Security Incidents mailing list archives

AIM Password theft SUMMARY


From: Mark Coleman <markc () uniontown com>
Date: Wed, 24 Sep 2003 12:14:27 -0400

There are two basic FACTS that I am certain of after tracking and documenting this successful theft of these AIM accounts.

First, it was certainly a MS IE hole that allowed the passwords to be recovered from the registry. The trust in the AIM "buddy list" was the delivery mechanism to coax users to visit the malicious web page.

Second, AIM isn't completely innocent in this because there remains an issue with users in this department being unable to regain control of their AIM accounts. From what I have concluded, there were TWO basic problems on the AIM side as well:

1) The hacker or script was able to somehow change their passwords (all users who were affected) to the letter "a" followed by 3 or more full lines of whitespace. This still prevents the users from having access to their AIM accounts, and their complaints to AOL have yet to be answered. They must enter a password to do anything except "retrieve password", and the retrieved password is the "a" with the whitespace, which is unusable. I have not examined the AIM method to change password; this might be as simple as replacing data in a submit string that AOL doesn't parse properly.

2) It appears from the AIM email that a request to change the email address associated with an AIM account defaults to "accepted" unless replied to. If this is true, it is certainly bad practice at the very least. The users WERE able to re-assign their correct email addresses back to their own account by replying to the notification email to NOT proceed with the email address change. This fact and the header evidence is why I believe this to not be a forged email, and that this is the standard policy for AIM. Here's the blurb from the email:
---------------------------------------
If you DO NOT wish to make this change, PLEASE REPLY to this e-mail and type 'OK' as the text of your message. If we receive your reply within 72 hours the change request will be canceled. If you want this change to take place, you can ignore this e-mail. Instead, go to your new e-mail address and confirm the e-mail we are sending there. Only reply to this e-mail if you do not want to change your AOL Instant Messenger e-mail address.
Thank you for using the AOL Instant Messenger(SM) service.
---------------------------------------


Further, there have been several direct emails to me (THANK YOU ALL) with theories of which specific IE hole was used. One or two have cited this one:

http://lists.insecure.org/lists/bugtraq/2003/Sep/0026.html

...that is reportedly still unpatched, while the majority of others have cited this:

MS03-032: August 2003 Cumulative Patch for Internet Explorer

http://support.microsoft.com/default.aspx?scid=kb;en-us;822925

Although I didn't dissect the scripts, I believe the latter because there were several members of my department (aka patched with MS03-032) that received the solicitation via AIM from their compromised buddy in the unpatched department, who visited the www.haxr.org page, and were NOT compromised as of today, while several users in the opposite department who were all unpatched were compromised. I realize that this isn't proof, but I consider it strong enough evidence that the MS03-032 patch issued Aug 20th prevented the script in the web page from successfully forwarding the username/password from the registry for the users who were patched on my side. I have zero compromised users in my own department.

When I have the time, I will likely sniff and watch both patched and unpatched machines visiting the web site and see what happens.

I am considering this issue closed, concluding that the remedy is to patch with MS03-032.

I WOULD LIKE TO THANK ALL WHO CONTRIBUTED TO MY PLEA FOR ASSISTANCE, both through the list and direct; your responses were greatly appreciated.

-Mark Coleman

Please note that this is my personal email address, none of the above activities or events occurred on the network or hosts providing service for this email account.
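Added example (not part of Mark's post, and not AOL's code): the two AIM-side problems he lists are both server-side account-management defects, and the defensive pattern for each is small enough to show. The first function rejects a password change whose value is a single character padded with line breaks or other whitespace, so an unusable credential like "a" followed by blank lines can never be stored. The second part is a fail-closed e-mail change flow: a requested change stays pending, is applied only when the holder of the new mailbox presents the confirmation token within the window, can be cancelled from the old address, and simply lapses if nobody responds. Account names, addresses and the class/function names are constructed for this example; only the 72-hour window comes from the quoted AOL notice.

```python
"""Defensive checks for the two account-side problems described in the post.
Everything here is an illustrative model, not AIM's real implementation."""
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LEN = 8                      # assumed policy value
CONFIRM_WINDOW = timedelta(hours=72)      # figure quoted in the AOL notice
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_new_password(candidate: str) -> tuple[bool, str]:
    """Return (ok, reason). A password of 'a' plus blank lines fails on the
    first two checks; leading/trailing or control-character padding is
    refused outright rather than silently stored."""
    if candidate != candidate.strip():
        return False, "leading or trailing whitespace"
    if _CONTROL_CHARS.search(candidate):
        return False, "control or line-break characters"
    if len(candidate) < MIN_PASSWORD_LEN:
        return False, "too short"
    return True, "ok"


@dataclass
class EmailChangeRequest:
    account: str
    old_email: str
    new_email: str
    requested_at: datetime
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class AccountDirectory:
    """Toy account store: current e-mail per account plus pending changes."""

    def __init__(self) -> None:
        self.emails: dict[str, str] = {}
        self.pending: dict[str, EmailChangeRequest] = {}

    def request_email_change(self, account: str, new_email: str, now: datetime) -> str:
        req = EmailChangeRequest(account, self.emails[account], new_email, now)
        self.pending[account] = req
        # The token is delivered only to new_email; the old address receives
        # a notice with a cancel option. Nothing changes until confirmation.
        return req.token

    def confirm_from_new_address(self, account: str, token: str, now: datetime) -> bool:
        req = self.pending.get(account)
        if req is None or now - req.requested_at > CONFIRM_WINDOW:
            self.pending.pop(account, None)
            return False
        if not secrets.compare_digest(token, req.token):
            return False
        self.emails[account] = req.new_email
        del self.pending[account]
        return True

    def cancel_from_old_address(self, account: str) -> bool:
        return self.pending.pop(account, None) is not None

    def expire(self, now: datetime) -> None:
        """Silence is not consent: unconfirmed requests lapse after the window."""
        for acct in list(self.pending):
            if now - self.pending[acct].requested_at > CONFIRM_WINDOW:
                del self.pending[acct]


def demo() -> dict:
    """Run both checks on constructed data and return the outcomes."""
    d = AccountDirectory()
    d.emails["victim01"] = "victim01@example.org"          # constructed account
    t0 = datetime(2003, 9, 24, 12, 0, tzinfo=timezone.utc)

    # Unsolicited change request that nobody confirms or cancels.
    tok = d.request_email_change("victim01", "unknown-party@example.net", t0)
    d.expire(t0 + CONFIRM_WINDOW + timedelta(minutes=1))
    late = d.confirm_from_new_address("victim01", tok, t0 + CONFIRM_WINDOW + timedelta(minutes=2))
    kept_old = d.emails["victim01"] == "victim01@example.org"

    # Legitimate change: new mailbox confirms within the window.
    tok2 = d.request_email_change("victim01", "new-address@example.org", t0)
    confirmed = d.confirm_from_new_address("victim01", tok2, t0 + timedelta(hours=1))

    return {
        "bad_pw": validate_new_password("a\n\n\n"),
        "good_pw": validate_new_password("tr0ub4dor&3xx"),
        "lapsed_kept_old": kept_old,
        "late_confirm_rejected": not late,
        "confirmed": confirmed,
        "email_now": d.emails["victim01"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the second half is the default: in this model an unanswered request leaves the account exactly as it was, which is the opposite of the "accepted unless replied to" behaviour the post describes, and the cancel path from the old address is an extra safeguard rather than the only one.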
