Slashdot Mirror


AOL's AIM Exploits Buffer Overflow On Purpose

Scott Hutton writes "CNN is carrying a story that states that AOL is exploiting a buffer overflow in their own client in order to detect and lock out Microsoft AIM clients. That's the first time I've seen someone use a buffer overflow to 'enhance' security."

7 of 121 comments

  1. That was confusing by DonkPunch · · Score: 2

    I had to re-read the article several times to figure out what they were trying to report. Even now, I'm not sure I understand what the issue is.

    As I interpret the article, the AOL *client* is sending 256 bytes (the expected amount) followed by 24 bytes. This is somehow supposed to overflow the buffer on the AOL *server*. The AOL server detects the extra bytes and knows that it is an AOL client.

    Extra data not in the spec is NOT the same thing as a buffer overflow exploit. If the server wants to see those 24 bytes it is NOT a buffer overflow. It's simply an omission from the specification.

    If this is how things work, the "buffer overflow bug" is on the server side, not the client side.

    In this case, suggesting that the AOL client has a "buffer overflow bug" is misleading. Implying that the bug somehow compromises security for users of the AOL client is malicious deception. The client is *sending* extra data, not receiving it.

    I don't want to suggest that anyone is trying to create hysteria by misusing the term "buffer overflow". We all know that the phrase "buffer overflow" is a sure way to get the attention of security folks.

    As I read the article, though, it's just 24 extra bytes being sent to the server. If the server expects it and handles it, it's hardly a security issue. Are those 24 bytes actually writing into executable memory with a jump instruction? I find that hard to believe.

    Or maybe I just missed something in the article....

    --

    Save the whales. Feed the hungry. Free the mallocs.
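As an added illustration of the distinction this comment draws (this is not code from the thread, from AOL or from any AIM client; only the 256-byte field followed by 24 extra bytes is taken from the comment, and everything else about the framing is an assumed toy layout): a server-side parser that accepts either the bare 256-byte field or the field plus exactly 24 trailing bytes, rejects any other length before copying anything, and never writes past the caller's fixed-size buffers. The trailing bytes are handled as a defined extension, which is the "omission from the specification" case rather than a buffer overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout taken from the comment above: a 256-byte field that every client
   sends, optionally followed by exactly 24 trailing bytes. Everything else
   about the framing is an assumption made for this example. */
#define FIELD_LEN 256u
#define EXT_LEN   24u

enum client_kind {
    CLIENT_REJECTED = -1,   /* length is not one of the two documented shapes */
    CLIENT_BASE     = 0,    /* 256-byte field only */
    CLIENT_EXTENDED = 1     /* 256-byte field followed by the 24-byte extension */
};

/* Server-side parser. The caller owns field_out (FIELD_LEN bytes) and
   ext_out (EXT_LEN bytes); the function never copies more than those sizes,
   so the trailing bytes are read as a defined extension instead of running
   past a fixed buffer. Any other length is refused before a byte is copied. */
enum client_kind parse_frame(const uint8_t *frame, size_t frame_len,
                             uint8_t field_out[FIELD_LEN],
                             uint8_t ext_out[EXT_LEN])
{
    if (frame == NULL || field_out == NULL || ext_out == NULL)
        return CLIENT_REJECTED;
    if (frame_len != FIELD_LEN && frame_len != FIELD_LEN + EXT_LEN)
        return CLIENT_REJECTED;          /* too short, too long, or odd-sized tail */

    memcpy(field_out, frame, FIELD_LEN); /* bounded by the declared size, not by frame_len */
    if (frame_len == FIELD_LEN)
        return CLIENT_BASE;

    memcpy(ext_out, frame + FIELD_LEN, EXT_LEN);
    return CLIENT_EXTENDED;
}

/* Build a constructed sample frame for testing: the field is filled with 'A'
   and the optional extension with 'x'. Returns the total length written,
   or 0 if the destination is too small. */
size_t build_sample_frame(uint8_t *buf, size_t buf_len, int with_extension)
{
    size_t total = with_extension ? FIELD_LEN + EXT_LEN : FIELD_LEN;
    if (buf == NULL || buf_len < total)
        return 0;
    memset(buf, 'A', FIELD_LEN);
    if (with_extension)
        memset(buf + FIELD_LEN, 'x', EXT_LEN);
    return total;
}

int main(void)
{
    uint8_t frame[FIELD_LEN + EXT_LEN + 64];
    uint8_t field[FIELD_LEN], ext[EXT_LEN];
    size_t n;

    n = build_sample_frame(frame, sizeof frame, 0);
    printf("256-byte frame     -> %d\n", parse_frame(frame, n, field, ext));

    n = build_sample_frame(frame, sizeof frame, 1);
    printf("256+24-byte frame  -> %d\n", parse_frame(frame, n, field, ext));

    /* A tail of the wrong size (here 10 bytes) is refused outright. */
    printf("256+10-byte frame  -> %d\n",
           parse_frame(frame, FIELD_LEN + 10, field, ext));
    return 0;
}
```

The contrast the comment is getting at: a server that declared `uint8_t buf[256];` and then copied `frame_len` bytes into it would have the bug on the server side, and the 24 extra bytes would overrun it. Checking the length against the two documented shapes before copying, and copying only the declared sizes, is what turns the extra bytes into ordinary protocol data.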
  2. Re:How to stop non-authorized clients by Trepidity · · Score: 2

    Well, AOL would get that server shut down promptly. MS could keep putting up more servers "without their knowledge," but they'd have to keep releasing new versions of their client to connect to the new proxies (or their users would have to keep reconfiguring the clients to use different proxies). For the long term, it'd be unworkable.

  3. That was helpful by DonkPunch · · Score: 2

    I *thought* that the original article didn't make much sense.

    Moderators, I know you can determine the quality of posts without my help. If I had the power, though, I'd be bumpin' this one up a few notches. :)

    --

    Save the whales. Feed the hungry. Free the mallocs.
  4. Silly me by DonkPunch · · Score: 2

    ...expecting accuracy and facts and stuff. Another poster put up an article with some analysis.

    Now I'm going to spend all night reading flames from people who were smart enough to skip the article. :)

    --

    Save the whales. Feed the hungry. Free the mallocs.
  5. Contradicts previous discussion on /. by copito · · Score: 2

    An earlier story on Slashdot, MS Dirty Pool Against AOL, referenced a sv.com article which claimed that this buffer exploit was a rumor floated by an MS employee. It would appear that either the CNN article or the sv.com article is factually incorrect and that some people have some apologizing to do.
    --

    "L'IT c'est moi!"
  6. How to stop non-authorized clients by Trepidity · · Score: 2

    I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement. AOL could then authorize gaim and the other non-Windows AIM clients to use the logo free of charge, so they wouldn't be inconvenienced, and AOL would retain its control of the Windows clients, keeping Microsoft out.

    This method works, and has legally been tested, as this is the method Gameboy uses to keep non-licensed developers from writing Gameboy games. If a game doesn't have the Gameboy trademarked logo at the beginning of its ROM, the Gameboy refuses to play it.

  7. Re:Hmm, strange by kaphka · · Score: 2

    To my knowledge, all of the AIM alternatives (other than Microsoft's) use the TOC protocol, which is a simplified, open (at least, it used to be open), and slightly crippled version of the OSCAR protocol that AIM and Microsoft use. It's actually lots of fun to play with, writing little Tcl scripts to automate IMing and stuff...

    But Tik and GAIM users should be thankful that Microsoft went to the trouble of reverse-engineering OSCAR instead of just using TOC, because if they had, I'm sure TOC would be gone by now.

    --

    MSK