AOL's AIM Exploits Buffer Overflow On Purpose
Scott Hutton writes "CNN is carrying a story that states that AOL is exploiting a buffer overflow in their own client in order to detect and lock out Microsoft AIM clients. That's the first time I've seen someone use a buffer overflow to 'enhance' security."
Seen It (Score:1)
Why this is utter nonsense (Score:1)
For future reference, could we please make a distinction between OSCAR and TOC? They are two totally different protocols. TOC stores all your settings on an AOL server, and the client just interfaces with that "proxying server," for lack of a better term. OSCAR stores all your settings locally and interfaces with the Real AIM Servers. AOL loves it when we use TOC, because it keeps all the power in their hands. Which is why I spend my time working on an OSCAR client.
For more info on naim, check out http://naim.n.ml.org [ml.org], and http://www.auk.cx/faim/protocol/ [www.auk.cx] has good (and very incomplete) info on the AIM protocol. And, as a side note, there are preliminary steps for gaim to use OSCAR as well, but that's still in progress.
This is the first time I've seen the Community listen to blatant M$ hype, and quite frankly, I'm disappointed.
/jbm
That's 256 and 280 bytes for you decimal pple (n/b (Score:1)
That was confusing (Score:2)
As I interpret the article, the AOL *client* is sending 256 bytes (the expected amount) followed by 24 bytes. This is somehow supposed to overflow the buffer on the AOL *server*. The AOL server detects the extra bytes and knows that it is an AOL client.
Extra data not in the spec is NOT the same thing as a buffer overflow exploit. If the server wants to see those 24 bytes it is NOT a buffer overflow. It's simply an omission from the specification.
If this is how things work, the "buffer overflow bug" is on the server side, not the client side.
In this case, suggesting that the AOL client has a "buffer overflow bug" is misleading. Implying that the bug somehow compromises security for users of the AOL client is malicious deception. The client is *sending* extra data, not receiving it.
I don't want to suggest that anyone is trying to create hysteria by misusing the term "buffer overflow". We all know that the phrase "buffer overflow" is a sure way to get the attention of security folks.
As I read the article, though, it's just 24 extra bytes being sent to the server. If the server expects it and handles it, it's hardly a security issue. Are those 24 bytes actually writing into executable memory with a jump instruction? I find that hard to believe.
Or maybe I just missed something in the article....
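The distinction the post draws, a server that expects and length-checks the extra bytes versus one that copies them blindly, is easier to see in code. This is an added example, not code from the article or from AOL: the 256-byte field and 24-byte trailer are the sizes discussed in the thread, while the message layout, function names and sample bytes are constructed for illustration and are not the real OSCAR format.

```c
/* Added example: a length-checked server-side parser for a login message
 * that is 256 bytes, optionally followed by a 24-byte trailer.  The field
 * sizes come from the thread; the layout, names and sample content are
 * constructed for illustration and are not AOL's real OSCAR format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN   256   /* bytes every client is expected to send */
#define TRAILER_LEN  24   /* extra bytes the thread says the official client adds */

enum client_kind { CLIENT_REJECTED = -1, CLIENT_STANDARD = 0, CLIENT_EXTENDED = 1 };

struct login_msg {
    uint8_t field[FIELD_LEN];
    uint8_t trailer[TRAILER_LEN];
    size_t  trailer_len;          /* 0 or TRAILER_LEN */
};

/* Copy exactly FIELD_LEN bytes into the fixed field and accept the trailer
 * only if exactly TRAILER_LEN bytes follow.  Every memcpy length is a
 * constant and the input length is checked first, so no input size can
 * write past the struct: extra bytes the server expects and bounds-checks
 * are protocol data, not an overflow.  An unchecked memcpy of all n bytes
 * into field[] would be one. */
enum client_kind parse_login(const uint8_t *pkt, size_t n, struct login_msg *out)
{
    if (pkt == NULL || out == NULL || n < FIELD_LEN)
        return CLIENT_REJECTED;           /* too short: malformed */

    memset(out, 0, sizeof *out);
    memcpy(out->field, pkt, FIELD_LEN);

    size_t extra = n - FIELD_LEN;
    if (extra == 0)
        return CLIENT_STANDARD;           /* spec-length (256-byte) message */
    if (extra == TRAILER_LEN) {
        memcpy(out->trailer, pkt + FIELD_LEN, TRAILER_LEN);
        out->trailer_len = TRAILER_LEN;
        return CLIENT_EXTENDED;           /* 280-byte message with trailer */
    }
    return CLIENT_REJECTED;               /* any other length is malformed */
}

/* Build a constructed packet of n bytes and report how the parser classifies it. */
enum client_kind classify_sample(size_t n)
{
    uint8_t pkt[512];                     /* constructed sample buffer */
    if (n > sizeof pkt)
        return CLIENT_REJECTED;
    for (size_t i = 0; i < n; i++)
        pkt[i] = (uint8_t)(i & 0xff);     /* arbitrary constructed content */
    struct login_msg msg;
    return parse_login(pkt, n, &msg);
}

/* Self-check: parse a constructed 280-byte packet and confirm the trailer
 * holds input bytes 256..279 (which wrap to 0..23).  Returns 1 on success. */
int trailer_check(void)
{
    uint8_t pkt[FIELD_LEN + TRAILER_LEN];
    for (size_t i = 0; i < sizeof pkt; i++)
        pkt[i] = (uint8_t)i;
    struct login_msg msg;
    if (parse_login(pkt, sizeof pkt, &msg) != CLIENT_EXTENDED) return 0;
    if (msg.trailer_len != TRAILER_LEN) return 0;
    return msg.field[FIELD_LEN - 1] == 255 && msg.trailer[0] == 0 &&
           msg.trailer[TRAILER_LEN - 1] == 23;
}

int main(void)
{
    const size_t sizes[] = { 100, 256, 280, 300 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%3zu-byte message -> %d\n", sizes[i], (int)classify_sample(sizes[i]));
    return 0;
}
```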
Re:Contradicts previous discussion on /. (Score:1)
And the hilarious thing, the poetic justice if you will, is that while Microsoft was clumsily trying to call the kettle black without anyone knowing who the pot was, the pot itself was found to be dirty [news.com] with respect to messaging software security. (As if MS's security problems are actually news anymore.)
Re:OSCAR != TOC (Score:1)
Re:How to stop non-authorized clients (Score:2)
I see no evidence that this is a buffer overflow. (Score:1)
Re:Contradicts previous discussion on /. (Score:1)
"Besides loser in case you've forgotten," while AOL is of course not using this overflow maliciously, the point is that it is one. The other point is that AOL seems to be trying to limit access to its servers to only the clients that it likes. They'll let the Linux client in, but not Yahoo and Microsoft. The point is that if you have a server which you make available to software other than your own, without requiring prior licenses, then you have to make it available to all clients. This is why Microsoft is not "trespassing" on AOL's property - and believe me, if MS was doing anything illegal, lawsuits would be flying within seconds.
Re:ROFL BLIZZARD BEING BLOCKED (Score:1)
Re:How to stop non-authorized clients (Score:1)
I believe that it has been worked around with a proxy and some cleverness, but it complicates the matter and does *not* require that the client have a known buffer overflow problem.
Network clients do not have any business accepting more data than they can handle.
Re:Contradicts previous discussion on /. (Score:1)
The way I see this whole situation is that AOL owns the servers, they can dictate whatever rules they want for accessing the servers. If they want to say, "You MUST use our software if you are going to access our servers using the OSCAR protocol!" that's fine. I'd say the same thing if the situation were reversed.
Re:Contradicts previous discussion on /. (Score:1)
Gibson's Field Day (Score:1)
IceBerg
"When all other possibilities have been eliminated, whatever is left, no matter how unlikely, must be the answer" -- Sherlock Holmes
Re:Proof that I'm more hacker than politician (Score:1)
It makes all the difference in the world. Regardless of whether you side with AOL or Microsoft or whoever on this one, you should be able to see the line here... AOL released specs to the open TOC protocol (albeit with a clause stating that it could change without warning at any time; kudos to them for not doing that to us!) in order to allow people to write unsupported clients. They did *not* release specs to the Oscar protocol.
I don't know exactly what their line of reasoning is to do this, but it seems to me that since they have an established method for unapproved clients to connect, their argument that the Oscar protocol was to remain closed is, if anything, stronger.
My $0.02...
Re:OSCAR != TOC (Score:1)
Also, gaim has been released as an oscar client. I need to read the freshmeat newsletters more often
oh the joys of being OT
/jbm
Proof that I'm more hacker than politician (Score:1)
again please? (Score:1)
They're responding to "the packet"? What packet are they getting? Or, do you mean that they're responding [differently] to the original packet sent to the MS IM client from the server, so that the server will think they're AOL IM? I didn't quite get that, because my initial thought was that you meant that MS was responding differently to the "buffer overflow" [packet], which I didn't understand because I was thinking: "MS isn't getting the packet! The server is!"
Stupid me..
Clarification would be helpful, though, because I'm curious as to what exactly MS is doing to make their IM client 'work.'
Re:ROFL (Score:1)
Re:Why this is utter nonsense (Score:1)
The clients tell the server what version they are long before the server sends the buffer overflow packet. Microsoft chooses to emulate the WIN32 client because it has a lot more features than other clients.
To verify, take a sniffer and capture a trace file of the connection sequence. Only when connecting with the v2 Win32 client will you see this particular packet contents being sent.
Read the technical analysis at http://www.robertgraham.com/pubs/aol-exploit [robertgraham.com]
Re:Contradicts previous discussion on /. (Score:1)
Re:Proof that I'm more hacker than politician (Score:1)
That was helpful (Score:2)
Moderators, I know you can determine the quality of posts without my help. If I had the power, though, I'd be bumpin' this one up a few notches.
Silly me (Score:2)
Now I'm going to spend all night reading flames from people who were smart enough to skip the article.
IM; Fighting over crap? (Score:1)
Also I love the idea of having multiple IMs work under one client. AOL, ICQ, Yahoo, MSN, whatever all workable as plugins to the client program so I only have to know one interface and can communicate to everyone under a single user list. Third, I'd love to be able to store my contact list, history, etc on a server of my choice rather than having to ftp the whole thing from machine to machine every time I need it. Just please spare me the quota idea. This is one reason I continue using ICQ the most, because Yahoo and some others limit the number of people in your contact list. How stupid is that, I am not allowed to know so many people. Well excuuuuuse meee! Arghh but please don't crypt local db files either such as ICQ does, this is causing me huge problems because I need to merge several lists under the same UIN but from different computers into a single list and it is fairly impossible. It's the OS's job to keep unauth'd people from reading my files, if Windows doesn't let Windows users upgrade to Linux as I'll do as soon as I can merge and export my ICQ dbs.
Re:Advertising dollars (Score:1)
This was an MS allegation (Score:1)
Re:How to stop non-authorized clients (Score:1)
Copyrights and trademarks are generally for non-functional protection, while patents are for functional protection.
(I am not a lawyer -- thank god)
> I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement.
Re:ROFL (Score:1)
We don't know that it's a bug yet. We don't know how much MS paid this company to say it's a bug. Mindcraft anyone? As others have mentioned here, all we know is that AOL is sending a longer string than was technically published. Is this a problem? We don't know, it most likely isn't.
> No. That would mean I would be receiving for free, what everyone else has to pay for. As soon as AIM, and GAIM, and TiK (if it still works) cost me a monthly fee, then a company who was allowing me access to that for free (while everyone else paid) would be in the wrong.

AIM is not free. It does cost money to run the service you know. However, instead of charging you, they use advertising to offset the expenses. When the MSN client provides access to the service, AOL loses its ability to pay for the service.

> I didn't say Microsoft. This *isn't* about Microsoft (and I'm curious why everyone thinks it is.. who of you bashed Gaim?), its about a company trying to do for free, what others can do for free (unless the people who developed Gaim are partnered with AOL..?)

Any company has the right to work with anyone they want. If AOL wants to give certain groups the ability to use their service and not give other companies the same ability, that is their choice and right. Local companies in this area do it all the time. For instance, a bakery might provide free products to the local soup kitchen, but not the local restaurant. It is about Microsoft trying to steal something from AOL, that AOL doesn't choose to give.
More about MS and AOL [twistedpair.net]
-Brent
Please explain moderation policies to me (Score:1)
Banned IRC clients (Score:1)
The owners of IRC servers ban abusive people, not programs - they will not ban you because of the IRC client you use.
That's not actually completely true; does anyone remember when Microsoft Comic Chat came out? It dumped all kinds of crap data in band (for the character emotions and so forth), such that it was extremely obnoxious to be in a channel with people using it. Having to put up with "(#WEIFEOU#@5*UR)" or some crap at the beginning of every send phrase got very annoying, very fast. You got 5 or so people in a channel using the client, and it basically killed the conversation for everyone else.
Even worse, in the first few versions, the CTCP implementation was severely broken -- it sent PRIVMSGs instead of NOTICEs for replies, which could have resulted in infinite loops between the two clients trying to respond to each other. (although it generally didn't, as that version of Comic Chat provided no way for a user to send CTCP messages ... thankfully)
However, a lot of people still thought MS CC was really cute. Once they were using the client, they didn't really give a damn if they were dumping crap in channels -- they couldn't see it themselves, so why should they care? It finally got so bad that channel operators began to ban CC users on sight. Things continued to spiral downwards, though, and some IRC networks were compelled to politely (or often not so politely) ask people to stop using the Comic Chat client, "or else".
Today, although the functionality has, I believe, now been folded into the current Microsoft chat product, you won't see it used on normal IRC networks, nor is it a default. We won, but barely. It took a concerted effort on the part of the channel and server administrators to preserve the networks for the rest of us.
I'm not really sure how or if this relates to the AOL/MS IM war, but I just felt like this little bit of history might be relevant somehow.
---
Re:Proof that I'm more hacker than politician (Score:1)
I agree that AOL has a right to keep its protocol proprietary. I also have a right not to use it. This is exactly why I don't use AOL IM.
Re:We reserve the right to refuse service to anyon (Score:1)
Even better than this is trying to access any MS page with the Internet Explorer bundled with NT 4.0 (IE version 2.0 build 1381). It can't load the page at all, instead giving bogus error messages like:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
Netscape, OTOH displays the pages quite reasonably.
--
UCITA looming. (Score:1)
Though I despise both parties in this dispute I have to side with AOL. AOL's servers handle all of the IM traffic and it's not right for M$ to be able to use AOL's servers for free and make money by selling advertising on their client. This is like me getting a copy of Win9X and duplicating the CD and distributing my copies with a copy of a CD-Key generator.
AOL has every right to break M$' client. It's their protocol, they're their servers. M$ is once again acting like a bull in a china store. AOL is the only company with the muscle to fight them off. Imagine AOL office, a platform independent office suite that you get as a part of your internet connection fee.
In today's world David can not fight Goliath. You need another philistine to do the deed.
LK
Old news (Score:1)
Paul
Re:ROFL (Score:1)
Re:Not really a buffer overflow 'exploit'. (Score:1)
Re:Er, where is this overflow exactly? (Score:1)
Contradicts previous discussion on /. (Score:2)
--
Hmm, strange (Score:1)
Not really a buffer overflow 'exploit'. (Score:1)
An exploit would be a discovered bug in the server code that allowed an engineered packet masquerading as the client to obtain privileges or information from the server, or possibly crash or disable it. This, instead, was handled by the server in a graceful manner, but now is actively being checked for in order to allow AOL to shut out MS.
As they talk of an 'intercepting user' or some such, that is something that any IM could be vulnerable to, bug or not..
This goes along with a pet peeve of mine at work. I must hear 'buffer overflow' twice a day. In fact, in addition to the Y2K verification forms I have to sign for in-house software put in production, on some servers I have to sign 'no buffer overflow vulnerabilities' certs as well..
Many VP's and high level managers think that this is the only type of security hole that can exist. They also seem to think that it always exists. Ahh, well.. they also say the network was 'hacked' when a virus shows up from some user with a screen saver from home.
Re:Hmm, strange (Score:1)
Re:Contradicts previous discussion on /. (Score:1)
Re:Old news (Score:1)
Re:Hmm, strange (Score:1)
Re:It's client/server (Score:1)
Since it's usually peer-to-peer, it makes sense that the software would have to know what the IP address is... They have an option to "hide IP" from other people, but only the official client actually does, and even that is easily broken.
You don't really think all those files you transmit through ICQ actually go through the ICQ servers do you? Where would they get THAT much bandwidth?
Re:Proof that I'm more hacker than politician (Score:1)
MSNBC (Score:1)
To continue with the conspiracy theories
Re:ROFL (Score:1)
Forgive my ignorance, but what did Ken Thompson say about Linux?
At any rate, from a technical perspective, Linux still lags considerably behind commercial UNIXes, and even NT. UNIX and NT aren't standing still either.
I'll ignore the NT comment (that holy war isn't worth the time) and simply remind you that Linux is a variety of Unix. There's no such thing as the single Unix anymore.
Re:Hmm, strange (Score:1)
Re:ROFL (Score:1)
It's more Herd than Minux however.
Linux won't crush Windows alone.
Linux makes a very good hacker os and an ok server and in those areas Linux does a better job than 9x and NT. This strikes a blow at the Windows image of an os for "everyone".
Linux just gets the ball rolling.
Solaris, SCO Unix and BSD can attack on the high end server area whereas MacOS and BeOS attack on the multimedia and user friendly area.
OS/2 and SGI can take on Windows in the workstation department.
This leaves Windows with the gamers.
Windows is a decent game os and other oses don't compete in that area.
But when an os is reduced to just playing games its life is over.
Re:ROFL BLIZZARD BEING BLOCKED (Score:1)
Re:We reserve the right to refuse service to anyon (Score:1)
I agree...but I sure hope that you are against the prosecution of MS with this attitude -- otherwise you're a hypocrite.
Have you ever tried to wander around microsoft.com [microsoft.com] with a non-MS browser? It's not very pleasant. But while we may bitch about it, and not think it a very bright move, no one has tried to force them to allow Netscape users access.
Re:How to stop non-authorized clients (Score:1)
Is there a limit on what format the image has to be in? Does it have to be well distributed or documented? Or is there an additional filed trademark on the sequence of bits in the image? If not, anyone could make up a format on the fly that reads some specific data and turns it into a trademarked logo. It seems if there are no limitations, this would be a field day for nuisance lawsuits.
Secondly, it seems if someone were to find out the string of bits with no knowledge that they were a bitmapped image, and prove it (IE: hack at the Gameboy code and figure out what string of bits makes it run games), Nintendo would have a hard time filing a suit that wouldn't get thrown out.
It also seems interesting in that it implies a trademark on a particular chunk of data. Heck, randomly searching the net, after a while, would probably turn up something--a binary, a JPEG, whatever--that contains a 15x15 bitmapped representation of AOL's logo. Does this mean that, if some AOL wonk was feeling nasty, they could file an infringement suit on some poor shmuck or demand he take down some image because of this? Or, God forbid, another annoyance tactic in the Scientologist's lawyer attacks?
I am in no way familiar with trademark laws, so I am genuinely curious about this...
Re:Please explain moderation policies to me (Score:1)
You can tell automatic moderation because there'll usually (always?) be no tag on it. "(Score:2)" rather than "(Score:2, Informative)" or whatever.
Thats why I use ICQ (Score:1)
To me we should create an instant messaging protocol that would be secure (if I didn't give permission to someone then someone can't have access to my status), distributed (why have only one server?), open source, multi-platform (this should be usable for Mac, Windows and all other OSes' users too).
I think that it's rather easy to create it using existent protocols, HTTP for files and messages and irc for chat.
Is there something like this being developed?
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"
Re:OSCAR != TOC (Score:1)
i can not see for any reason why people want aol to give out all of its services for free, and why ms is having a hissy fit about tiny little glitches, while ms has many of its own glitches.
in addendum, i say aim is a good
finale
fini
peace out.
Re:Not really a buffer overflow 'exploit'. (Score:1)
Re:Contradicts previous discussion on /. (Score:1)
Re:Contradicts previous discussion on /. (Score:1)
Not really because the Microsoft guy was and still is wrong. This isn't the typical buffer overflow exploit at all. It seems like AOL is using those extra 24 or so bits as a kind of checksum or key to their servers. In other words if you don't have the key to the door (like Microsoft doesn't), you don't get in. This really doesn't fit the description of the typical buffer overflow exploit does it?
Besides loser in case you've forgotten, Microsoft and the users of the Microsoft software are trespassing on AOL property (the AOL servers). AOL has told Microsoft to get lost. Therefore AOL has every right to ban the use of the Microsoft software on *AOL*'s servers, just like the owners of the IRC servers can and have banned people from accessing their networks. You idiotic Microsoft supporters had better realize the fact that you don't have a damned right to access *ANYTHING* that doesn't belong to you. In other words grow the fucking hell up.
question (Score:1)
Re:Er, where is this overflow exactly? (Score:1)
Re:Proof that I'm more hacker than politician (Score:1)
AOL absolutely has the right to keep their protocol proprietary, and in fact I think that MS's use of AOL's servers via OSCAR is tantamount to theft of services.
However, at a time when Bill Gates is called the antichrist just because he wants to keep some of his IP to himself, we need to apply the same standards of morality to everyone. AOL could have kept their email system proprietary, too, (way back in, what, 1991?), but to do so would have been a disservice to their customers as well as the rest of the Internet. If there was ever a situation calling for a little good will on the part of AOL, this is it.
But coming from a guy who always rooted for the Empire just because their Star Destroyers were so cool, I still think this buffer overflow gimmick is genius.
a week late (Score:1)
Posted to web site on Sunday, after posting to
We reserve the right to refuse service to anyone. (Score:1)
Remember, companies rarely do anything to be nice, but rather to make money.
And AOL has the right to do anything they want with their servers... They own them! It's like the signs in restaurants: "We reserve the right to refuse service to anyone."
OSCAR != TOC (Score:1)
--
Re:ROFL (Score:1)
> a monthly fee, then a company who was allowing me access to that for free (while everyone else paid) would be in the wrong.
> I didn't say Microsoft. This *isn't* about Microsoft (and I'm curious why everyone thinks it is.. who of you bashed Gaim?)
Actually this IS about Microsoft. The difference is that GAIM, TiK etc are all based on an open protocol released by AOL for public use called TOC, along with special TOC servers that make the connection to the actual AIM servers. Think of the TOC servers as a firewall router setup to protect the AIM servers by allowing only limited but functional access.
Microsoft isn't using the TOC protocol or servers in their client. Instead they reverse engineered the OSCAR protocol which was never published and reserved strictly for AOL Instant Messenger. By doing this MS is bypassing the TOC server/firewall setup and accessing the AIM servers directly as if they are AIM clients.
In this regard MS is illegally cracking into the AIM servers against AOL's wishes and bypassing their security. btw the TOC servers and protocols do not require you to have an AOL account as they are open to anyone.
Not a contradiction (Score:1)
In his message, he asserted that America Online is using a programming error that has created a security flaw -- one not found in Microsoft's clone program -- to detect the Microsoft Messenger program.
How to stop non-authorized clients (Score:2)
This method works, and has legally been tested, as this is the method Gameboy uses to keep non-licensed developers from writing Gameboy games. If a game doesn't have the gameboy trademarked logo at the beginning of its ROM, the Gameboy refuses to play it.
Re:question (Score:1)
Even peer-to-peer messengers have problems. One of which is that this removes anonymity; what happens with lots of protocols like IRC is that cr/hackers nuke/flood other people's IP address. Not to mention the problem of when both sides are behind firewalls/proxies, and thus cannot create a direct connection between each other.
try Perl!. (Score:1)
might as well have been me.
Re:Old news (Score:1)
Re:Hmm, strange (Score:1)
Re:Hmm, strange (Score:2)
But TiK and GAIM users should be thankful that Microsoft went to the trouble of reverse-engineering OSCAR instead of just using TOC, because if they had, I'm sure TOC would be gone by now.