AIM Remote File Transfer/Direct Connection Vulnerability

2002-04-23T00:00:00
ID SECURITYVULNS:DOC:2829
Type securityvulns
Reporter Securityvulns
Modified 2002-04-23T00:00:00

Description

AIM Remote File Transfer/Direct Connection Vulnerability

I discovered this vulnerability while I was port scanning my brother (April 15th, 2002). He just happened to send me a file, and the port scan connected and received the file instead of me... The next day (April 16th, 2002) I made a program to exploit the vulnerability. This is how the vulnerability works....

When AIM gets a connection request or tries to connect to someone else, it acts as a server. The program I made rapidly tries to connect to the target IP (every 450 milliseconds) on port 4443 (Direct Connection) and 5190 (File Transfer); it then intercepts the connection and steals whatever data the target sends. They can receive text from their "friends" but they cannot send it, because all data they send gets sent to you. I don't know the Oscar protocol, but I'm sure that if you were to use it, you could send text back to the IM as the "friend" or maybe as a fake screen name. This could be used to trick the person into giving you passwords or personal information; even if the person just happened to send something like "passwords.txt" to their "friend", you now have those passwords.

The fix:

I think a fix would be simple: have AIM only connect to the IP of the person they are trying to connect to, which would be retrieved by the AIM server(s). I wouldn't doubt there being ways to exploit this also... but it's a start.

A temporary way to protect from the file transfer spy would be to change the port in the AIM preferences dialog for file transfer to something other than 5190; it would be pretty hard for someone to guess what port you changed it to.
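
The check proposed under "The fix", as an added example (not the author's code and not AIM's): a listener that drops any connection whose source address is not the one named by the server. Because the author expects an address check alone to be bypassable, it goes one step further and also requires a one-time cookie; `accept_expected_peer`, `expected_ip`, `cookie` and the loopback values are assumptions made for the illustration.

```python
import hmac
import socket
import time

def recv_exact(conn, n):
    """Read exactly n bytes, or fewer if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def accept_expected_peer(listener, expected_ip, cookie, deadline_s=5.0):
    """Return a socket only for the peer the server named, else None.

    expected_ip and cookie are assumed to arrive over the already
    authenticated server session (hypothetical parameters).
    """
    deadline = time.monotonic() + deadline_s
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        listener.settimeout(remaining)
        try:
            conn, addr = listener.accept()
        except OSError:          # timed out (or listener error): no valid peer
            return None
        if addr[0] != expected_ip:
            conn.close()         # a stranger won the race: drop, keep listening
            continue
        conn.settimeout(min(remaining, 2.0))
        try:
            presented = recv_exact(conn, len(cookie))
        except OSError:          # stalled or reset before sending the cookie
            presented = b""
        if hmac.compare_digest(presented, cookie):
            conn.settimeout(None)
            return conn
        conn.close()             # right address, wrong cookie: drop, keep listening

if __name__ == "__main__":
    # Constructed loopback demo: the "friend" connects from 127.0.0.1.
    cookie = b"constructed-cookie"
    srv = socket.create_server(("127.0.0.1", 0))
    friend = socket.create_connection(srv.getsockname())
    friend.sendall(cookie)
    print("accepted:", accept_expected_peer(srv, "127.0.0.1", cookie, 2.0) is not None)
```

Rejected connections are closed without ending the wait, so an unexpected client that connects first does not take the legitimate peer's place; it only uses up part of the deadline.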

Data you could potentially "steal":

pictures, files, text, passwords, movies, personal information, etc...

Well, that concludes this article... If you have any questions or comments, please feel free to contact me.

(One last note: I am still fixing bugs and trying different things with the program, but when I am happy with it, I will post it on my site. It is called RAFTS, which stands for Remote AIM File Transfer Spy.)

-Joseph Musso a.k.a. Sil

www.silenttech.com

aim screen name: xlsillx

email: sil@linuxquestions.net