Re: AIM Exploits

From: First Last (ihost@excite.com)
Date: 10/07/01


Message-ID: <1749439.1002428009845.JavaMail.imail@lucy.excite.com>
Date: Sat, 6 Oct 2001 21:13:29 -0700 (PDT)
From: First Last <ihost@excite.com>
To: VeNoMouS <venom@phreaker.net>, vuln-dev@securityfocus.com
Subject: Re: AIM Exploits

how is the font crash anything like the <!-- exploit, besides the fact that
it uses html? maybe you misunderstood, after you overload the font buffer
aim uses, sending a horizontal line will crash the client...

On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:

  i don't think you're very clued on anything here my friend,
  
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
  
  this here sounds like the dos we have been talking about except it's just <--
  it's a bof just like the line below
  
  
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
  well obviously they are copying the filename to an array which is only a
  certain size, it's a simple out of bounds overflow
  
  ----- Original Message -----
  From: Robbie Saunders <ihost@excite.com>
  To: <vuln-dev@securityfocus.com>
  Sent: Sunday, October 07, 2001 8:07 AM
  Subject: AIM Exploits
  
  
> as a starter i'd like to correct some information about
> the comment crash, the reason you can't paste it is
> because it crashes the client, not because it's too
> big... if it was too big you wouldn't be able to send it
> an im. and it's been on aim filter and used by your
> average aim user since early august
>
> the following exploits were found and implemented by
> Robbie Saunders, although i believe the file crash
> was used before me by `CodeDreamer`
>
> 3 other exploits:
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
>
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
>
> 3) Icon Crash: aim doesn't check incoming buddy
> icons to be under a certain height or width, so you
> can send an edited .gif file that may be 1k but claims
> to be very large (such as 10000x10000) and end up
> freezing the aim client for a large period of time, and
> on slow computers cause serious memory issues... i
> have tested with larger values (like 65kx65k) but it
> appears aim will pop up a memory buffer error
> instead of crashing... and apparently sending corrupt
> wav files will crash the client in the same manner
>
> If you're on windows you can use the software i
> created to exploit these bugs (AIM Filter), it can be
> found at http://www.ssnbc.com/wiz/ in software>aim
>
> aim filter is a local proxy that acts as both a server
> and client, meaning you can implement the
> crashes/features no matter what aim client you're on
> (and it's easy to use too, just type commands like
> aim.file.crash)
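
The icon issue in item 3 of the original post comes down to a receiver trusting the dimensions a GIF claims for itself. As an added example (not code from this thread or from AIM), the C routine below vets the logical screen size and every frame descriptor before any decode or allocation; `ICON_MAX_DIM`, `gif_icon_check` and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ICON_MAX_DIM 128u /* assumed policy limit, not a value taken from AIM */
enum icon_verdict { ICON_OK, ICON_MALFORMED, ICON_BAD_DIMS };

static unsigned le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }
static int dims_ok(unsigned w, unsigned h) { return w && h && w <= ICON_MAX_DIM && h <= ICON_MAX_DIM; }

/* Walk the GIF container and vet every claimed size before decoding or allocating. */
enum icon_verdict gif_icon_check(const uint8_t *b, size_t len) {
    if (len < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6)))
        return ICON_MALFORMED;
    if (!dims_ok(le16(b + 6), le16(b + 8))) return ICON_BAD_DIMS; /* logical screen */
    size_t pos = 13;
    if (b[10] & 0x80) pos += (size_t)3 << ((b[10] & 7) + 1);      /* global colour table */
    while (pos < len) {
        uint8_t tag = b[pos++];
        if (tag == 0x3B) return ICON_OK;                          /* trailer */
        if (tag == 0x21) {                                        /* extension block */
            pos++;                                                /* skip its label byte */
        } else if (tag == 0x2C) {                                 /* image descriptor */
            if (len - pos < 9) return ICON_MALFORMED;
            if (!dims_ok(le16(b + pos + 4), le16(b + pos + 6))) return ICON_BAD_DIMS;
            uint8_t packed = b[pos + 8];
            pos += 9;
            if (packed & 0x80) pos += (size_t)3 << ((packed & 7) + 1); /* local table */
            pos++;                                                /* LZW minimum code size */
        } else return ICON_MALFORMED;
        for (;;) {                                                /* skip data sub-blocks */
            if (pos >= len) return ICON_MALFORMED;
            uint8_t n = b[pos++];
            if (n == 0) break;
            if (len - pos < n) return ICON_MALFORMED;
            pos += n;
        }
    }
    return ICON_MALFORMED;                                        /* no trailer seen */
}

/* Constructed samples: a 1x1 icon, a header claiming 10000x10000, a frame claiming 10000x1. */
const uint8_t gif_ok[] = {'G','I','F','8','9','a', 1,0,1,0, 0x80,0,0, 0,0,0,255,255,255,
    0x2C,0,0,0,0,1,0,1,0,0, 2,2,0x44,1,0, 0x3B};
const uint8_t gif_huge_screen[] = {'G','I','F','8','9','a', 0x10,0x27,0x10,0x27, 0,0,0};
const uint8_t gif_huge_frame[] = {'G','I','F','8','9','a', 1,0,1,0, 0,0,0,
    0x2C,0,0,0,0,0x10,0x27,1,0,0, 2,2,0x44,1,0, 0x3B};

int main(void) { /* exit status 0 when the benign sample passes and both oversized ones fail */
    return !(gif_icon_check(gif_ok, sizeof gif_ok) == ICON_OK &&
             gif_icon_check(gif_huge_screen, sizeof gif_huge_screen) == ICON_BAD_DIMS &&
             gif_icon_check(gif_huge_frame, sizeof gif_huge_frame) == ICON_BAD_DIMS);
}
```

Checking the frame descriptors as well as the screen header matters because a file can declare a small canvas and still carry a frame that claims a much larger one.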
  



