AIM Exploits
Date: 6 Oct 2001 19:13:52 -0000
From: Robbie Saunders <ihost@excite.com>
To: bugtraq@securityfocus.com
Subject: AIM Exploits

thanks to BlueJAMC for his post,
as a starter i'd like to correct some information about
the comment crash, the reason you can't paste it is
because it crashes the client, not because it's too
big... if it was too big you wouldn't be able to send it
an im. and it's been on aim filter and used by your
average aim user since early august

the following exploits were found and implemented by
Robbie Saunders, although i believe the file crash
was used before me by `CodeDreamer`

3 other exploits:

1) Font Crash: windows aim stores recent font
names for instant messages, and i found that by
sending a lot of different fonts causes aim to pop up
with a font error, and after messing around i
discovered that lines "<HR>" crash the client (and in
some cases the OS) after the error has popped up,
making for a neat little crash if you send a few
hundred fonts with a horizontal line tacked on the end

2) File Crash: i'm not quite sure why this crashes the
client, but if you send a file with a very large filename,
the client crashes, and just closes on any nt based
OS

3) Icon Crash: aim doesn't check incoming buddy
icons to be under a certain height or width, so you
can send an edited .gif file that may be 1k but claims
to be very large (such as 10000x10000) and end up
freezing the aim client for a large period of time, and
on slow computers cause serious memory issues... i
have tested with larger values (like 65kx65k) but it
appears aim will pop up a memory buffer error
instead of crashing... and apparently sending corrupt
wav files will crash the client in the same manner

If you're on windows you can use the software i
created to exploit these bugs (AIM Filter), it can be
found at http://www.ssnbc.com/wiz/ in software>aim

aim filter is a local proxy that acts as both a server
and client, meaning you can implement the
crashes/features no matter what aim client you're on
(and it's easy to use too, just type commands like
aim.file.crash)
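
Added example, not part of the original post and not AIM's code: the receiver-side check that item 3 (Icon Crash) says is missing, which reads the width and height a GIF declares and rejects the icon before any decoder sizes a buffer from them. The names `check_gif_icon`, `icon_verdict` and `SAMPLE_ICON`, and the `max_dim` limit of 64 passed in `main`, are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

enum icon_verdict { ICON_OK, ICON_MALFORMED, ICON_TOO_LARGE };
/* Constructed sample: a minimal, well-formed 1x1 GIF89a (35 bytes). */
static const uint8_t SAMPLE_ICON[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80,0,0, 0,0,0, 255,255,255,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0, 2, 2,0x44,0x01, 0, 0x3B };

static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Skip a chain of data sub-blocks; 0 means it ran off the end of the buffer. */
static int skip_subblocks(const uint8_t *b, size_t n, size_t *i) {
    while (*i < n) {
        size_t sz = b[(*i)++];
        if (sz == 0) return 1;
        if (sz > n - *i) return 0;
        *i += sz;
    }
    return 0;
}

/* max_dim is a caller-chosen policy limit (an assumption, not from the post). */
enum icon_verdict check_gif_icon(const uint8_t *b, size_t n, unsigned max_dim) {
    if (n < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return ICON_MALFORMED;
    unsigned sw = rd16(b + 6), sh = rd16(b + 8);        /* logical screen size */
    if (sw == 0 || sh == 0) return ICON_MALFORMED;
    if (sw > max_dim || sh > max_dim) return ICON_TOO_LARGE;
    size_t i = 13, frames = 0;
    if (b[10] & 0x80) i += (size_t)3 << ((b[10] & 7) + 1);  /* global colour table */
    while (i < n) {
        uint8_t tag = b[i++];
        if (tag == 0x3B) return frames ? ICON_OK : ICON_MALFORMED;  /* trailer */
        if (tag == 0x21) {                  /* extension: label, then sub-blocks */
            i++;
            if (!skip_subblocks(b, n, &i)) return ICON_MALFORMED;
        } else if (tag == 0x2C) {           /* image descriptor: 9 bytes follow */
            if (n - i < 9) return ICON_MALFORMED;
            unsigned w = rd16(b + i + 4), h = rd16(b + i + 6);
            if (rd16(b + i) + w > sw || rd16(b + i + 2) + h > sh) return ICON_TOO_LARGE;
            uint8_t packed = b[i + 8];      /* frame fits the already-capped screen */
            i += 9;
            if (packed & 0x80) i += (size_t)3 << ((packed & 7) + 1);  /* local table */
            i++;                            /* LZW minimum code size byte */
            if (!skip_subblocks(b, n, &i)) return ICON_MALFORMED;
            frames++;
        } else return ICON_MALFORMED;
    }
    return ICON_MALFORMED;                  /* no trailer before end of data */
}
int main(void) { return check_gif_icon(SAMPLE_ICON, sizeof SAMPLE_ICON, 64); }
```

The check covers both places a GIF states a size, the logical screen descriptor and each frame's image descriptor, since a decoder may allocate from either one.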