Date: Mon, 23 Aug 1999 14:36:48 -0400
Reply-To: "Richard M. Smith" <smiths@TIAC.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Richard M. Smith" <smiths@TIAC.NET>
Subject: Update on the AOL buffer overflow exploit
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
I wanted to give an update on the buffer overflow error in
the AOL Instant Messenger client software that Robert Graham
reported to BugTraq last week. Apparently AOL is using this
buffer overflow error to determine if someone is running the
AOL client software versus the Microsoft MSN
Messenger client software. MSN Messenger users are then
refused service on the AOL system.

The buffer error is used as follows. During the AIM logon sequence, the AOL servers now send down a packet to a client machine with about 40 bytes of x86 code in it. This code gets executed by the client because the packet also exercises the buffer overflow bug. The downloaded code causes the client to send back a secret response to the AOL servers. If the servers don't see this response, they then bounce the user under the assumption the client software must be MSN Messenger.

It only took Microsoft a few days to see what was going on and they have updated the MSN Messenger client software to recognize the special packet and response in the same manner as the AOL client. However, MSN isn't using a buffer overflow error to make this happen.

Presumably with this buffer overflow error, AOL can download new x86 code in the future which generates different responses from the client. In this way, they can constantly stay a few days ahead of Microsoft in this game of "spy-vs-spy".

Geoff Chappell has done a detailed analysis of the AIM IM code and has located the actual bug. His write-up on the bug can be found at these two URLs:

http://www.ozemail.com.au/~geoffch/security/aim/
http://www.ozemail.com.au/~geoffch/security/aim/preliminary.htm

He also provides details on how the special AOL packet is executed by this buffer overflow error.

On the AOL side of things, they continue to publicly deny anything is amiss here. In press articles they either claim there is no buffer overflow error in the client software or that they are not doing anything to compromise the security of their AIM customers.

I respectfully disagree. Buffer overflow exploits are very difficult to get right and small slip-ups can cause computers to crash. If AOL continues to play this game, they risk crashing customers' PCs on a large scale down the road as they change the code which is executed by the client. It also makes me personally very queasy to know that there is network software on my computer that allows outsiders to silently download and run code. Buffer overflow errors should be fixed, not used! (As an aside, does anyone know of a previous case in which a computer vendor ever used a buffer overflow before? AOL's actions here might be a first.)

On the Microsoft side of things there is a bit of news also. This AOL buffer overflow story began two weeks ago when I received a message from a person claiming to be "Phil Bucking" from "Bucking Consulting". The message was sent via Yahoo Email and detailed what AOL was up to. "Phil" claimed he found out what is going on because he is also writing an IM client. What "Phil" didn't realize is that Yahoo puts the originating IP address in the message headers. The IP address in his message traced back to an HTTP proxy server at Microsoft. This implied that the message came from inside of Microsoft. According to an article in InfoWorld on Friday, Microsoft has acknowledged that "Phil" is actually a Microsoft employee.

Moral of the story: Don't use Web-based Email systems like Yahoo and Hotmail for anonymous Email!

I am continuing to look at this issue myself. My AOL screen name is "buffover" if anyone wants to add me to their buddy list. :-) I also very much would like to talk to a technical person at AOL about the exploit to hear their side of the story.

Richard M. Smith
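
The header tracing mentioned in the message above can be reproduced with a short parser. This is an added example, not part of the original post: the sample message is constructed, its addresses come from the RFC 5737 documentation ranges, and the "via HTTP" Received form is an assumption about how a webmail front end records the submitting client.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not the one described in the post).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with SMTP; Mon, 9 Aug 1999 10:00:05 -0400
Received: from [203.0.113.25] by web.example.net via HTTP;
\tMon, 9 Aug 1999 10:00:01 -0400
From: "Sender" <sender@example.net>
To: recipient@example.org
Subject: constructed sample

body
"""

# Bracketed dotted quads, the usual way an MTA records a peer address.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return one dict per Received header, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        ips = []
        for cand in IP_RE.findall(text):
            try:
                ips.append(str(ipaddress.ip_address(cand)))
            except ValueError:
                pass  # looked like an address but is not a valid one
        hops.append({"ips": ips, "via_http": " via HTTP" in text, "raw": text})
    return hops


def submitting_client(raw):
    """IP the webmail front end recorded for the HTTP submission, if any."""
    for hop in reversed(received_hops(raw)):  # walk from the oldest hop
        if hop["via_http"] and hop["ips"]:
            return hop["ips"][0]
    return None
```

Only Received lines added by servers the recipient trusts are reliable, since anything below them can be forged by the sender; as in the message above, the recorded address may also be a proxy rather than the author's own machine.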
