Re: AIM Exploits

From: First Last (ihost@excite.com)
Date: 10/07/01


Message-ID: <1749439.1002428009845.JavaMail.imail@lucy.excite.com>
Date: Sat, 6 Oct 2001 21:13:29 -0700 (PDT)
From: First Last <ihost@excite.com>
To: VeNoMouS <venom@phreaker.net>, vuln-dev@securityfocus.com
Subject: Re: AIM Exploits

how is the font crash anything like the <!-- exploit, besides the fact that
it uses html? maybe you misunderstood, after you overload the font buffer
aim uses, sending a horizontal line will crash the client...

On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:

  i don't think you're very clued on anything here my friend,
  
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
  
  this here sounds like the dos we have been talking about except it's just <--
  it's a bof just like the line below
  
  
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
  well obviously they are copying the filename to an array which is only a
  certain size, it's a simple out of bounds overflow
  
  ----- Original Message -----
  From: Robbie Saunders <ihost@excite.com>
  To: <vuln-dev@securityfocus.com>
  Sent: Sunday, October 07, 2001 8:07 AM
  Subject: AIM Exploits
  
  
> as a starter i'd like to correct some information about
> the comment crash, the reason you can't paste it is
> because it crashes the client, not because it's too
> big... if it was too big you wouldn't be able to send it
> an im. and it's been on aim filter and used by your
> average aim user since early august
>
> the following exploits were found and implemented by
> Robbie Saunders, although i believe the file crash
> was used before me by `CodeDreamer`
>
> 3 other exploits:
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
>
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
>
> 3) Icon Crash: aim doesn't check incoming buddy
> icons to be under a certain height or width, so you
> can send an edited .gif file that may be 1k but claims
> to be very large (such as 10000x10000) and end up
> freezing the aim client for a large period of time, and
> on slow computers cause serious memory issues... i
> have tested with larger values (like 65kx65k) but it
> appears aim will pop up a memory buffer error
> instead of crashing... and apparently sending corrupt
> wav files will crash the client in the same manner
>
> If you're on windows you can use the software i
> created to exploit these bugs (AIM Filter), it can be
> found at http://www.ssnbc.com/wiz/ in software>aim
>
> aim filter is a local proxy that acts as both a server
> and client, meaning you can implement the
> crashes/features no matter what aim client you're on
> (and it's easy to use too, just type commands like
> aim.file.crash)
  

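A defender-side check for the icon crash described in the quoted post (a tiny .gif whose header declares 10000x10000 or 65kx65k), added here as an example; it is not code from AIM, AIM Filter or any author in the thread. The limits MAX_ICON_DIM and MAX_ICON_PIXELS are assumed policy values, and the sample headers are constructed in the block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed policy limits for a buddy icon (hypothetical values). */
#define MAX_ICON_DIM    512u             /* max width or height in pixels */
#define MAX_ICON_PIXELS (512u * 512u)    /* max pixels the client will allocate */

/* Result codes returned by check_gif_icon(). */
enum icon_check { ICON_OK = 0, ICON_TOO_SHORT, ICON_BAD_MAGIC, ICON_TOO_LARGE };

/* Validate a GIF header before any decoder allocates width*height buffers.
   The logical screen descriptor stores width and height as 16-bit
   little-endian values at file offsets 6 and 8; header + descriptor = 13 bytes. */
enum icon_check check_gif_icon(const uint8_t *buf, size_t len, unsigned *w, unsigned *h)
{
    if (len < 13) return ICON_TOO_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return ICON_BAD_MAGIC;
    unsigned width  = buf[6] | (unsigned)buf[7] << 8;
    unsigned height = buf[8] | (unsigned)buf[9] << 8;
    if (w) *w = width;
    if (h) *h = height;
    /* Reject declared dimensions the client is not willing to allocate for,
       no matter how small the file on the wire is (the 1k-file case above). */
    if (width > MAX_ICON_DIM || height > MAX_ICON_DIM) return ICON_TOO_LARGE;
    if ((size_t)width * height > MAX_ICON_PIXELS) return ICON_TOO_LARGE;
    return ICON_OK;
}

/* Build a minimal 13-byte GIF header with a declared size (constructed sample). */
size_t make_gif_header(uint8_t *out, unsigned width, unsigned height)
{
    memcpy(out, "GIF89a", 6);
    out[6] = width & 0xff;  out[7] = (width >> 8) & 0xff;
    out[8] = height & 0xff; out[9] = (height >> 8) & 0xff;
    out[10] = 0; out[11] = 0; out[12] = 0;    /* no global colour table */
    return 13;
}

int main(void)
{
    uint8_t hdr[13];
    size_t n = make_gif_header(hdr, 10000, 10000);   /* tiny file, huge claim */
    printf("10000x10000 -> %d (ICON_TOO_LARGE=%d)\n", check_gif_icon(hdr, n, NULL, NULL), ICON_TOO_LARGE);
    n = make_gif_header(hdr, 48, 48);
    printf("48x48 -> %d (ICON_OK=%d)\n", check_gif_icon(hdr, n, NULL, NULL), ICON_OK);
    return 0;
}
```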