Date: 1 Mar 2002 06:20:07 -0000
From: Brendan Butts <[email protected]>
To: [email protected]
Subject: AOL Instant Messenger Servers Patched and...Un-Patched?
---AOL Instant Messenger Still Vulnerable to DoS
attack---
Author: Nemisis ([email protected])
Synopsis-
After everything that has happened, with the game
invite crash, File Crash, Buddy List Crash, etc., AOL
patched their AIM servers to protect users against
these attacks and released new versions of Instant
Messenger. Sometime in the middle of January, you
could no longer use AIM Filter or Nemisis AIM Suite
to exploit these bugs. Upon execution of a Buddy List
Kill Attack with AIM Suite (a DoS attack that locks up
Windows AIM 4.7 and the first 4.8 beta with an overly
large buddy list), you would receive
'Error Code 14' from the server in your IM window.
AOL's server-side block of this bug protected the
target from having their client frozen. Now it seems
that they have given up their server-side block of this
kill, and it can once again be exploited. The newest
AIM beta, 4.8.24.64, I believe is not vulnerable to this
attack.
Implications-
The problem is that when a user goes to
www.AIM.com to download AIM, they are not given
the chance outright to download the newest beta;
you have to dig around the site to find the beta
download page. Instead, large numbers of users are
downloading AIM 4.7, which is STILL vulnerable to the
Buddy Kill DoS attack. Why AOL fixed this problem
on the server side and then un-fixed it, I won't even
venture a guess on.
Fix-
For those who are wary of downloading any new beta
versions of AIM from AOL (and aren't we all), there is
still the AIM Filter or Nemisis AIM Suite alternative,
both of which are available at
www.dreamscapeprod.com/nemisis