AIM Remote File Transfer/Direct Connection Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2002-04-23T00:00:00


AIM Remote File Transfer/Direct Connection


I discovered this vulnerability while I was port scanning my brother (April 15th, 2002), he just happened to send me a file and the port scan connected and received the file instead of me... The next day (April 16th, 2002) I made a program to exploit the vulnerability. This is how the vulnerability works....

When AIM gets a connection request or tries to connect to someone else it acts as a server, the program I made rapidly tries to connect to the target IP (every 450 milliseconds) on port 4443 (Direct Connection) and 5190 (File Transfer) it then intercepts the connection and steals whatever data the target sends, they can receive text from their "friends" but they cannot send it because all data they send gets sent to you, I don't know the Oscar protocol, but I'm sure that if you were to use it, you could send text back to the IM as the "friend" or maybe as a fake screen name, this could be used to trick the person into giving you passwords or personal information, even if the person just happened to send something like "passwords.txt" to their "friend", you now have those passwords.

The fix:

I think a fix would be simple, have AIM only connect to the IP of the person they are trying to connect to which would be retrieved by the AIM server(s), I wouldn't doubt there being ways to exploit this also... but it's a start.
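The fix proposed above, sketched as an added example (not code from the original advisory or from AIM): a listener that hands the session only to a connection coming from the IP address the server reported for the peer, and drops anything else while it keeps waiting. The function names and the 30-second default are assumptions made for illustration.

```python
import ipaddress
import socket
import time


def same_host(peer_ip, expected_ip):
    """Compare two addresses, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    def norm(ip):
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop any IPv6 zone id
        return getattr(addr, "ipv4_mapped", None) or addr
    return norm(peer_ip) == norm(expected_ip)


def accept_expected_peer(listener, expected_ip, timeout=30.0):
    """Accept connections until one arrives from expected_ip.

    expected_ip is assumed to come from the server-side session, not from
    anything the connecting party sends. Returns (conn, rejected): conn is
    the accepted socket, or None if the deadline passed; rejected lists the
    source IPs that were turned away.
    """
    deadline = time.monotonic() + timeout
    rejected = []
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None, rejected
        listener.settimeout(remaining)
        try:
            conn, addr = listener.accept()
        except socket.timeout:
            return None, rejected
        if same_host(addr[0], expected_ip):
            conn.settimeout(None)
            return conn, rejected
        # Unexpected source: close without reading or sending anything and
        # keep listening, so whoever connects first cannot claim the session.
        rejected.append(addr[0])
        conn.close()
```

A source-IP check does not separate hosts that share one address, such as machines behind the same NAT.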

A temporary way to protect from the file transfer spy would be to change the port in the AIM preferences dialog for file transfer to something other than 5190, it would be pretty hard for someone to guess what port you changed it to.

Data you could potentially "steal":

pictures, files, text, passwords, movies, personal information, etc...

Well that concludes this article..., if you have any questions or comments please feel free to contact


(One last note: I am still fixing bugs and trying different things with the program, but when I am happy with it, I will post it on my site, it is called RAFTS which stands for Remote AIM File Transfer


-Joseph Musso a.k.a. Sil

aim screen name: xlsillx