Bugtraq mailing list archives

AIM Remote File Transfer/Direct Connection Vulnerability


From: Sil <sil () linuxquestions net>
Date: 21 Apr 2002 00:18:57 -0000



AIM Remote File Transfer/Direct Connection Vulnerability

I discovered this vulnerability while I was port scanning my brother (April 15th, 2002); he just happened to send me a file, and the port scan connected and received the file instead of me. The next day (April 16th, 2002) I made a program to exploit the vulnerability. This is how the vulnerability works:

When AIM gets a connection request or tries to connect to someone else, it acts as a server. The program I made rapidly tries to connect to the target IP (every 450 milliseconds) on port 4443 (Direct Connection) and 5190 (File Transfer); it then intercepts the connection and steals whatever data the target sends. They can receive text from their "friends" but they cannot send it, because all data they send gets sent to you. I don't know the Oscar protocol, but I'm sure that if you were to use it, you could send text back to the IM as the "friend" or maybe as a fake screen name; this could be used to trick the person into giving you passwords or personal information. Even if the person just happened to send something like "passwords.txt" to their "friend", you now have those passwords.

The fix:
I think a fix would be simple: have AIM only connect to the IP of the person they are trying to connect to, which would be retrieved by the AIM server(s). I wouldn't doubt there being ways to exploit this also, but it's a start.
A temporary way to protect from the file transfer spy would be to change the port in the AIM preferences dialog for file transfer to something other than 5190; it would be pretty hard for someone to guess what port you changed it to.
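As an added illustration of the fix the post proposes (this is constructed example code, not code from the post, from RAFTS, or from AIM itself): a small Python receiver that, like a client waiting for a direct connection or file transfer, listens for one inbound connection but accepts it only from the address the rendezvous server said the buddy is at, and drops anyone else who happens to connect first. It assumes the expected peer IP is known out of band (here the caller passes it), runs entirely over loopback, and uses a constructed sample payload; the helper names are mine.

```python
import socket
import threading

# Added example, not code from the post or from AIM: a constructed receiver
# that applies the fix the post proposes. The expected peer address is
# assumed to come from the AIM server out of band; here the caller passes it.
SAMPLE_FILE = b"constructed sample transfer: contents of passwords.txt"


def peer_allowed(peer_ip, expected_ip):
    """The proposed check: accept the inbound connection only if it comes
    from the address the server told us our buddy is at. Anyone else who
    connected first (the race the post describes) is turned away."""
    return peer_ip == expected_ip


def run_receiver(expected_ip, max_attempts=3, timeout=1.0):
    """Listen on a loopback port, as a client does while a transfer is
    pending, and hand the port back so a peer can connect. Returns
    (port, thread, result); result is filled in by the listener thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    result = {"data": None, "rejected": []}

    def serve():
        try:
            for _ in range(max_attempts):
                try:
                    conn, (peer_ip, _) = srv.accept()
                except socket.timeout:
                    break               # nobody else is coming
                if not peer_allowed(peer_ip, expected_ip):
                    result["rejected"].append(peer_ip)
                    conn.close()        # stranger: drop without reading or sending
                    continue
                with conn:              # expected buddy: receive the transfer
                    chunks = []
                    while True:
                        buf = conn.recv(4096)
                        if not buf:
                            break
                        chunks.append(buf)
                    result["data"] = b"".join(chunks)
                break
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread, result


def demo(expected_ip):
    """Start a receiver expecting expected_ip, then connect from loopback
    (127.0.0.1) and send the sample payload. With expected_ip == "127.0.0.1"
    the transfer is received; with any other address the connection is
    rejected and nothing is read from it."""
    port, thread, result = run_receiver(expected_ip)
    try:
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(SAMPLE_FILE)
    except OSError:
        pass                            # a rejected connection may be reset mid-send
    thread.join()
    return result


if __name__ == "__main__":
    print(demo("127.0.0.1"))     # data received, rejected == []
    print(demo("203.0.113.7"))   # data None, rejected == ["127.0.0.1"]
```

The check is deliberately the one the post describes and no more: it compares the connecting address with the address the server reported, so a connection that arrives first from somewhere else never gets a byte of the transfer. As the post itself notes, a source-address check is a start rather than a complete fix; it does nothing against a peer that shares the expected address, which is why the post also suggests moving the listening port away from the default.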

Data you could potentially "steal":
pictures, files, text, passwords, movies, personal information, etc.

Well, that concludes this article. If you have any questions or comments, please feel free to contact me.

(One last note: I am still fixing bugs and trying different things with the program, but when I am happy with it, I will post it on my site. It is called RAFTS, which stands for Remote AIM File Transfer Spy.)

-Joseph Musso a.k.a. Sil
www.silenttech.com
aim screen name: xlsillx
email: sil () linuxquestions net

