SecurityTracker.com





Category:  Application (Instant Messaging/IRC/Chat)  >  AOL Instant Messenger
Vendors:  America Online, Inc.
AOL Instant Messenger (AIM) May Disclose AIM Passwords to Remote Users in Certain Situations
Date:  Feb 26 2002
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Description:  A password disclosure vulnerability was reported in AOL Instant Messenger (AIM). In certain situations, a remote user can obtain the AIM password of another AIM user.

A remote user can reportedly retrieve the password of an AOL Instant Messenger screen name if the AIM screen name is registered to the matching [screenname]@aol.com address but the corresponding AOL account is no longer valid and no longer in AOL's system. It is reported that a [screenname]@aol.com address might no longer be in AOL's system 6 months after the date that the AOL account was cancelled or terminated.

The steps necessary to trigger the flaw are provided in the Source Message.

The vulnerability appears to be due to a logic flaw in AOL's systems (as opposed to an issue with the AIM client software).

The vendor has reportedly been notified.

Impact:  A remote user can obtain the AIM password of another AIM user in certain situations.
Solution:  No solution was available at the time of this entry.

The author of the report recommends that AIM users make sure their AIM screen name's email address isn't registered to its old [screenname]@aol.com address.

Vendor URL:  www.aol.com/
Cause:  State error
Underlying OS:  Windows (Any)
Reported By:  Robert Lyttle <robert@SUB-SEVEN.COM>
Message History:   None.
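
An added example (not from the advisory, its author, or AOL) of a service-side check for the state error described above, where a recovery e-mail address outlives the mailbox it was bound to. The data model, field names, decision strings and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

@dataclass
class Mailbox:
    address: str
    created: datetime      # when the current holder registered the address

@dataclass
class ImAccount:
    screen_name: str
    recovery_email: str
    email_bound: datetime  # when this address was attached to the screen name

def recovery_decision(acct: ImAccount, mailboxes: Dict[str, Mailbox]) -> str:
    """Decide how a lost-password request for one screen name may proceed."""
    box = mailboxes.get(acct.recovery_email.lower())
    if box is None:
        # The address no longer exists, so anyone could register it next.
        return "deny:mailbox-missing"
    if box.created > acct.email_bound:
        # The address was registered again after it was bound to this account.
        return "deny:mailbox-recycled"
    # Same mailbox as at binding time: mail a one-time reset link,
    # never the current password.
    return "send-reset-link"

def audit(accounts: List[ImAccount], mailboxes: Dict[str, Mailbox]) -> List[str]:
    """Return screen names whose recovery address must be re-verified."""
    return [a.screen_name for a in accounts
            if recovery_decision(a, mailboxes) != "send-reset-link"]

# Constructed sample data (hypothetical names and dates).
MAILBOXES = {m.address: m for m in [
    Mailbox("alpha@mail.example", datetime(2000, 6, 1)),
    Mailbox("charlie@mail.example", datetime(2002, 2, 1)),  # re-registered
]}
ACCOUNTS = [
    ImAccount("alpha", "alpha@mail.example", datetime(2001, 1, 10)),
    ImAccount("bravo", "bravo@mail.example", datetime(2000, 3, 5)),
    ImAccount("charlie", "charlie@mail.example", datetime(2000, 3, 5)),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.screen_name, recovery_decision(acct, MAILBOXES))
    print("re-verify:", audit(ACCOUNTS, MAILBOXES))
```
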


 Source Message Contents

Date:  Sun, 24 Feb 2002 02:36:09 -0800
From:  Robert Lyttle <robert@SUB-SEVEN.COM>
Subject:  AOL/AOL Instant Messenger Vulnerability

 

AOL/AOL Instant Messenger Vulnerability

--------------------------------------------------------------------------------


Author: Robert Lyttle (robert@sub-seven.com)
Contributors: r0cky
Release Date: 02.24.02 - 2:00 AM

Disclaimer:
http://www.sub-seven.com and/or Robert Lyttle is not responsible for the misuse of the following information. The below was executed against business associates with their express permission as proof of concept.

History:
This is the second significant public release of a hole within AOL's software, making it the 4th significant hole discovered in AOL software since Jan 1, 2002. (w00w00, this one, and two other private vulnerabilities) In 1999, 2000, and 2001 there were related vulnerabilities against AOL Instant Messenger.

Summary:
It is possible to retrieve the password of AOL Instant Messenger screen names through the http://free.aol.com, http://www.aol.com and http://www.aim.com websites. This then leading to possible gain of other accounts such as FTP, e-mail, and so on.

Susceptible to retrieving current password:
AOL Instant Messenger screen names that are registered to the same @aol.com address, but those that no longer exist in AOL's system (Usually 6 months after cancellation/termination of account.)

Example:
We have an AOL Instant Messenger screen name "hi mom" that is registered under the e-mail hi mom@aol.com - and since the hi mom@aol.com account is no longer in AOL's system, it is vulnerable.

Susceptible to take-over, but without current password:
AOL Instant Messenger screen names that are not currently in AOL's system. Social Engineering required.

How:

- Visit http://free.aol.com

- At the first page enter in any information you desire. (Remember this information if you plan on social engineering your way in later.) Now press continue.

- On the next page you will be asked for a screen name and password. Enter in an AOL Instant Messenger screen name and password that you own, that is NOT in AOL's system - Check the check box that says "Check here to use your AIM name on AOL" Now press continue.

- On the next page you will be asked for billing information and a new browser window will pop up. Click the "I Agree" button in the new browser window, it should close. Go back to the initial browser window and press the "Cancel" link on the bottom left hand corner.

- On the next page you will be brought to a new screen that talks about Joining AOL without a credit card. Now press continue.

The next 2 pages will be for verification -- Keep pressing "Continue" on the next 2 pages until you get to the page that asks for another screen name and password.

If you've done this correctly you will be greeted with "Sorry, <thename> is taken" then asked to enter another screen name and password as stated before.

This is where you enter the screen name that you would like to retrieve the password from. (If you enter a screen name that is on AOL already, you will get error saying that it is already taken.) Other errors might occur when trying certain screen names, simply press the back button and try again.

So, say we enter "S7S Robert" and for the password field you would enter any password (DON'T FORGET IT, this will be used in the following steps)

Press the continue button and if the name was vulnerable you will be taken to a new page and greeted with "Welcome to America Online! Congratulations S7S Robert!" Now we have access to login to the http://www.aol.com AOLAnywhere service with the account that was just created.

- Now to retrieve the current password of S7S Robert, we visit http://www.aim.com and use the Lost Password feature found under Help. Enter in the screen name of the password to be retrieved and press Submit.

- Visit http://www.aol.com to use AOLAnywhere and login to the account using the password you chose before. You should have an e-mail in there from AOL with the password to the screen name.

If you didn't receive an e-mail from the Lost Password feature, this means that the AOL Instant Messenger screen name was not registered under the @aol.com address.

From here an attacker could change the password to the AOL Instant Messenger screen name and also try the same password against the victim's other accounts. (FTP, SSH, etc)

Testing:
To test this simply register an AOL Instant Messenger name at http://www.aim.com and when it asks for the e-mail address to use, make it the same as the screen name and append @aol.com. For instance, if I want to test with "S7S Robert" I would enter the email address S7S Robert@aol.com as well. Once you've done that, you can use the above directions and see that you do not need the password used in the screen name registration process to retrieve it.

Solution:
I've e-mailed AOL multiple times before this advisory and have yet to receive a reply, so hopefully they are working on it. In the meantime, just make sure your AOL Instant Messenger screen name's email address isn't registered to its old @aol.com address.

- Robert Lyttle
- http://www.sub-seven.com



Copyright 2002, SecurityGlobal.net LLC