Re: AIM Exploits

From: VeNoMouS (venom@phreaker.net)
Date: 10/07/01


Message-ID: <003701c14ee9$677a4f60$3100a8c0@co.nz>
From: "VeNoMouS" <venom@phreaker.net>
To: "First Last" <ihost@excite.com>, <vuln-dev@securityfocus.com>
Subject: Re: AIM Exploits
Date: Sun, 7 Oct 2001 17:34:50 +1300

because you're talking about sending a lot of font requests, which is basically
<!--
if you think about it, hell it could be XXXXXX for all it cares, it's a bof
(buffer overflow) on its input by the looks of things
----- Original Message -----
From: First Last <ihost@excite.com>
To: VeNoMouS <venom@phreaker.net>; <vuln-dev@securityfocus.com>
Sent: Sunday, October 07, 2001 5:13 PM
Subject: Re: AIM Exploits

> how is the font crash anything like the <!-- exploit, besides the fact that
> it uses html? maybe you misunderstood, after you overload the font buffer
> aim uses, sending a horizontal line will crash the client...
>
> On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:
>
> i don't think you're very clued on anything here my friend,
>
> > 1) Font Crash: windows aim stores recent font
> > names for instant messages, and i found that by
> > sending a lot of different fonts causes aim to pop up
> > with a font error, and after messing around i
> > discovered that lines "<HR>" crash the client (and in
> > some cases the OS) after the error has popped up,
> > making for a neat little crash if you send a few
> > hundred fonts with a horizontal line tacked on the end
> > =)
>
> this here sounds like the dos we have been talking about except it's just <--
> it's a bof just like the line below
>
>
> > 2) File Crash: i'm not quite sure why this crashes the
> > client, but if you send a file with a very large filename,
> > the client crashes, and just closes on any nt based
> > OS
> well obviously they are copying the filename to an array which is only a
> certain size, it's a simple out of bounds overflow
>
> ----- Original Message -----
> From: Robbie Saunders <ihost@excite.com>
> To: <vuln-dev@securityfocus.com>
> Sent: Sunday, October 07, 2001 8:07 AM
> Subject: AIM Exploits
>
>
> > as a starter i'd like to correct some information about
> > the comment crash, the reason you can't paste it is
> > because it crashes the client, not because it's too
> > big... if it was too big you wouldn't be able to send it
> > an im. and it's been on aim filter and used by your
> > average aim user since early august
> >
> > the following exploits were found and implemented by
> > Robbie Saunders, although i believe the file crash
> > was used before me by `CodeDreamer`
> >
> > 3 other exploits:
> > 1) Font Crash: windows aim stores recent font
> > names for instant messages, and i found that by
> > sending a lot of different fonts causes aim to pop up
> > with a font error, and after messing around i
> > discovered that lines "<HR>" crash the client (and in
> > some cases the OS) after the error has popped up,
> > making for a neat little crash if you send a few
> > hundred fonts with a horizontal line tacked on the end
> > =)
> >
> > 2) File Crash: i'm not quite sure why this crashes the
> > client, but if you send a file with a very large filename,
> > the client crashes, and just closes on any nt based
> > OS
> >
> > 3) Icon Crash: aim doesn't check incoming buddy
> > icons to be under a certain height or width, so you
> > can send an edited .gif file that may be 1k but claims
> > to be very large (such as 10000x10000) and end up
> > freezing the aim client for a large period of time, and
> > on slow computers cause serious memory issues... i
> > have tested with larger values (like 65kx65k) but it
> > appears aim will pop up a memory buffer error
> > instead of crashing... and apparently sending corrupt
> > wav files will crash the client in the same manner
> >
> > If you're on windows you can use the software i
> > created to exploit these bugs (AIM Filter), it can be
> > found at http://www.ssnbc.com/wiz/ in software>aim
> >
> > aim filter is a local proxy that acts as both a server
> > and client, meaning you can implement the
> > crashes/features no matter what aim client you're on
> > (and it's easy to use too, just type commands like
> > aim.file.crash)
>
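
Added example, not part of the original thread and not AIM's code: receiver-side checks for two of the bug classes discussed above, a peer-supplied filename copied into a fixed-size array and a GIF icon whose header claims dimensions far larger than the file. NAME_MAX_LEN, ICON_MAX_DIM, the function names and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed size of the receiver's filename buffer */
#define ICON_MAX_DIM 64   /* assumed policy limit on icon width and height */

/* Constructed samples: a GIF89a header claiming 10000x10000 (0x2710,
 * little-endian) and one claiming 48x48. */
static const uint8_t big_gif[13] = {'G','I','F','8','9','a', 0x10,0x27, 0x10,0x27, 0,0,0};
static const uint8_t ok_gif[13]  = {'G','I','F','8','9','a', 48,0, 48,0, 0,0,0};

/* Copy a peer-supplied filename into a fixed buffer. The length is checked
 * before the copy, so an oversized name is refused, never written past dst.
 * Returns 0 on success, -1 if the name does not fit or has an embedded NUL. */
int copy_filename(char dst[NAME_MAX_LEN], const char *src, size_t src_len)
{
    if (src_len >= NAME_MAX_LEN || memchr(src, '\0', src_len) != NULL)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Validate the GIF signature and logical screen size before any pixel
 * buffer is allocated. A decoder must apply the same limit to the
 * width/height in each image descriptor that follows.
 * Returns 0 if accepted, -1 if truncated, not a GIF, or over the limit. */
int check_gif_icon(const uint8_t *buf, size_t len, unsigned *w, unsigned *h)
{
    if (len < 13)   /* 6-byte signature + 7-byte logical screen descriptor */
        return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return -1;
    unsigned width  = buf[6] | ((unsigned)buf[7] << 8);
    unsigned height = buf[8] | ((unsigned)buf[9] << 8);
    if (width == 0 || height == 0 || width > ICON_MAX_DIM || height > ICON_MAX_DIM)
        return -1;
    *w = width;
    *h = height;
    return 0;
}

int main(void)
{
    unsigned w = 0, h = 0;
    printf("10000x10000 icon: %d\n", check_gif_icon(big_gif, sizeof big_gif, &w, &h));
    printf("48x48 icon:       %d\n", check_gif_icon(ok_gif, sizeof ok_gif, &w, &h));
    return 0;
}
```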


