Vulnerability Development mailing list archives
Re: AIM Exploits
From: "VeNoMouS" <venom () phreaker net>
Date: Sun, 7 Oct 2001 17:34:50 +1300
because you're talking about sending a lot of font requests, which is basically <!-- if you think about it, hell it could be XXXXXX for all it cares, it's a bof (buffer overflow) on its input by the looks of things

----- Original Message -----
From: First Last <ihost () excite com>
To: VeNoMouS <venom () phreaker net>; <vuln-dev () securityfocus com>
Sent: Sunday, October 07, 2001 5:13 PM
Subject: Re: AIM Exploits

how is the font crash anything like the <!-- exploit, besides the fact that it uses html? maybe you misunderstood, after you overload the font buffer aim uses, sending a horizontal line will crash the client...

On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:

i don't think you're very clued on anything here my friend,

> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)

this here sounds like the dos we have been talking about except it's just <-- it's a bof just like the line below

> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS

well obviously they are copying the filename to an array which is only a certain size, it's a simple out of bounds overflow

----- Original Message -----
From: Robbie Saunders <ihost () excite com>
To: <vuln-dev () securityfocus com>
Sent: Sunday, October 07, 2001 8:07 AM
Subject: AIM Exploits

> as a starter i'd like to correct some information about
> the comment crash, the reason you can't paste it is
> because it crashes the client, not because it's too
> big... if it was too big you wouldn't be able to send it
> an im. and it's been on aim filter and used by your
> average aim user since early august
>
> the following exploits were found and implemented by
> Robbie Saunders, although i believe the file crash
> was used before me by `CodeDreamer`
>
> 3 other exploits:
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
>
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
>
> 3) Icon Crash: aim doesn't check incoming buddy
> icons to be under a certain height or width, so you
> can send an edited .gif file that may be 1k but claims
> to be very large (such as 10000x10000) and end up
> freezing the aim client for a large period of time, and
> on slow computers cause serious memory issues... i
> have tested with larger values (like 65kx65k) but it
> appears aim will pop up a memory buffer error
> instead of crashing... and apparently sending corrupt
> wav files will crash the client in the same manner
>
> If you're on windows you can use the software i
> created to exploit these bugs (AIM Filter), it can be
> found at http://www.ssnbc.com/wiz/ in software>aim
>
> aim filter is a local proxy that acts as both a server
> and client, meaning you can implement the
> crashes/features no matter what aim client you're on
> (and it's easy to use too, just type commands like
> aim.file.crash)

_______________________________________________________
http://inbox.excite.com
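
Added example, not part of the thread and not AIM's code: the icon crash in item 3 comes from trusting the width and height a GIF header claims, so a receiving client can reject the icon before any decoder allocates for it. The 64-pixel and 8192-byte limits and every name below are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits for a buddy icon; the thread does not give AIM's. */
#define ICON_MAX_DIM   64u
#define ICON_MAX_BYTES 8192u

enum icon_verdict { ICON_OK = 0, ICON_TRUNCATED, ICON_BAD_MAGIC,
                    ICON_TOO_BIG_ON_WIRE, ICON_BAD_DIMENSIONS };

/* Read a little-endian 16-bit field without assuming alignment. */
static uint16_t le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate the signature and logical screen size before decoding, so the
 * sender's claimed dimensions never drive a width * height allocation. */
enum icon_verdict check_gif_icon(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < 10)          /* 6-byte signature + two 16-bit sizes */
        return ICON_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return ICON_BAD_MAGIC;
    if (len > ICON_MAX_BYTES)
        return ICON_TOO_BIG_ON_WIRE;

    uint16_t w = le16(buf + 6);           /* logical screen width  */
    uint16_t h = le16(buf + 8);           /* logical screen height */
    if (w == 0 || h == 0 || w > ICON_MAX_DIM || h > ICON_MAX_DIM)
        return ICON_BAD_DIMENSIONS;
    return ICON_OK;
}

/* Constructed sample headers, not captured traffic. 10000 == 0x2710. */
static const unsigned char sample_ok[]   = { 'G','I','F','8','9','a', 48, 0, 48, 0 };
static const unsigned char sample_huge[] = { 'G','I','F','8','9','a',
                                             0x10, 0x27, 0x10, 0x27 };

int main(void)
{
    printf("48x48 verdict: %d\n", check_gif_icon(sample_ok, sizeof sample_ok));
    printf("10000x10000 verdict: %d\n",
           check_gif_icon(sample_huge, sizeof sample_huge));
    return 0;
}
```

Each frame's image descriptor inside a GIF carries its own width and height, so a decoder needs the same bound applied there as well.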
Current thread:
- AIM Exploits Robbie Saunders (Oct 06)
- <Possible follow-ups>
- Re: AIM Exploits First Last (Oct 07)
- Re: AIM Exploits VeNoMouS (Oct 07)
- Re: AIM Exploits First Last (Oct 07)