AOL AIM Instant Messenger Buddy Icon "ateimg32.dll" DoS
Release Date: June 6, 2005
Date Reported: June 6, 2005
Severity: Medium? (if you can exploit it, email me. ;-])
Vendor: AOL
Systems Affected:
AIM 5.9.3797 for Windows 98/ME/2K/XP (5.96 MB) and all prior versions.
Affected Platforms:
# Windows
Overview:
A denial of service (its on the heap) vulnerability exists within the AOL AIM instant messenger. Here is a description of AIM from the vendor:
"Enjoy the convenience of using your AIM screen name as your e-mail address-and take advantage of new and improved features, like: ΓΆΒΆ Spam and Anti-Virus Protection: Industry-leading security tools help keep your mailbox free of annoying junk mail and harmful viruses."
Security? Anti-Virus? nice... ;-]
Technical Details:
The vulnerability exists within the GIF parser in "ateimg32.dll". Below are the details regarding this flaw:
The vulnerable exists within the GIF parser. You can see at the adress 12081BDB, they set ebx with an argument supplied in the last arugment:
.text:12081BDB mov ebx, [esp+arg_C]
.text:12081BDF test ebx, ebx
.text:12081BE1 jbe short loc_12081C1A
.text:12081BE3 mov ecx, [esp+arg_8]
.text:12081BE7 push esi
.text:12081BE8 push edi
.text:12081BE9 mov edi, [esp+8+arg_4]
Here is what the function declaration would look like:
unk_func(
struct aim_1 *arg_0,
struct aim *arg_4,
char *dest_buff,
int obj_cnt)
{
The last argument is a count. This routine appears to copy each entry out until is done. Each iteration fo the loop obj_cnt is subtracted by one. At 12081C13 you can see the dec ebx:
.text:12081C13 dec ebx
.text:12081C14 mov ecx, esi
.text:12081C16 jnz short loc_12081BED
.text:12081C18 pop edi
.text:12081C19 pop esi
This is basiclly a obj_cnt--; then you see the jnz. This means that the counter isnt zero, then it jumps back up and does it again. Which would kind of look like this:
while(1)
{ ...
memcpy(...);
...
obj_cnt--; //decrement counter
if(!obj_cnt) //equal to zero
break; //leave loop
}
Now if the obj_cnt argument is zero, is when we have the problem. When you subtract 1 from 0 you get -1. ;-] So, if im correct -1 is really 0xFFFFFFFF. So it only can can set 0-1=0xFFFFFFFF chunk, where per chunk is only 30 bytes. ;-(
If you want to crash a remote host which is runnin the AIM client, use the following .gif file as your buddy icon in Trillian and message a friend which is using the AIM client:
http://security-protocols.com/poc/aim-DoS-.gif
Or, you can reproduce this problem just by using this buddy icon in AIM locally.
Vendor Status:
Im sure they will be releasing a patch very shortly.
Credit:
Tom Ferris
Greetings: chico the dog, connie, acidjazz, , hugo the puto, jim beam, mike, flashsky, regulate, 011ie, mike in .mx, riley, modify, dmuz (call it a truce?), ae, marc, and the rest of the eEye family.
Copyright (c) 2006 Security-Protocols, LLC
Spread the word:
