Windows AIM Client Exploits

Posted Jan 03, 2002 - 12:00 a.m.
Archived as SECURITYVULNS:DOC:2311 (securityvulns / vulners.com)

I have generated a list of exploits that can be used to cause an illegal operation on Windows AIM clients.

  1. Comment Crash - anyone remember that neat little exploit that involved a large amount of HTML comment headers ("<!-- ")? To fix it, they configured the server to ignore instant messages over 2550 characters instead of the previous 7950, making it seemingly impossible to send the long string, but it turns out you can send the full string in a chat invite message.

  2. Long Name Crashes - any kind of "extra" feature involving names (file names, game names, buddy list names, etc.) can be used to crash the remote AIM client by sending an unusually long name (like 6000 #'s, for example).

  3. Font Buffer Crash - by sending lots of different fonts in an IM or two you can fill up AIM's recent-font-name buffer, which disables all "new" HTML codes (any HTML header that the client hasn't already used in the open IM window). For example, links turn up as normal text and new fonts are converted to the default font. It seems AOL miscoded something, and sending a horizontal line ("<hr>") causes the client to crash after you fill up the font buffer.

  4. Large Buddy Icon Crash - you can freeze someone's computer for a short (or long) amount of time by sending them a small .gif file edited to be very large (like 10,000x10,000) as a buddy icon.

  5. Future Problems? - sending an invalid chat URL in a chat invite (like using two !'s instead of one) causes a blank modal dialog to pop up, sending the en dash character (byte 150 in Windows-1252) gives the remote AIM client a neat little font error, and you can send image headers (and maybe images) in game invites.

I have updated my AIM filter software to use and block the above exploits, and it can be downloaded at http://www.ssnbc.com/wiz/

<All exploits were discovered by or largely contributed to by Robbie Saunders>
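The following is an added example of what an inbound filter for the five items above could look like; it is not the author's filter from ssnbc.com and not AOL's code, just an illustrative reimplementation written for this page. The only number taken from the post is the 2550-character server limit; the name-length, comment-count, font-buffer and icon-size thresholds are assumptions, as is the choice to check the GIF header's declared logical screen size for item 4 and to treat the post's "character 150" as the Windows-1252 en dash. All sample inputs are constructed inline.

```python
"""Inbound AIM message filter modelled on the checks described in the post.

Added example: this is NOT the author's filter from ssnbc.com, just an
illustrative reimplementation. Only SERVER_IM_LIMIT comes from the post;
every other threshold is an assumption made for this example.
"""
import re
import struct

SERVER_IM_LIMIT = 2550        # server-side IM cap quoted in the post (was 7950)
MAX_COMMENT_HEADERS = 50      # assumed: more "<!--" than this is a comment flood
MAX_NAME_LEN = 256            # assumed cap for file/game/buddy-list names
MAX_DISTINCT_FONTS = 16       # assumed size of the client's recent-font buffer
MAX_ICON_DIM = 256            # assumed sane bound for a buddy icon's width/height

FONT_FACE_RE = re.compile(r'<font\b[^>]*\bface\s*=\s*"?([^"\s>]+)', re.IGNORECASE)
HR_RE = re.compile(r"<hr\b", re.IGNORECASE)
EN_DASH = "\u2013"            # byte 150 (0x96) in Windows-1252 decodes to this


def gif_dimensions(data):
    """Return (width, height) from the GIF logical screen descriptor, or None
    if the data is not a GIF. Only the first 10 bytes are read, so this can
    run before the file is handed to an image decoder."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack_from("<HH", data, 6)


def make_gif_header(width, height):
    """Constructed sample input: a minimal GIF89a header declaring the given
    logical screen size with no image data, like the 'small .gif edited to be
    very large' in item 4."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00\x3b"


def check_name(name, kind="name"):
    """Item 2: file, game and buddy-list names get a length cap."""
    if len(name) > MAX_NAME_LEN:
        return ["%s of %d chars exceeds %d" % (kind, len(name), MAX_NAME_LEN)]
    return []


def check_buddy_icon(data):
    """Item 4: reject icons whose declared dimensions are absurd before decoding."""
    dims = gif_dimensions(data)
    if dims is None:
        return ["buddy icon is not a GIF"]
    width, height = dims
    if width > MAX_ICON_DIM or height > MAX_ICON_DIM:
        return ["buddy icon %dx%d exceeds %dx%d" % (width, height, MAX_ICON_DIM, MAX_ICON_DIM)]
    return []


class ImWindowFilter:
    """Per-window filter. The recent-font buffer in item 3 fills across
    several IMs in one window, so font faces are accumulated per instance."""

    def __init__(self):
        self.faces = set()

    def check(self, text, from_chat_invite=False):
        """Return the reasons an IM or chat-invite body (already decoded from
        Windows-1252 to str) should be dropped; an empty list means it passes."""
        reasons = []
        if len(text) > SERVER_IM_LIMIT:
            # The server drops plain IMs above this size, so an oversize body
            # that still arrives came via the chat-invite path from item 1.
            via = "chat invite" if from_chat_invite else "unexpected path"
            reasons.append("body of %d chars exceeds %d (%s)" % (len(text), SERVER_IM_LIMIT, via))
        if text.count("<!--") > MAX_COMMENT_HEADERS:
            reasons.append("HTML comment-header flood (item 1)")
        self.faces.update(m.group(1).lower() for m in FONT_FACE_RE.finditer(text))
        if len(self.faces) > MAX_DISTINCT_FONTS:
            reasons.append("%d distinct font faces fills the recent-font buffer (item 3)" % len(self.faces))
            if HR_RE.search(text):
                reasons.append("<hr> sent with a full font buffer (item 3)")
        if EN_DASH in text:
            reasons.append("en dash, cp1252 byte 150 (item 5)")
        return reasons


if __name__ == "__main__":
    # Constructed samples, one per item in the post.
    print(ImWindowFilter().check("<!-- " * 600, from_chat_invite=True))
    print(check_name("#" * 6000, "game name"))
    print(check_buddy_icon(make_gif_header(10000, 10000)))
    window = ImWindowFilter()
    for i in range(20):
        window.check('<font face="font%d">x</font>' % i)
    print(window.check("<hr>"))
```

The icon check deliberately reads only the 10-byte header rather than decoding the image, since the decode is the step that ties up the victim's machine; the font check keeps state per window because, as item 3 says, the buffer fills across "an im or two", so a per-message count would miss the `<hr>` sent in a later message.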