fbi-aim-dos.txt
Posted Jun 21, 2000
Authored by Decss | Site home.cyberarmy.com

AOL Instant Messenger remote DoS exploit. Sending certain filenames to another user causes the remote AIM to crash. Only effective against Windows 2000 Professional; 95/98/98se are safe.

tags | exploit, remote
systems | windows
SHA-256 | 1cad1df77589869a5e59031994e58a15998dede13c76de3e4519117b8416a393

FROM THE OFFICES OF:
FooBar Intelligence

AOL Instant Messenger DoS (Denial of Service) exploit.

***********************************************
*Website: *
* http://home.cyberarmy.com/fbi/ *
* soon to be http://www.foobarintel.com *
*Email: *
* decss@home.com *
*Phone: *
* 410-399-4172 *
***********************************************
This file is for educational purposes only; we simply wish to inform the community about an issue in AOL
Instant Messenger. This file is not to be used for any malicious purposes.

Credits:
Slog403 - Initial Discovery, text work.
Graphix - Most of the testing, text work.


Tested:
AIM 4.0 Latest Build as of 6/16/00 (4.0.1957)
AIM 4.0.1904


Exploit:
The exploit crashes AIM, but ONLY in Windows 2000 Professional (we assume it also affects the other Win2k variants).
Win95/98/98SE are safe. We did not even bother with Win3.1x.

The bug in the program comes about when one user (we will call the user Foo for now) attempts to send a file to
another user (which we will refer to as Bar). When Foo tries to send the file to Bar, Bar's AIM crashes. Bar does not
even see any indication that Foo has attempted to send a file, or that anyone has attempted to send a file for that matter.


Cause:
This has something to do with the file name %20a%5fa%20a%20a%20Ca%5fa%27s.mp3. We tried changing the name to
%20a%5fa%20a%20a%20Ca%5fa%20s.mp3, thinking the %27 was the cause of the crash; this is not the case. We thought that maybe %20C causes the crash, or possibly the uppercase C causes some oddity; these also proved not to be it. Simply the amount of HTML in the file name may cause this, resulting in the crippling of AIM. Still not sure. AIM is not open source, so we cannot dive into it there. Hopefully AOL will release the source code soon and we'll be able to hunt down the bug. Interestingly enough, though, by taking off one of the 20s, so that the file is now called %20a%5fa%20a%20a%20Ca%5fa%.mp3, it doesn't crash.

That takes the %20 count down from 5 to 4. We tried 5 straight %20's, then 4; that didn't work. We then proceeded to strip the file name of ALL letters and left only %20%5%20%20%20%5%20.mp3. Result: no crash. The AIM interpretation of these characters is listed below, along with the error messages and the combinations that we have tried. This does not happen only with the mp3 file format. We have also tested this with the txt file format, yielding results identical to those of the mp3s.

Crash & No Crash:
%20a%5fa%20a%20a%20Ca%5fa%27s.mp3    Crashes
%20a%5fa%20a%20a%20Ca%5fa%20s.mp3    Crashes
%20a%5fa%20a%20a%20ca%5fa%20s.mp3    Crashes
%20a%5fa%20a%20a%20ca%5fa.mp3        Doesn't Crash
%20a%5fa%20a%20a%20ca%5fa%.mp3       Doesn't Crash
%20%20%20%20.mp3                     Doesn't Crash
%20%20%20%20%20.mp3                  Doesn't Crash
%20%5%20%20%20%5%20.mp3              Doesn't Crash
%20%5%20%20%20%5%27.mp3              Doesn't Crash
%20a%5fa%20a%5fa.mp3                 Doesn't Crash


The Error Messages:
Windows:
The instruction at "0x77e36c39" referenced memory at "0x00000004". The memory could not be "read".
MSVC++ 6.0 Debug:
Unhandeled exception in aim.exe (USER32.DLL): 0xC0000005:Access Violation.
AIM interprets:
%20a%5fa%20a%20a%20Ca%5fa%27s%20a%20a%20a%27%20a%20a%2d%5f05
as
afaaa ?afa aaa%20aa15008672f05.mp3


In The End:
We believe the cause of this bug/DoS is the length of the file name, combined with the added structure of the HTML. We will continue to research this to track down the exact bug. We hope that AOL and their development team realize the severity of this issue, and we look forward to working with them to resolve this issue. We also hope that they realize the benefit that a GPL/GNU type license would have in this situation. A whole community of people would be able to hunt down the problem here, resulting in a better product for all, if it were under this type of license.
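
Added example (not part of the original advisory, and not AIM code): the advisory does not identify the root cause, so this only shows how a receiving client can treat an offered file name as untrusted input by decoding the %XX escapes into a bounded buffer and failing closed on malformed escapes such as the %5% and trailing % forms tested above. The function name, status codes and the MAX_NAME cap are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME 64  /* assumed cap on a decoded transfer file name */

enum name_status { NAME_OK = 0, NAME_BAD_ESCAPE, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Value of one hex digit, or -1 if c is not a hex digit (including NUL). */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in an offered file name into out[out_size].
 * Fails closed: out is always NUL-terminated and is emptied on any error,
 * so the caller never receives a partial name or a NULL pointer. */
enum name_status decode_offered_name(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    enum name_status st = NAME_OK;

    if (out == NULL || out_size == 0) return NAME_TOO_LONG;
    out[0] = '\0';
    if (in == NULL) return NAME_BAD_ESCAPE;

    while (*in != '\0' && st == NAME_OK) {
        unsigned char c = (unsigned char)*in++;
        if (c == '%') {
            /* Both digits must be hex; in[1] is read only if in[0] is valid. */
            int hi = hexval((unsigned char)in[0]);
            int lo = (hi >= 0) ? hexval((unsigned char)in[1]) : -1;
            if (lo < 0) { st = NAME_BAD_ESCAPE; break; }
            c = (unsigned char)(hi * 16 + lo);
            in += 2;
        }
        if (c < 0x20 || c == 0x7f || c == '/' || c == '\\' || c == ':')
            st = NAME_BAD_CHAR;      /* control bytes and path separators */
        else if (n + 1 >= out_size)
            st = NAME_TOO_LONG;      /* reject instead of truncating */
        else
            out[n++] = (char)c;
    }
    out[n] = '\0';
    if (st != NAME_OK) out[0] = '\0';
    return st;
}
```

A caller would reject the transfer offer on any status other than NAME_OK before the name reaches window or dialog code.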


AOL and AOL Instant Messenger are trademarks of America Online Inc.

(C) Copyright 2000 FooBar Intelligence Inc., All Rights Reserved.