Re: Cross Platform remote IM vulnerability / DOS

To: "Danslo@xxxxxxxxx" <Danslo@xxxxxxxxx>
Subject: Re: Cross Platform remote IM vulnerability / DOS
From: "Gavin Hanover" <netmunky@xxxxxxxxx>
Date: Fri, 17 Aug 2007 13:15:15 -0700
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pscXrZc5or6ubCKojONGzVit+u//tsIwKbIHSOlGePFO3usaL0vossBnp+CLE1rI7PjnOo5pzWuFpZZRFxdaWevQBIEwpczfJ7n9N/pr/96NKOTlAq1SkRrlA1R0445UjpJYzZTJA1mlsujGEOy7Tzw1J+hIT/+WUXRi16sscfc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nvPAJzsdD7uCax1P4RjrVvxqEoQCVNhmxBXsTcu/PHif1W7g2lW5Jf/BMja6OeFQJe1ZJSeF0mJ+mU1YWcwIpfWGsdu1jUoECTXVPl9K1YDqAMkGrEQ476EH8azMEfvxtDIe+fj5yPUK33KZQL2/lZ5HmTzNuDCqNPaHn6tjfUc=
In-reply-to: <20070817190427.8835.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070817190427.8835.qmail@xxxxxxxxxxxxxxxxx>

it's not sending back the same string at all. one starts with AAIC,
the other starts with AAIK and continues to be different.

it looks like it is simply using OTR plugin (available in both Adium and pidgin)
http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

On 17 Aug 2007 19:04:27 -0000, Danslo@xxxxxxxxx <Danslo@xxxxxxxxx> wrote:
> Forewarning, this has not been thoroughly tested, but it has been tested on 
> pidgin on several windows distros and on mac os X running Adium client. The 
> mac Adium client doesnt freeze up but is still vulnerable to the string and 
> repeats it back without the user seeing it occurring. Been very busy the last 
> few years and dont have time to followup or test this further, glad the list 
> still exist, apologies for the incompleteness. Use at your own risk, and 
> please don't use to pester others!
>
>
> There is a string of characters which when entered into an AIM conversation 
> window with another user will cause that user to repeat the same string of 
> characters back to you, at the least this could be used to eat up bandwidth. 
> The interesting thing about it is that when you send the instant message 
> containing the string the other party doesnt see that or their reply back to 
> you containing the same string, its totally invisible on the screen, you 
> could launch an attack on someone and it doesnt open a popup IM box, 
> transparent.
>
> ------------example--------------------
>
> userB: ok im going to send you the string, tell me if you receive anything in 
> the im window.
> userB: userA: 
> ?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=.
> userA: 
> ?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==.
> userB: see anything after I said window?
> userA: no
> userA: nothing
> -----------------------------------------
>
> At the least this causes the other machine to send out more packets than the 
> average user may have known of, with a little thinking and just as much 
> resources this could be used as a distributed denial of service attack.
>
> On the current version of pidgin when this was tested on several OS's it 
> often froze up the targets IM window for the duration of the attack and 
> sometimes the entire system performance suffers. While the attack was being 
> performed the IM window is non-usable.
>
> Side info: if you add or replace characters from the string and send it, it 
> will still work but the new characters dont get repeated back the same in the 
> string.
>
> Discovered by Dan Shinn <danslo@xxxxxxxxx>
> Testing by Rick Russel <noneck.net>
>


-- 
In God we trust,
Everyone else must have an x.509 certificate.

References:
- Cross Platform remote IM vulnerability / DOS
  - From: Danslo

Prev by Date: Re: iDefense Security Advisory 08.16.07: IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
Next by Date: iDefense Security Advisory 08.16.07: IBM DB2 Universal Database Multiple File Creation Vulnerabilities
Previous by thread: Cross Platform remote IM vulnerability / DOS
Next by thread: Re: Cross Platform remote IM vulnerability / DOS
Index(es):
- Date
- Thread