what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

aolDoSateim32.txt

aolDoSateim32.txt
Posted Jun 20, 2005
Authored by SP Research Labs | Site security-protocols.com

AOL Instant Messenger (AIM) buddy icon ateimg32.dll is susceptible to a denial of service vulnerability.

tags | advisory, denial of service
SHA-256 | ea1e1cb8f0ff32a23f3b0a3fd57f507e2e71f6162b20d3672552779e348e3e75

aolDoSateim32.txt

Change Mirror Download
AOL AIM Instant Messenger Buddy Icon "ateimg32.dll" DoS

Release Date:
June 6, 2005

Date Reported:
June 6, 2005

Severity:
Medium? (if you can exploit it, email me. ;-])

Vendor:
AOL

Systems Affected:
AIM 5.9.3797 for Windows 98/ME/2K/XP (5.96 MB) and all prior versions.

Affected Platforms:
# Windows

Overview:
A denial of service (its on the heap) vulnerability exists within the
AOL AIM instant messenger. Here is a description of AIM from the vendor:

"Enjoy the convenience of using your AIM screen name as your e-mail
address-and take advantage of new and improved features, like:
• Spam and Anti-Virus Protection: Industry-leading security tools help
keep your mailbox free of annoying junk mail and harmful viruses."

Security? Anti-Virus? nice... ;-]

Technical Details:
The vulnerability exists within the GIF parser in "ateimg32.dll". Below
are the details regarding this flaw:


The vulnerable exists within the GIF parser. You can see at the address
12081BDB, they set ebx with an argument supplied in the last argument:

.text:12081BDB mov ebx, [esp+arg_C]
.text:12081BDF test ebx, ebx
.text:12081BE1 jbe short loc_12081C1A
.text:12081BE3 mov ecx, [esp+arg_8]
.text:12081BE7 push esi
.text:12081BE8 push edi
.text:12081BE9 mov edi, [esp+8+arg_4]

Here is what the function declaration would look like:

unk_func(

struct aim_1 *arg_0,

struct aim *arg_4,

char *dest_buff,

int obj_cnt)

{

The last argument is a count. This routine appears to copy each entry
out until is done. Each iteration fo the loop obj_cnt is subtracted by
one. At 12081C13 you can see the dec ebx:

.text:12081C13 dec ebx
.text:12081C14 mov ecx, esi
.text:12081C16 jnz short loc_12081BED
.text:12081C18 pop edi
.text:12081C19 pop esi

This is basiclly a obj_cnt--; then you see the jnz. This means that the
counter isnt zero, then it jumps back up and does it again. Which would
kind of look like this:

while(1)

{

...

memcpy(...);

...

obj_cnt--; //decrement counter

if(!obj_cnt) //equal to zero

break; //leave loop

}


Now if the obj_cnt argument is zero, is when we have the problem. When
you subtract 1 from 0 you get -1. ;-] So, if im correct -1 is really
0xFFFFFFFF. So it only can can set 0-1=0xFFFFFFFF chunk, where per chunk
is only 30 bytes. ;-(

If you want to crash a remote host which is running the AIM client, use
the following .gif file as your buddy icon in Trillian and message a
friend which is using the AIM client:

http://security-protocols.com/poc/aim-DoS-.gif
or
http://fux0r.phathookups.com/aim-DoS.gif

Or, you can reproduce this problem just by using this buddy icon in AIM
locally.

Protection:
Dont use AIM~!

Vendor Status:
Im sure they will be releasing a patch very shortly.

Credit:
Discovery: Tom Ferris

Related Links:
www.security-protocols.com
www.eeye.com

Greetings:
chico the dog, connie, acidjazz, NiN, ,hugo the puto, jim beam, mike p,
flashsky, regulate, 011ie, mike in .mx, riley, modify, dmuz (call it a
truce?), ae, marc, and the rest of the eEye family.

Copyright (c) 2005 Security-Protocols.com

--
Tom Ferris
Researcher
www.security-protocols.com
Key fingerprint = 0DFA 6275 BA05 0380 DD91 34AD C909 A338 D1AF 5D78

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close