AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

How to protect yourself

For those who didn't bother to read the article:

We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz [ssnbc.com]) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."

You have mail!

...and now everyone has your mail!

Re:Why not wait a day?

Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.

Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

Re:Why not wait a day?

Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking? Consider the following off-line scenarios, which to me seem equivalent (someone correct my thinking):

• A test mode is discovered in a popular residential/commercial building security system whereby anyone can enter such a building by punching in a certain 23-digit code into the alarm keypad. w00w00 drives around town and posts a picture of the affected keypads and the first 21 digits of the code.
  
• Certain model year GM vehicles' security systems can be foiled by holding down multiple chiclet keys at once and inserting a metal object into the driver's side door keyhole. w00w00 cruises local mall parking lots, opening the doors of random vehicles, putting a bulletin about the problem on the driver's seat, closing the door, and fleeing.
  
• A template and generating function for test AT&T calling card numbers is discovered that permits anyone with the two to make free calls. w00w00 publishes the information.
  

All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.

These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?

There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.

Re:Why not wait a day?

it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.

additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.

just the old regulated security VS. freedom debate.

Re:Why not wait a day?

Actually, I don't hate Microsoft products, just their practices and abhorrent licensing shenanigans. In fact, I use WinNT, Outlook, IE 5.5 and the rest of the Office 97 suite alongside Gimp, Apache, Perl, NMap, and WGet.

I am not an OSS zealot although I do dual-boot Mandrake.

I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.

I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.

GTRacer
- Equal-opportunity company basher!

Info on AIM protocol

Since we all know the holes won't stop here, anyone who wishes to further investigate problems can start their research here [aol-files.com] and here [aol-files.com].

Re:Info on AIM protocol

Well, you can research the protocol all you want, but it is the client application that is the problem here. Now maybe the protocol makes security an issue when used correctly, but still it is up to the client developer to introduce the feature in a non-safe way.

not any machine

...only windows machines. get your facts straight.

This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.

Re:Warnings

One of ICQ's was a login buffer overflow. Basically if you used licq or a NON-Mirabilis version, you could login as anyone just by using a password longer than 15 chars (IIRC).

Ok so I used it once to send two of my coworkers homo "I like to watch your ass" emails from each other...

Most of the writeup bashes the DMCA

The guy spends most of his time bashing the DMCA and how hard it makes to offer patches to this sort of thing without AOL's permission:

From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.

Better Link

http://www.w00w00.org/advisories/aim.html [w00w00.org] is a better link.

Hey, if you guys want open-source IM, check out http://www.jabber.org [jabber.org] The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?

Re:Better Link

I think the MSN and Yahoo transports on the Jabber.org server has been working reliably for some time.

For ICQ and AIM, you can probably find some lesser-used Jabber servers with the transports active, and not blocked. JabberView.com has a small list of other servers.

Me, I just use my Jabber.org account, but cross-link to transports on other servers that actually work.

Of course, you can run your own server and transports. Heck, you could even do it on your own box if you want to. Just run icq.localhost and aim.localhost along with jabberd localhost, but still use your user@jabber.org or whatever as your main Jabber account. It's easy to do.

Yet another reason

I stopped using ICQ years ago because it was so script-kiddie friendly and AIM not long after. I'm quite happy using Jabber [jabber.org] with a gateway to Yahoo Messenger, thankyouverymuch.

Abstract Error

The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.

AIM will always be a problem

ALWAYS, if the protocol isn't openly documented and severely tested over a communications line for security it is insecure.

I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)

If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.

Now they need a sound to go with their IM

How about the "you got mail" dude do one that says "j00 g0t 0wN3D"!

One of Many Instant Messenger Exploits (MIME for short), I'm sure.

{if you are going to assinate a Mime, would you use a silencer?}

Bug in the implementation, not the protocol

The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol.

The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.

Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...

It couldn't be...

It couldn't be, because
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.

From this site. [aol.com]

Trillian

I've recently started using trillian (www.trillian.cc [trillian.cc]) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.

Re:Trillian

Well, there's always Everybuddy [everybuddy.com], which I used for a while. I never used the non-AIM services much though, so these days I've reverted to Gaim [sourceforge.net]. It has support for ICQ and other protocols (MSN, Jabber, IRC, Zephyr, ..?), but I've never tried it myself.

Daniel

Re:Trillian

Jabber is great except for four very pesky problems:

1) You have to connect to a Jabber server
2) You have to find a Jabber server that is running all of the message protocols you want/need
3) Most servers are run by regular people, and they're not always on when you want/need them.
4) Your buddy list is stored server side, so you can not easily move to another server. If your sever goes down you'll have to recreate your entire buddly list on a new server if you want access.

Trillian, on the other hand, connects to the chat providers native servers and uses XML as a translation mechanism on the client side. The chances of Yahoo's chat server, AOL's chat server, ICQ's servers, or MSN's chat servers going down is very very slim. I used to use Jabber but gave up in frustration when the server I used disappeared for over a week.

Gaim and TOC

well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.

as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.

<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>

Heh... first hack...

Change that annoying incomming Email .wav file...

"You've got nailed"

Best PR Spin

This has got the best PR response I've ever seen to one of these holes:

From the Washington Post Story [washingtonpost.com]

A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...

w00w00?

"The non-profit security team w00w00.org..."

Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?

More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?

"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."

Check out this quote...

from USAToday [usatoday.com]:

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."

Hmm. Anyone else sense a little hostility from the for-profit [trusecure.com] security industry...?