Home page logo
/

bugtraq logo Bugtraq mailing list archives

AOL Instant Messenger Servers Patched and...Un-Patched?
From: Brendan Butts <sbbutts () mediaone net>
Date: 1 Mar 2002 06:20:07 -0000



---AOL Instant Messenger Still Vulnurable to DoS 
attack---

Author: Nemisis (sbbutts () mediaone net)

Synopis-

After everything that has happened, with the game 
invite crash, File Crash, Buddy List Crash, Etc.  AOL 
patched there AIM servers, to protect users against 
these attacks and released new versions of instant 
messenger.  Sometime in the middle of January, you 
could no longer use AIM Filter, or Nemisis AIM Suite, 
to exploit these bugs.  Upon execution of a Buddy List 
Kill Attack with AIM Suite (a DoS attack that locks up 
Windows AIM 4.7 and the first 4.8 beta with an overly 
large buddylist) , your would recive..
'Error Code 14' from the server in your IM window.  
AOL's server-side block of this bug protected the 
target from having their client frozen.  Now it seems 
that they have given up there server-side block of this 
kill, and it can once again be exploited.  The newest 
AIM beta 4.8.24.64 I belive is not vulnurable to this 
attack.

Implications-

The problem is that when a user goes to 
www.AIM.com to download AIM, they are not given 
the chance out right to download the newest beta, 
you have to dig around the site to find the beta 
download page.  Instead mass amounts of users are 
downloading AIM 4.7, which is STILL vulnurable to the 
Buddy Kill DoS attack.   Why AOL fixed this problem 
on the server-side, and then un-fixed I wont even 
venture a guess on. 

Fix- 

For those who are wary to download any new Beta 
versions of AIM from AOL (and arn't we all) there is 
still the AIM Filter or Nemisis AIM Suite, alternative.  
Which are both availble at 
www.dreamscapeprod.com/nemisis 

-


  By Date           By Thread  

Current thread:
  • AOL Instant Messenger Servers Patched and...Un-Patched? Brendan Butts (Mar 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]