Date: 30 Dec 2001 23:56:47 -0000
From: Robbie Saunders <ihost@excite.com>
To: bugtraq@securityfocus.com
Subject: Windows AIM Client Exploits

I have generated a list of exploits that can be used to cause an illegal operation on Windows AIM clients.

1. Comment Crash - Anyone remember that neat little exploit that involved a large amount of HTML comment headers ("<!-- ")? To fix it they configured the server to ignore instant messages over 2550 characters instead of the previous 7950, making it seemingly impossible to send the long string, but it turns out you can send the full string in a chat invite message.

2. Long Name Crashes - Any kind of "extra" feature involving names (file names, game names, buddy list names, etc.) can be used to crash the remote AIM client by sending an unusually long name (like 6000 #'s, for example).

3. Font Buffer Crash - By sending lots of different fonts in an IM or two you can fill up AIM's recent font name buffer, which disables all "new" HTML codes (any HTML header that the client hasn't already used in the open IM window). For example, links turn up as normal text and new fonts are converted to the default font. It seems AOL miscoded something, and sending a horizontal line ("<hr>") causes the client to crash after you fill up the font buffer.

4. Large Buddy Icon Crash - You can freeze someone's computer for a short (or long) amount of time by sending someone a small .gif file edited to be very large (like 10,000x10,000) as a buddy icon.

5. Future Problems? - Sending an invalid chat URL in a chat invite (like using two !'s instead of one) causes a blank modal to pop up, sending the character – (150) gives the remote AIM a neat little font error, and you can send image headers (and maybe images) in game invites.

I have updated my AIM filter software to use and block the above exploits, and it can be downloaded at http://www.ssnbc.com/wiz/

<All exploits were discovered by or largely contributed to by Robbie Saunders>
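The post's own mitigation is a client-side filter. As an added example, not part of the original post and not the author's filter software, the Python below shows what such input validation looks like for the four crash classes described: oversized message or chat-invite text (including the comment-header flood), over-long names, a flood of distinct font faces followed by `<hr>`, and a buddy icon whose GIF header declares huge dimensions regardless of the file's byte size. The 2550-character limit is the server-side figure from the post; the other thresholds, the function names, and the sample inputs are constructed assumptions.

```python
import re
import struct

# Thresholds. MAX_IM_LENGTH is the server limit the post cites; the rest are
# assumed values chosen for illustration, not figures from AOL or the post.
MAX_IM_LENGTH = 2550
MAX_COMMENT_TAGS = 100
MAX_NAME_LENGTH = 255
MAX_DISTINCT_FONTS = 8
MAX_ICON_SIDE = 128          # largest width or height accepted for a buddy icon

COMMENT_RE = re.compile(r"<!--")
FONT_FACE_RE = re.compile(r"<font\b[^>]*\bface\s*=\s*['\"]?([^'\">\s]+)", re.IGNORECASE)
HR_RE = re.compile(r"<hr\b", re.IGNORECASE)


def check_message(text):
    """Return the list of reasons an IM or chat-invite body should be dropped.

    The same check is applied to chat invites because the post notes that the
    server-side length limit was only enforced on ordinary instant messages.
    """
    reasons = []
    if len(text) > MAX_IM_LENGTH:
        reasons.append("length")
    if len(COMMENT_RE.findall(text)) > MAX_COMMENT_TAGS:
        reasons.append("comment-flood")
    faces = {face.lower() for face in FONT_FACE_RE.findall(text)}
    if len(faces) > MAX_DISTINCT_FONTS:
        reasons.append("font-flood")
        # The post says the crash needs both conditions: a full font buffer
        # and a horizontal rule arriving afterwards.
        if HR_RE.search(text):
            reasons.append("hr-after-font-flood")
    return reasons


def name_is_safe(name):
    """Length check for file names, game names and buddy list names."""
    return 0 < len(name) <= MAX_NAME_LENGTH


def gif_dimensions(data):
    """Read width and height from the GIF logical screen descriptor.

    Bytes 0-5 are the signature ("GIF87a"/"GIF89a"); bytes 6-9 hold the
    little-endian width and height. Returns None for anything that is not GIF.
    """
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack_from("<HH", data, 6)
    return width, height


def icon_is_safe(data):
    """Accept a buddy icon only if it is a GIF whose declared size is bounded.

    The file can be tiny on disk while declaring an enormous canvas, which is
    exactly the case the post describes, so the byte count is not the test.
    """
    dims = gif_dimensions(data)
    if dims is None:
        return False
    width, height = dims
    return width <= MAX_ICON_SIDE and height <= MAX_ICON_SIDE


# Constructed sample inputs (header bytes only, not real image files).
SAMPLE_SMALL_GIF = b"GIF89a" + struct.pack("<HH", 48, 48) + b"\x00\x00\x00"
SAMPLE_HUGE_GIF = b"GIF89a" + struct.pack("<HH", 10000, 10000) + b"\x00\x00\x00"
SAMPLE_FONT_FLOOD = "".join(f'<font face="F{i}">x</font>' for i in range(9)) + "<hr>"


if __name__ == "__main__":
    print(check_message("hello"))                 # []
    print(check_message("<!-- " * 600))           # ['length', 'comment-flood']
    print(check_message(SAMPLE_FONT_FLOOD))       # ['font-flood', 'hr-after-font-flood']
    print(name_is_safe("#" * 6000))               # False
    print(icon_is_safe(SAMPLE_SMALL_GIF), icon_is_safe(SAMPLE_HUGE_GIF))  # True False
```

Checking the declared dimensions rather than the file size is the point of `icon_is_safe`: the decoder allocates for the canvas the header claims, not for the bytes received.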