List:       bugtraq
Subject:    Windows AIM Client Exploits
From:       Robbie Saunders <ihost () excite ! com>
Date:       2001-12-30 23:56:47

I have generated a list of exploits that can be used to
cause an illegal operation on Windows AIM clients.

1. Comment Crash - anyone remember that neat little
exploit that involved a large amount of HTML comment
headers "<!-- "? To fix it they configured the server to
ignore instant messages over 2550 characters
instead of the previous 7950, making it seemingly
impossible to send the long string, but it turns out you
can send the full string in a chat invite message.

2. Long Name Crashes - any kind of "extra" feature
involving names (file names, game names, buddy list
names, etc.) can be used to crash the remote AIM
client by sending an unusually long name (like 6000
#'s, for example).

3. Font Buffer Crash - by sending lots of different
fonts in an IM or two you can fill up AIM's recent font
name buffer, which disables all "new" HTML codes (any
HTML header that the client hasn't already used in the
open IM window). For example, links turn up as
normal text and new fonts are converted to the
default font. It seems AOL miscoded something, and
sending a horizontal line "<hr>" causes the client to
crash after you fill up the font buffer.

4. Large Buddy Icon Crash - you can freeze
someone's computer for a short (or long) amount of
time by sending someone a small .gif file edited to be
very large (like 10,000x10,000) as a buddy icon.

5. Future Problems? - sending an invalid chat URL in a
chat invite (like using two !'s instead of one) causes a
blank modal to pop up, sending the character – (150)
gives the remote AIM a neat little font error, and you
can send image headers (and maybe images) in
game invites.

I have updated my AIM filter software to use and
block the above exploits, and it can be downloaded at
http://www.ssnbc.com/wiz/

<all exploits were discovered by or largely contributed
to by Robbie Saunders>
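The kind of inbound sanity checks a client-side filter like the one mentioned above could apply, written here as an added Python example that is neither code from this post nor from the author's filter software. The 2550-character message cap and the 10,000x10,000 icon size come from the post; the other thresholds, the regexes and all sample inputs are assumptions constructed for illustration.

```python
import re
import struct

MAX_MESSAGE_LEN = 2550         # server-side IM cap stated in the post
MAX_NAME_LEN = 255             # assumed sane limit for file/game/buddy names
MAX_COMMENT_OPENERS = 16       # assumed: real IMs rarely carry many "<!--"
MAX_DISTINCT_FONTS = 8         # assumed: more than this looks like buffer filling
MAX_ICON_PIXELS = 1024 * 1024  # assumed: 1 megapixel is far beyond any icon

_COMMENT_RE = re.compile(r"<!--")
_FONT_FACE_RE = re.compile(r'<font[^>]*face\s*=\s*"?([^">]+)"?', re.IGNORECASE)
_HR_RE = re.compile(r"<hr\b", re.IGNORECASE)


def check_message(html: str) -> list[str]:
    """Return the filter rules an inbound IM or chat-invite body trips."""
    hits = []
    if len(html) > MAX_MESSAGE_LEN:
        hits.append("oversized-message")
    if len(_COMMENT_RE.findall(html)) > MAX_COMMENT_OPENERS:
        hits.append("comment-flood")
    faces = {m.group(1).strip().lower() for m in _FONT_FACE_RE.finditer(html)}
    if len(faces) > MAX_DISTINCT_FONTS:
        hits.append("font-flood")
        if _HR_RE.search(html):          # the <hr>-after-flood case from item 3
            hits.append("font-flood-with-hr")
    return hits


def check_name(name: str) -> bool:
    """True if a file/game/buddy name exceeds the assumed length limit (item 2)."""
    return len(name) > MAX_NAME_LEN


def check_gif_icon(data: bytes) -> bool:
    """True if a buddy icon should be rejected before it reaches the decoder.

    A GIF starts with 'GIF87a'/'GIF89a' followed by the logical screen
    width and height as little-endian 16-bit values, so an oversized
    claim (item 4) is visible without decoding a single pixel.
    """
    if len(data) < 10 or data[:3] != b"GIF":
        return True  # not a GIF at all: reject rather than trust the decoder
    width, height = struct.unpack("<HH", data[6:10])
    return width * height > MAX_ICON_PIXELS


# Constructed sample inputs (not captured traffic).
COMMENT_FLOOD = "<!-- " * 40
FONT_FLOOD = "".join(f'<font face="f{i}">x</font>' for i in range(12)) + "<hr>"
HUGE_ICON = b"GIF89a" + struct.pack("<HH", 10000, 10000) + b"\x00" * 20
SMALL_ICON = b"GIF89a" + struct.pack("<HH", 48, 48) + b"\x00" * 20
```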
