April 26th, 2006, 01:22 AM
AIM Direct Connect vulnerabilities?
Ok. Let's say that my computer is competely ok, as far as I know... no viruses, no malware, nothing that shouldn't be on it.
Now, let's say that when I'm chatting with a buddy on AIM, and that buddy decides to direct connect with me, most likely for image insertion into the IM, what kinds of risks am I susceptible to?
I'm saying this knowing full well the person I'm DCing with is trustworthy. What I'm worried about is if my buddies computer is compromised in some way. I mean, it only seems logical that I'm at risk, too. I'm guessing this really is no different than having a port (or port range) out in the open and not secured, right? What can I be at risk for? Are attacks like this common?
April 26th, 2006, 11:15 AM
When you have a direct connection of any kind, obviously you have two endpoints that are now networked. Drop down to a command prompt whe you DC with your pal and do a netstat -an and you'll see your connection table with a listing for your buddy.
That said, AIM's "security" control for this is for you to accept whatever is being sent across the connection. Obviously this is a weak feature done at the application layer. What happens if I sneak something in the stream lower down in the stack?
To answer that, see a documented vulnerability that does just that and results in directory traversal and privilage aquisition.
For the lazy, here is a summary:
AOL Instant Messenger versions 4.8 beta and earlier could allow a remote attacker to create arbitrary files on a victim's system when using the "Direct Connection" feature. If a remote attacker is permitted to use the "Direct Connection" feature, the attacker can send a specially-crafted file that would be created in a directory specified by the attacker. The attacker would specify the directory in which the file is created by using '..\..' character sequences in the SRC parameter to traverse directories on the system. This would allow the attacker to perform future related attacks against the user.
Bottom line: Be VERY careful when accepting connections. There is nothing that says I can't write something and plant a logic bomb on your buddy's machine that only fires when it sees DCCs or AIM direct connections.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden