Buffer Overflows





Message-ID: <003201beed96$76503d80$a78103c7@rms>
Date:         Mon, 23 Aug 1999 14:36:48 -0400
Reply-To: "Richard M. Smith" <smiths@TIAC.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Richard M. Smith" <smiths@TIAC.NET>
Subject:      Update on the AOL buffer overflow exploit
To: BUGTRAQ@SECURITYFOCUS.COM





Hello,



I wanted to give an update on the buffer overflow error in
the AOL Instant Messenger client software that Robert Graham
reported to BugTraq last week.  Apparently AOL is using this
buffer overflow error to determine if someone is running the
AOL client software versus the Microsoft MSN
Messenger client software.  MSN Messenger users are then
refused service on the AOL system.














The buffer error is used as follows.  During the AIM logon sequence, the
AOL servers now send down a packet to a client machine
with about 40 bytes of x86 code in it.  This code gets executed
by the client because the packet also exercises the buffer overflow
bug.  The downloaded code causes the client to send back a secret response
to the AOL servers.  If the servers don't see this response, they
then bounce the user under the assumption the client software
must be MSN Messenger.



It only took Microsoft a few days to see what was
going on and they have updated the MSN Messenger client
software to recognize the special packet and response in
the same manner as the AOL client.  However, MSN isn't using
a buffer overflow error to make this happen.



Presumably with this buffer overflow error, AOL can download
new x86 code in the future which generates different responses
from the client.  In this way, they can constantly stay a few days ahead
of Microsoft in this game of "spy-vs-spy".





Geoff Chappell has done a detailed analysis of the AIM IM code
and has located the actual bug.  His write-up on the bug can be found
at these two URLs:



   http://www.ozemail.com.au/~geoffch/security/aim/
   http://www.ozemail.com.au/~geoffch/security/aim/preliminary.htm



He also provides details on how the special AOL packet is executed
by this buffer overflow error.









On the AOL side of things, they continue to publicly deny anything
is amiss here.  In press articles they either claim there is no buffer
overflow error in the client software or that they are not doing
anything to compromise the security of their AIM customers.



I respectfully disagree.  Buffer overflow exploits are very
difficult to get right and small slip-ups can cause computers
to crash.  If AOL continues to play this game, they risk
crashing customers' PCs on a large scale down the road
as they change the code which is executed by the client.



It also makes me personally very queasy to know that
there is network software on my computer that allows outsiders
to silently download and run code.  Buffer overflow errors should
be fixed, not used!



(As an aside, does anyone know of a previous case in
which a computer vendor ever used a buffer overflow before?
AOL's actions here might be a first.)



On the Microsoft side of things there is a bit of news also.
This AOL buffer overflow story began two weeks
ago when I received a message from a person claiming
to be "Phil Bucking" from "Bucking Consulting".  The
message was sent via Yahoo Email and detailed what
AOL was up to.  "Phil" claimed he found out what is
going on because he is also writing an IM client.  What "Phil" didn't
realize is that Yahoo puts the originating IP address
in the message headers.  The IP address in his message
traced back to an HTTP proxy server at Microsoft.  This
implied that the message came from inside of Microsoft.
According to an article in InfoWorld on Friday,
Microsoft has acknowledged that "Phil" is actually a Microsoft
employee.  Moral of the story: Don't use Web-based Email
systems like Yahoo and Hotmail for anonymous Email!



I am continuing to look at this issue myself.  My AOL screen name
is "buffover" if anyone wants to add me to their
buddy list. :-)



I also very much would like to talk to a technical person at
AOL about the exploit to hear their side of the story.



Richard M. Smith
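
An added example, not part of the original post and not AOL's or Microsoft's code: the fix the post calls for, shown as a client-side parser that checks a server-declared length before copying into a fixed buffer. The post gives neither the packet layout nor the location of the bug, so the type/length/value format, `FIELD_MAX`, `MAX_FIELDS` and every name below are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX  32   /* assumed size of the client's fixed buffer */
#define MAX_FIELDS 8    /* assumed cap on fields per packet */
enum { ERR_TRUNCATED = -1, ERR_OVERSIZE = -2, ERR_TOO_MANY = -3 };
struct field { uint16_t type, len; uint8_t data[FIELD_MAX]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a hypothetical packet of fields (2-byte type, 2-byte big-endian
 * length, value). Returns the field count or a negative error. The unsafe
 * pattern is memcpy(dst, value, len) with len taken straight off the wire. */
int parse_packet(const uint8_t *pkt, size_t n, struct field out[MAX_FIELDS])
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 4) return ERR_TRUNCATED;           /* no room for a header */
        uint16_t type = rd16(pkt + off), len = rd16(pkt + off + 2);
        off += 4;
        if ((size_t)len > n - off) return ERR_TRUNCATED; /* claims more than was sent */
        if (len > FIELD_MAX) return ERR_OVERSIZE;        /* would overrun data[] */
        if (count == MAX_FIELDS) return ERR_TOO_MANY;
        out[count].type = type;
        out[count].len = len;
        memcpy(out[count].data, pkt + off, len);         /* len <= FIELD_MAX here */
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample: a one-field packet whose header declares `declared`
 * value bytes while only `carried` zero bytes (at most 128) follow it. */
int demo(uint16_t declared, size_t carried)
{
    uint8_t pkt[4 + 128] = { 0, 1, (uint8_t)(declared >> 8), (uint8_t)declared };
    struct field f[MAX_FIELDS];
    if (carried > 128) carried = 128;
    return parse_packet(pkt, 4 + carried, f);
}

int main(void)
{
    printf("ok=%d oversize=%d truncated=%d\n", demo(16, 16), demo(72, 72), demo(16, 2));
    return 0;
}
```

A client built this way drops the whole packet on any negative return instead of processing the fields it has already copied.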






