AIM for the Macintosh is not vulnerable either.
On 10.03.01, Matthew Sachs <matthewg_at_zevils.com> wrote:
> (Note: I wasn't going to release this until the 8th in order to give
> AOL some time to release a fix/workaround, but since exploit scripts
> have already been posted to bugtraq...)
>
> Scope:
> Anyone who can send instant messages to a user signed on to
> the AOL Instant Messenger service can crash that user's AOL
> Instant Messenger. The default settings allow everyone to
> send the user messages. This bug does not appear to be
> exploitable for running arbitrary code.
> Confirmed Vulnerable:
> AOL Instant Messenger/Win32 4.7.2480
> AOL Instant Messenger/Win32 4.3.2229
> Confirmed Not Vulnerable:
> aimirc (all versions)
> AIM Express
> QuickBuddy
> AOL Instant Messenger/Linux 1.5.234
> Unknown:
> All other AOL Instant Messenger clients
>
> Reported to AOL on October 1st, 2001. No reply received.
>
> It is possible for any remote user to crash the AOL Instant Messenger for
> Windows, at least version 4.7.2480. The target user's visibility
> settings must allow the exploiter to send him or her IMs. When a
> message with the text "<!-- " (without the quotes) is repeated
> approximately 640 or more times, AIM crashes with the following
> error.
> AIM caused an invalid page fault in module ATK32.DLL at
> 015f:12023f63.
> Registers:
> EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
> EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
> ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
> EDX=00000000 ES=0167 EDI=0063ea8c GS=0000
> Bytes at CS:EIP:
> 83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
> Stack dump:
> 00000000 0043051c 00000409 218f0004 8a120000
> 17df0b04 00010000 00000000 00000000 00000002
> 00000000 00000302 0000000c 00000001 0000000c
> 00000000
>
> Note that it does not appear to be possible to send this message from
> AOL's Windows AOL Instant Messenger client, both because it imposes
> tighter length restrictions than the OSCAR protocol mandates and
> because it will translate < into &lt;.
>
> If the "Show 'Accept Message' dialog for messages from users not in Buddy
> List" preference is turned on and the exploiter is not in the target's
> buddylist, that dialog will appear and then AIM will immediately crash. If
> that preference is not turned on or if the exploiter is in the target's
> buddylist, an IM dialog will be created (if one does not already exist),
> and then AIM will immediately crash.
>
> This bug is already being exploited in the wild. It initially came to my
> attention through a post to the vuln-dev_at_securityfocus.com mailing list as
> well as, simultaneously, in traffic observed in the AIM sessions of users
> of my network.
>
> Suggested workaround:
> If possible, modify your privacy settings so that only users
> on your buddylist can contact you. However, this still makes
> it possible for people on your buddylist to use this
> bug against you. Until AOL releases a fix, the only other
> option is to switch to a non-vulnerable client.
> Alternatively, one can simply live with the occasional crash
> and simply restart AOL Instant Messenger. Of course,
> malicious persons could set up scripts to automatically send
> a crash-inducing message to the user as soon as he or she
> signed on to the AOL Instant Messenger service.
>
> --
> Matthew Sachs, the original nonstandard deviant
> matthewg@zevils.com http://www.zevils.com/
> GPG key: 0x600A0342 PGP key: 0x93EA1151
--
Tony Lambiris [methodic_at_slartibartfast.angrypacket.com]
http://www.openbsd.org && http://www.openssh.com
"Anyone who truly understands the power
of UNIX wouldn't use anything else."
Received on Oct 03 2001
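
Added example (not part of either message above, and not AOL's or either author's code): a receive-side screen that a gateway or alternative client could apply to incoming IM bodies, dropping messages with an abnormal number of "<!--" openers and escaping the rest. The name screen_im, the limit of 16 and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed policy value (not from the advisory): ordinary IMs have no reason to
# carry many HTML comment openers, so flag far below the ~640 repetitions the
# advisory reports as crashing the Windows client.
MAX_COMMENT_OPENERS = 16
COMMENT_OPEN = re.compile(r"<!--")


@dataclass
class Verdict:
    openers: int      # number of "<!--" sequences found in the body
    blocked: bool     # True when the message should not reach the client
    safe_body: str    # body with each opener neutralised ("" when blocked)


def screen_im(body: str, limit: int = MAX_COMMENT_OPENERS) -> Verdict:
    """Screen one incoming IM body before it is handed to the client."""
    openers = len(COMMENT_OPEN.findall(body))
    if openers > limit:
        return Verdict(openers, True, "")
    # Below the limit, escape the "<" of each opener, the same translation the
    # advisory says the official Windows client applies to outgoing text.
    return Verdict(openers, False, COMMENT_OPEN.sub("&lt;!--", body))


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "plain": "<HTML><BODY>lunch at noon?</BODY></HTML>",
    "one_comment": "<HTML><BODY>hi <!-- draft --> there</BODY></HTML>",
    "advisory_pattern": "<!-- " * 640,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = screen_im(body)
        action = "DROP" if v.blocked else "DELIVER"
        print(f"{name:17} openers={v.openers:4} len={len(body):5} {action}")
```

Blocking on opener count rather than on total length keeps long but ordinary messages deliverable.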