AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

How to protect yourself

[Mwongozi (176765)]

For those who didn't bother to read the article:

We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz [ssnbc.com]) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."

Re:How to protect yourself

[bendawg (72695)]

Also, if you're just lazy, you can just wait.

UPDATE: AOL will be fixing this in the server side within a day or two.

Re:How to NOT protect yourself

[alexz (45202)]

AIM Filter being the program that, if not a trojan, at least has various remote access abilities.

See the bugtraq archive [securityfocus.com] for more information.

Amusing that its use is recommended in the security advisory.

You have mail!

[Monte (48723)]

...and now everyone has your mail!

Re:Why not wait a day?

[Monte (48723)]

Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.

Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

Re:Why not wait a day?

[ez76 (322080)]

Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking? Consider the following off-line scenarios, which to me seem equivalent (someone correct my thinking):

• A test mode is discovered in a popular residential/commercial building security system whereby anyone can enter such a building by punching in a certain 23-digit code into the alarm keypad. w00w00 drives around town and posts a picture of the affected keypads and the first 21 digits of the code.
  
• Certain model year GM vehicles' security systems can be foiled by holding down multiple chiclet keys at once and inserting a metal object into the driver's side door keyhole. w00w00 cruises local mall parking lots, opening the doors of random vehicles, putting a bulletin about the problem on the driver's seat, closing the door, and fleeing.
  
• A template and generating function for test AT&T calling card numbers is discovered that permits anyone with the two to make free calls. w00w00 publishes the information.
  

All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.

These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?

There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.

Re:Why not wait a day?

[YaRness (237159)]

it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.

additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.

just the old regulated security VS. freedom debate.

Re:Why not wait a day?

[Monte (48723)]

Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking?

I'd like to start by stating that I don't condone w00w00's (gad what a name) actions, I was simply offering a possible answer to a question (which, for some reason, got modded up all to hell. I guess the SlashThink mindset agrees with all that appears to screw corporations).

Now, in an attempt to answer your question - I think this sort of thing is defnitely a free speech issue, and I think in some cases it's justified.

Let's take your example of a GM exploit - if I discovered such a thing and called GM about it (even if I were a registered/certified GM mechanic) - how many layers of corporate denial, obfuscation and red tape do you think I'd encounter? After all, a recall to fix the problem is going to cost some green, and I'm just some schmuck mechanic. So how long do you think it would take GM to fix the problem, versus the amount of time that someone who liked stealing cars figured it out?

If instead of calling GM I phoned the local TV stations and demonstrated the problems - do you think that would speed up a GM recall? I sure do.

Does this hurt the corporation? Yes. But then it was the corporation that created the exploit, or failed to close it. You reap what you sow.

And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term?

The same could be said about an internet article that explains how to pick locks. Should such sites be shut down, in the name of the public interest?

Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.

Which is the greater endangerment: the discription of an exploit, or the exploit's existance?

Re:Why not wait a day?

[geekoid (135745)]

when the industry has a history of ignoring security breachs, or trying to hush them up, it become nessessary to take such actions to protect the people.

Ebarrassment, Blood, and Guilt

[_Sprocket_ (42527)]

Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking?

Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.

Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.

Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).

Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.

All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.

So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.

And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.

There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.

And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.

Re:Why not wait a day?

[GTRacer (234395)]

Maybe what they meant was:

If we had tried to co-operate with AOL they would have tried to quash all public disclosure (including sploits). Therefore, we are disclosing now and expect them to run around like deranged monkeys trying to figure things out. Thank you and good day.

Or maybe they just hate AOL like I do and want to make them squirm...

GTRacer
- No AOL on my IP-enabled PS2, THX!

Re:Why not wait a day?

[GTRacer (234395)]

Actually, I don't hate Microsoft products, just their practices and abhorrent licensing shenanigans. In fact, I use WinNT, Outlook, IE 5.5 and the rest of the Office 97 suite alongside Gimp, Apache, Perl, NMap, and WGet.

I am not an OSS zealot although I do dual-boot Mandrake.

I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.

I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.

GTRacer
- Equal-opportunity company basher!

Info on AIM protocol

[btellier (126120)]

Since we all know the holes won't stop here, anyone who wishes to further investigate problems can start their research here [aol-files.com] and here [aol-files.com].

Re:Info on AIM protocol

[ichimunki (194887)]

Well, you can research the protocol all you want, but it is the client application that is the problem here. Now maybe the protocol makes security an issue when used correctly, but still it is up to the client developer to introduce the feature in a non-safe way.

not any machine

[hyperstation (185147)]

...only windows machines. get your facts straight.

This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.

Most of the writeup bashes the DMCA

[Bonker (243350)]

The guy spends most of his time bashing the DMCA and how hard it makes to offer patches to this sort of thing without AOL's permission:

From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.

Better Link

[XBL (305578)]

http://www.w00w00.org/advisories/aim.html [w00w00.org] is a better link.

Hey, if you guys want open-source IM, check out http://www.jabber.org [jabber.org] The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?

Re:Better Link

[XBL (305578)]

I think the MSN and Yahoo transports on the Jabber.org server has been working reliably for some time.

For ICQ and AIM, you can probably find some lesser-used Jabber servers with the transports active, and not blocked. JabberView.com has a small list of other servers.

Me, I just use my Jabber.org account, but cross-link to transports on other servers that actually work.

Of course, you can run your own server and transports. Heck, you could even do it on your own box if you want to. Just run icq.localhost and aim.localhost along with jabberd localhost, but still use your user@jabber.org or whatever as your main Jabber account. It's easy to do.

Yet another reason

[the_rev_matt (239420)]

I stopped using ICQ years ago because it was so script-kiddie friendly and AIM not long after. I'm quite happy using Jabber [jabber.org] with a gateway to Yahoo Messenger, thankyouverymuch.

Abstract Error

[strider( corinth ) (246023)]

The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.

AIM will always be a problem

[I_redwolf (51890)]

ALWAYS, if the protocol isn't openly documented and severely tested over a communications line for security it is insecure.

I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)

If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.

Re:AIM will always be a problem

[ZxCv (6138)]

Um, the protocol has nothing to do with this security issue. The security issue is in the Windows client implementation of this protocol. For another thing, the AIM protocol IS completely documented by AOL-- at least to the point where you can create a basic AIM clone using just that documentation.

Once again, the problem is in the Windows client and not the protocol, and the protocol is openly documented. Get your facts straight next time.

Now they need a sound to go with their IM

[A_Non_Moose (413034)]

How about the "you got mail" dude do one that says "j00 g0t 0wN3D"!

One of Many Instant Messenger Exploits (MIME for short), I'm sure.

{if you are going to assinate a Mime, would you use a silencer?}

Bug in the implementation, not the protocol

[noc (97855)]

The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol.

The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.

Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...

It couldn't be...

[iiii (541004)]

It couldn't be, because
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.

From this site. [aol.com]

Trillian

[svwolfpack (411870)]

I've recently started using trillian (www.trillian.cc [trillian.cc]) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.

Re:Trillian

[m3000 (46427)]

I second that recommendation. Unfortunatly there is no Linux client yet, but whenever I'm in Windows it's THE best instant messanging program. And it finally support file transfers, the one thing it used to be missing. Plus it looks really cool, with many skins to choose from, and it lets you alias your buddy contacts, my main gripe about the official AIM client. It's well worth the download.

Re:Trillian

[Daniel (1678)]

Well, there's always Everybuddy [everybuddy.com], which I used for a while. I never used the non-AIM services much though, so these days I've reverted to Gaim [sourceforge.net]. It has support for ICQ and other protocols (MSN, Jabber, IRC, Zephyr, ..?), but I've never tried it myself.

Daniel

Re:Trillian

[infiniti99 (219973)]

Trillian is a very nice idea, and solves the problem immediately. Unfortunately, it is not a long-term solution. Trillian is still at the mercy of the "big 4" (AIM/ICQ/MSN/Yahoo), and encourages the continuing use of these closed services.

Remember the old days of the internet? How you couldn't send an e-mail from Prodigy to AOL because they were separate networks? That's what we have here, but in IM form. The solution was not to build some all-in-one Compuserve-Prodigy-AOL-bloat app, but rather to just decide upon an open email protocol. Trillian is the all-in-one approach.

I recommend switching to Jabber. It will allow you to communicate with other IM services through serverside transport modules. Use transports as a transition, to communicate with people who have not yet switched to Jabber. The ultimate goal, however, should be to ditch the transports entirely.

Most importantly, Jabber is its own open and distributed IM system, so you will always be able to chat no matter what the "big 4" do. Isn't it comforting to know that?

If you don't care about promoting an open system, or don't see the problem with closed IM systems, then Trillian may be just the program for you. But remember it is not trying to solve the greater problem.

Re:Trillian

[Quarters (18322)]

Jabber is great except for four very pesky problems:

1) You have to connect to a Jabber server
2) You have to find a Jabber server that is running all of the message protocols you want/need
3) Most servers are run by regular people, and they're not always on when you want/need them.
4) Your buddy list is stored server side, so you can not easily move to another server. If your sever goes down you'll have to recreate your entire buddly list on a new server if you want access.

Trillian, on the other hand, connects to the chat providers native servers and uses XML as a translation mechanism on the client side. The chances of Yahoo's chat server, AOL's chat server, ICQ's servers, or MSN's chat servers going down is very very slim. I used to use Jabber but gave up in frustration when the server I used disappeared for over a week.

Gaim and TOC

[Saint Nobody (21391)]

well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.

as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.

<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>

Heh... first hack...

[tcc (140386)]

Change that annoying incomming Email .wav file...

"You've got nailed"

Best PR Spin

[VivianC (206472)]

This has got the best PR response I've ever seen to one of these holes:

From the Washington Post Story [washingtonpost.com]

A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...

w00w00?

[fobbman (131816)]

"The non-profit security team w00w00.org..."

Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?

More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?

"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."

Check out this quote...

[VValdo (10446)]

from USAToday [usatoday.com]:

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."

Hmm. Anyone else sense a little hostility from the for-profit [trusecure.com] security industry...?

Re:Ouch...

[madenosine (199677)]

From the website:

"this does not affect the non-Windows versions"

Re:Ouch...

[Hiro Antagonist (310179)]

Had you read the article, you would know the answer to this is "no":

This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the feature that this vulnerability occurs in.

(Taken from the article).

Re:Ok...

[neema (170845)]

This is under the mindset that the people who read this will actually be using the exploit, rather then defending themselves from it, which is how I read it. As a user on AIM, I find it very helpful that it was released so that in the one or two days it takes to patch this, I don't get fucked over.

Re:Warnings

[Havokmon (89874)]

One of ICQ's was a login buffer overflow. Basically if you used licq or a NON-Mirabilis version, you could login as anyone just by using a password longer than 15 chars (IIRC).

Ok so I used it once to send two of my coworkers homo "I like to watch your ass" emails from each other...

Re:Irresponsible!

[GigsVT (208848)]

They did wait, AOL ignored them.

We contacted the AOL Instant Messenger group but never received a
response. Normally we would be inclined to provide a fix, but it is
illegal to reverse engineer the AIM executable (DMCA and AIM's license
agreement to thank), so we are unable to provide a patch which will
modify it. Instead, we recommend Robbie Saunder's AIM Filter
(http://www.ssnbc.com/wiz/) to protect yourselves.

Please get the full story before you post shit.