Slashdot Mirror
AOL Instant Messenger Remote Hole
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."
...and now everyone has your mail!
Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.
Since we all know the holes won't stop here, anyone who wishes to further investigate problems can start their research here and here.
...only windows machines. get your facts straight.
This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
From the website:
"this does not affect the non-Windows versions"
The guy spends most of his time bashing the DMCA and how hard it makes to offer patches to this sort of thing without AOL's permission:
From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
--
I Hit the Karma Cap, and All I Got Was This Lousy
http://www.w00w00.org/advisories/aim.html is a better link.
Hey, if you guys want open-source IM, check out http://www.jabber.org The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?
AOL Instant Messenger (AIM) has a major security vulnerability in the
latest stable (4.7.2480) and beta (4.8.2616) Windows versions.
It's a buffer overflow, so the
_sig_ is away
I stopped using ICQ years ago because it was so script-kiddie friendly and AIM not long after. I'm quite happy using Jabber with a gateway to Yahoo Messenger, thankyouverymuch.
this is getting old and so are you
blog
The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.
Love justice; desire mercy.
ALWAYS, if the protocol isn't openly documented and severely tested over a communications line for security it is insecure.
I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)
If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.
How about the "you got mail" dude do one that says "j00 g0t 0wN3D"!
One of Many Instant Messenger Exploits (MIME for short), I'm sure.
{if you are going to assinate a Mime, would you use a silencer?}
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.
Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...
Slashdot just linked to the story; they didn't originate it. They would've had no way to report the information (at least not in Slashdot's usual manner) without pointing people to the actual discoverer of the problem, unless AOL has an article on it somewhere.
It is very irresponsible of the original writer to post an explicit method to exploit the crack, however. At least there's one redeeming feature: the article also tells readers how to protect themselves from the crack by altering their preferences, and also that AOL is fixing the problem server-side.
The crack was/is already out there, for people who enjoy using that sort of thing. Don't blame this site for pointing people to it just because Slashdot has a higher readership.
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.
From this site.
Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
I've recently started using trillian (www.trillian.cc) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.
Once upon a time...
One of ICQ's was a login buffer overflow. Basically if you used licq or a NON-Mirabilis version, you could login as anyone just by using a password longer than 15 chars (IIRC).
Ok so I used it once to send two of my coworkers homo "I like to watch your ass" emails from each other...
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.
as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.
<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
It came down off Bugtraq at about 9AM this morning. Everyone already knew about it. And, unless you're one of those security-through-obscurity people, you should have no problem with this kind of thing. (It's not like they wouldn't be available to people otherwise...)
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I'm actually really surprised that holes haven't been already found in these toys.
Change that annoying incomming Email .wav file...
"You've got nailed"
--- Metamoderating abusive downgraders since my 300th post.
This has got the best PR response I've ever seen to one of these holes:
From the Washington Post Story
A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.
An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.
Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...
Viv
Gmail invites for ip
Well, the w00w00 guys claim AOL is going to fix it server-side, so if they believe it, I would too. My guess is whatever features that are required to exploit this require some communication through the server to work. If this is the case, its a simple matter of doing buffer checks at the server before they're sent out to the recipient.
Until they do fix it, you can either use AIM Filter or change your preferences so that only people on your buddy list can contact you. Neither is 100% foolproof, but definitely better than nothing.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
This is under the mindset that the people who read this will actually be using the exploit, rather then defending themselves from it, which is how I read it. As a user on AIM, I find it very helpful that it was released so that in the one or two days it takes to patch this, I don't get fucked over.
"The non-profit security team w00w00.org..."
Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?
More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?
"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."
I'd love to see an I-Worm do this! It could scan for words like "Confidential", "payroll", "affair", "fired" and send e-mails to random people with copies of the message.
Marriages would be broken.
Important MS memos would be leaked.
VPs with high salaries would be exposed.
Oh, if I had the balls to write such things...
Zodiac Survey
Why not? Don't you use any?
[*duck*]
hawk, who bought the last pair of quality microsoft products: word 5.1 and excel 4
rooooar
Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.
It's already like this. Just look at the government we have now: One which is more worried about banning abortion to produce more babies, instead of enforcing better (and cheaper) birth control. One which is more worried about protecting ourselves from ourselves (read: victimless crimes), instead of letting us learn from our mistakes (or letting evolution sort it out). One which is more worried about getting elected the next term and getting in the pockets of lobbists, instead of passing laws that the people really need.
Just look at our idiotic voters. They are the mediorce masses. They are the ones just smart enough to be useful, but not smart enough to see that they've been screwed. They are the proles [1984], and the future is NOT with them.
Zodiac Survey
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit security industry...?
-------------------
This is my SIG. There are many like it, but this one is mine.
A better question is, how can this be redundant when it was the first post with this question? ;)
I don't have time to read everything, just posting my thoughts. Oh well, as if karma matters
Moderation: Put your hand inside the puppet head!
Eg Europe, where reverse engineering is explicitly legal regardless of any terms and conditions the software vendor may seek to impose.
Tested vulnerable back to 4.3 (earliest one available to test). Vulnerability of versions 4.3 is not known; assume that ALL VERSIONS of AIM are vulnerable. (At least if you believe the fine people on Bugtraq).
D'oh.
-30-
I've recently started using trillian (www.trillian.cc [trillian.cc]) for all my IMing needs
Trillian is a Windows app, but it apparently works under Wine.
Will I retire or break 10K?
You can turn that annoying AIM Today window off rather easily; in fact, its always the first thing I do after setting up AIM anywhere.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Passport itself, obviously.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I have stopped using most of the Instant messagers except Odigo now. I like the see others in the website feature and the fact that you have all the others integrated as well is a plus.
http://www.odigo.com
Side note I am in NO WAY affiliated with them. I just happen to like their product.
Razzious Domini
I could be a GREAT KARMA WHORE if I could just shed the few morals I have left.
I am about to expose information that could be used to commit a crime. If this information is improperly used then I and all who have passed on this information can and should be summarily prosecuted according to the Laws Against Spreading Evil Information. But I'll take the chance.
1. Humans are mortal
2. Poking a big hole in a human can kill it
3. Humans are the weak spot in bank security
4. Humans fear having holes poked in them
5. Guns are effective tools for poking holes in humans
6. Pointing guns at humans can get them to do what you want
7. Humans in banks will give you money if you point a gun at them
8. To kill a human quickly, shoot it in the heart or head
9. Explosives are also very effective
My apologies to all for whom this information represents a decrease in personal security. But rest assured, your firewall will continue to function long after your life has drained away.
-- thinkyhead software and media
AIM Filter being the program that, if not a trojan, at least has various remote access abilities.
See the bugtraq archive for more information.
Amusing that its use is recommended in the security advisory.
-Legion
a cool server side fix:
exploit this hole from the main server on all clients, and make them automatically update to the latest version! No users have to download patches this way.
Noticed quite a few mesages exclaiming about trillian already. I love it. It just needs more skins (or I need to learn the differences between the old and new format).
I will venture, rather safely, to say that Trillian is not affected by this exploit. The exploit is in the 'game request' feature in the AIM client for windows, a feature that has not yet been included in Trillian in the first place, and a feature that would obviously use different, hopefully better-bounds-checked code if it were there (since trillian uses its own libraries to do everything, no reliance on AIM).
--onyx--
That bug is old news... I used it for months until I remembered my ICQ password. It's 9 charachters not 15 ICQ doesn't allow passwords greater than 8 characters. While some sites won't allow a password shorter than 8 characters ICQ won't allow a longer one... Nice to see how security conscious mirabilis was and still is now that AOL owns them.
Actually though I think the earliest ICQ implimentations performed the password authentication locally, which is why the 8 character limit on passwords exists in icq.
A 9 character password response meant the authentication was done by the client.
https://www.gnu.org/philosophy/free-sw.html
The story's made CNN: http://www.cnn.com/2002/TECH/ptech/01/02/aol.secur ity.ap/index.html.
Care about electronic freedom? Consider donating to the EFF!
The reverse-engineering clause only applies to technology designed to limit access to a copyrighted work. The DMCA is for protecting digital content. AIM has nothing to do with that.
It's a bad law, for sure, but making false claims about what it covers does NOT help our cause.
It's true that overflows are easy to prevent, by using a modern language like Java or O'Caml that has automatic bounds-checking on arrays. (To a lesser extent the C++ STL can help you with this, but you don't get any guarantees since the language is not safe.)
But I don't agree that it is easy to prevent when you're writing your software in C or C-like C++. In fact, I think C and the typical memory model practically encourages you to write exploitable software. Sure, it's easy to look at a stupid little program and say, yes, that has a buffer overflow problem. But large programs like IIS or even AOL AIM are an awful lot harder to analyze. (Take a look at the IIS overflow again if you think it's easy. This was due to the interaction between two totally different modules, both of which did bounds checking, but assumed that the buffer was large enough to hold twice the amount of data after unencoding. Indeed it was, but not if you unencode twice!)
If it is so easy to prevent, why do we continue to see loads of these kinds of bugs? You might argue that AOL programmers are stupid, and IIS programmers, and wu_ftpd, BIND, perl, quake 3 arena, sshd, (etc. etc.), but I think you'd be left with almost no programmers if you listed all the packages that have had buffer overflows in them. It is C's fault.
Personally, I think it's ridiculous that people still write software that's not at all performance-critical in C and C++. Technology exists (see O'Caml at http://caml.inria.fr/) for making really fast programs that are guaranteed not to have this kind of security hole in them. All that's really needed is toolkits for interfacing with system libraries... (for non-interactive stuff like network daemons there's absolutely no excuse to be using C).
AOL could say "We won't let you on unless you download this update".
It's hard to be religious when certain people are never incinerated by bolts of lightning.
They did wait, AOL ignored them.
We contacted the AOL Instant Messenger group but never received a
response. Normally we would be inclined to provide a fix, but it is
illegal to reverse engineer the AIM executable (DMCA and AIM's license
agreement to thank), so we are unable to provide a patch which will
modify it. Instead, we recommend Robbie Saunder's AIM Filter
(http://www.ssnbc.com/wiz/) to protect yourselves.
Please get the full story before you post shit.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
if you've got Mac OS X - you should get fire
...
:-( and I forget)
http://www.epicware.com/fire.html
works great, and handles AIM, ICQ, Jabber, irc, MSN, and Yahoo.
from the "About Fire" dialogue
Engineering
Eric Peyton
Interface Design
Borrowed from America Online with flourishes courtesy Eric Peyton. Some ICQ ideas taken from various ICQ clones
Icons
Rick Roe, Blake Harris
Fire Enhancements
The following people have made enhancements to Fire
Jason Fosback (jfosback@ubermind.com)
Brian Fitzpatrick (fitz@red-bean.com)
(way too many to list
Underlying Engine (libfaim)
Copyright 1998-1999 Adam Fritzler (afritz@iname.com)
Underlying Engine (icqlib)
http://kicq.sourceforge.net/kicq.shtml
Underlying Engine (libyahoo)
http://www.sourceforge.net/projects/gtkyahoo
Underlying Engine (msn library)
http://www.everybuddy.com
Underlying Engine (firetalk/irc)
http://www.penguinhosting.net/~ian/firetalk/
HTML (AIML) Rendering/Reading Engine
Copyright 1999 Stephen Peters (portnoy@portnoy.org)
Fire.app Written in Objective-C against the Cocoa API's using the underlying libfaim Unix/Linux library written in C, the icqlib source code written in C, and the gtkyahoo source code written in C and C++. I am using the firetalk library in C for irc communication and the msn library was borrowed from everybuddy.
Fire.app is released under the FSF GPL, as are libfaim, micq, and gtkyahoo. If you did not receive source with this version please contact Eric Peyton (epeyton@epicware.com) for the source, or visit http://www.epicware.com/fire.html.
guns kill people like spoons make Rosie O'Donnell fat.
It should be noted that the bug does not, "enable remote users to execute code on any machine logged into the AOL IM service," but is specific to Windows versions 4.3 and newer. They have confirmed that it does not affect Netscape's built in AIM, and assumably alternative OSes and alternative clients are safe. So let me include another shameless endorsement of Fire ;)
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
Instead of calling these things "flaws" or "holes" or "exploits" I recommend a different term.
Call them a "window."
As in, "A window was discovered today into AOL instant messanger."
Has it been over a year since you last donated to the Electronic Frontier Foundation
Also worth mentioning is that Trillian has automatic 128bit encryption between Trillian clients (over AIM & ICQ only).
Got friends?
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.
And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.
to use strncpy instead of strcpy...
Anyway, I like AIM, it's easy for a brain dead code jockey to use. I've got enough rattling around in my head without having to be 31137 at instant messenger applications.
Codifex Maximus ~ In search of... a shorter sig.
You take the statement from the article "This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the feature that this vulnerability occurs in" and conclude "If other versions did support this feature, they would be subject to this vulnerability".
Let me spell it out in straightforward logic symbols:
let "a" mean "vulnerability affects non-Windows versions"
let "b" mean "non-windows versions implement this game feature"
You take "not a because not b" (That is, "not b imples not a") and conclude "b implies (would imply) a". You have confused the converse with the contrapositive (the contrapositive would be "version xyz is vulnerable to this, therefore I know that version xyz implements the gaming feature").
Now, on to the question as to whether or not this vulnerability is in the protocol itself; this gets into a silly semantic debate that could go on and on with people yelling about definitions. As the AIM protocol has no canonical published spec. to define what it is, we can only assume that the AIM protocol is whatever the official AIM clients do when operating correctly. (For example, we shouldn't expect that the behavior of the AOL client while it is running under a debugger that randomly flips a few bits in memory every few seconds is an example of the AIM protocol)
So - is a buffer overflow the correct behavior? As much as I am inclined to think ill of the AOL/TW behemoth, I doubt that they intended their users' machines to be wide open to script kiddies everywhere.
That doesn't make any sense, either. The DMCA does not prevent you from reverse-engineering software and making or distributing patches, UNLESS that software controls access to a copyrighted work, which AIM does NOT.
People really need to get their facts straight about the law or we are going to be totally incoherent when we try to challenge it (or convince our friends and family that it is bad).
Well, you all are missing my point. I know there's better ways to implement a backdoor, and I know that the Microsoft problem was completely different, but it had the same end result, someone could remotely control another person's computer. Yeah, exploiting a buffer overflow isn't the prettiest way to do it, but I wasn't trying to get into the details of the matter, just the premise that companies might intentionally do something like that on purpose.
~ now you know