Friday, November 19, 2021

AOL Exploits Bug in Own Software

Geoff Chappell (in 1999, via Hacker News):

In e-mail of dubious origin sent to security expert Richard M. Smith, it is alleged not only that the AIM client software has a so-called “buffer overflow” bug but also that AOL actually does use its knowledge of this bug to induce users’ machines, which are running the AIM client software, to execute code that is downloaded from the AIM server. AOL is said to do this as a way for the AIM server to distinguish AIM clients from MSN clients so that the latter may be denied service.

[…]

An ordinary, though certainly not necessary, effect of a program’s corrupting memory on its stack is that the program crashes some time later. The particular packet presented in the e-mail to support the allegations against AOL fits case 0013h but contains 0118h bytes of string data. This is too long and will indeed induce the AIM client to corrupt memory, as described above. However, the AIM client does not crash.

The reason is that the packet data, as received from the AIM server, is contrived so that the corruption of memory by the AIM client is carefully controlled. The buggy routine in the AIM client is made to “return” to an address at which it is known there will be the bytes for a call esp instruction (actually provided in the bitmap for an icon in the AIM.EXE resources). The effect of this instruction is to start executing some of the packet data.
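The quoted passage describes a length-prefixed string record that the client copies into a fixed stack buffer without checking the length. The following added example (not code from Chappell, AOL, or the AIM client) shows that unchecked pattern next to a bounds-checked form; the packet layout, the 0x13 record type, and the 64-byte buffer size are assumptions made for illustration:

```c
/* Added example, not code from Chappell, AOL or the AIM client: a toy
 * parser for a length-prefixed "case 0013h" string record, in the unchecked
 * form the quoted text describes and in a bounds-checked form. Layout and
 * the 64-byte buffer are assumptions: [u16 BE type][u16 BE length][string] */
#include <stdint.h>
#include <string.h>
#define STRING_BUF_SIZE 64

/* Reads the header; rejects truncated packets and lengths past the end. */
static int read_header(const uint8_t *pkt, size_t pkt_len,
                       uint16_t *type, uint16_t *len) {
    if (pkt_len < 4) return -1;
    *type = (uint16_t)((pkt[0] << 8) | pkt[1]);
    *len  = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return (*len > pkt_len - 4) ? -1 : 0;
}

/* Unchecked pattern: trusts the sender's length and copies into a fixed
 * stack buffer. A 0x118-byte string overruns it and overwrites the saved
 * return address, the bug the quoted text describes. Contrast only. */
int handle_string_unchecked(const uint8_t *pkt, size_t pkt_len) {
    uint16_t type, len;
    char buf[STRING_BUF_SIZE];
    if (read_header(pkt, pkt_len, &type, &len) != 0 || type != 0x13) return -1;
    memcpy(buf, pkt + 4, len);          /* len never compared to sizeof buf */
    return (int)len;
}

/* Hardened form: length validated against the destination before the copy. */
int handle_string_checked(const uint8_t *pkt, size_t pkt_len) {
    uint16_t type, len;
    char buf[STRING_BUF_SIZE];
    if (read_header(pkt, pkt_len, &type, &len) != 0 || type != 0x13) return -1;
    if (len >= sizeof buf) return -1;   /* keep room for the terminator */
    memcpy(buf, pkt + 4, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Constructs a case-0x13 packet carrying n bytes of 'A' and feeds it to
 * the checked parser (checked != 0) or the unchecked one. */
int parse_constructed(uint16_t n, int checked) {
    uint8_t pkt[4 + 0x200];
    if ((size_t)n + 4 > sizeof pkt) return -1;
    pkt[0] = 0x00; pkt[1] = 0x13;
    pkt[2] = (uint8_t)(n >> 8); pkt[3] = (uint8_t)(n & 0xff);
    memset(pkt + 4, 'A', n);
    return checked ? handle_string_checked(pkt, n + 4) : handle_string_unchecked(pkt, n + 4);
}
```

The checked parser rejects the 0x118-byte record from the quoted packet outright, which is the behaviour a client should have had; the unchecked one is never exercised with oversized input here.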

Previously:

Update (2021-11-23): Sherief, FYI:

Check out the section titled “(s)elf-exploitation”
