Bugtraq mailing list archives

Update on the AOL buffer overflow exploit


From: smiths () TIAC NET (Richard M. Smith)
Date: Mon, 23 Aug 1999 14:36:48 -0400


Hello,

I wanted to give an update on the buffer overflow error in
the AOL Instant Messenger client software that Robert Graham
reported to BugTraq last week.  Apparently AOL is using this
buffer overflow error to determine if someone is running the
AOL client software versus the Microsoft MSN
Messenger client software.  MSN Messenger users are then
refused service on the AOL system.

The buffer error is used as follows.  During the AIM logon sequence, the
AOL servers now send down a packet to a client machine
with about 40 bytes of x86 code in it.  This code gets executed
by the client because the packet also exercises the buffer overflow
bug.  The downloaded code causes the client to send back a secret response
to the AOL servers.  If the servers don't see this response, they
then bounce the user under the assumption the client software
must be MSN Messenger.

It only took Microsoft a few days to see what was
going on and they have updated the MSN Messenger client
software to recognize the special packet and response in
the same manner as the AOL client.  However, MSN isn't using
a buffer overflow error to make this happen.

Presumably with this buffer overflow error, AOL can download
new x86 code in the future which generates different responses
from the client.  In this way, they can constantly stay a few days ahead
of Microsoft in this game of "spy-vs-spy".

Geoff Chappell has done a detailed analysis of the AIM IM code
and has located the actual bug.  His write-up on the bug can be found
at these two URLs:

   http://www.ozemail.com.au/~geoffch/security/aim/
   http://www.ozemail.com.au/~geoffch/security/aim/preliminary.htm

He also provides details on how the special AOL packet is executed
by this buffer overflow error.

On the AOL side of things, they continue to publicly deny anything
is amiss here.  In press articles they either claim there is no buffer
overflow error in the client software or that they are not doing
anything to compromise the security of their AIM customers.

I respectfully disagree.  Buffer overflow exploits are very
difficult to get right and small slip-ups can cause computers
to crash.  If AOL continues to play this game, they risk
crashing customers' PCs on a large scale down the road
as they change the code which is executed by the client.

It also makes me personally very queasy to know that
there is network software on my computer that allows outsiders
to silently download and run code.  Buffer overflow errors should
be fixed, not used!

(As an aside, does anyone know of a previous case in
which a computer vendor ever used a buffer overflow before?
AOL's actions here might be a first.)

On the Microsoft side of things there is a bit of news also.
This AOL buffer overflow story began two weeks
ago when I received a message from a person claiming
to be "Phil Bucking" from "Bucking Consulting".  The
message was sent via Yahoo Email and detailed what
AOL was up to.  "Phil" claimed he found out what is
going on because he is also writing an IM client.  What "Phil" didn't
realize is that Yahoo puts the originating IP address
in the message headers.  The IP address in his message
traced back to an HTTP proxy server at Microsoft.  This
implied that the message came from inside of Microsoft.
According to an article in InfoWorld on Friday,
Microsoft has acknowledged that "Phil" is actually a Microsoft
employee.  Moral of the story: Don't use Web-based Email
systems like Yahoo and Hotmail for anonymous Email!

I am continuing to look at this issue myself.  My AOL screen name
is "buffover" if anyone wants to add me to their
buddy list. :-)

I also very much would like to talk to a technical person at
AOL about the exploit to hear their side of the story.

Richard M. Smith
