AIM forced behavior “issue”

by ~ July 16th, 2002. Filed under: articles.

Intro:

This article will describe an "issue" I have found with the 4.7 version of the official AIM client. This "issue" involves the ability to automatically force an AIM client into performing various functions. This is achieved when the user loads a webpage created with specific code in the META HTTP-EQUIV="refresh" HTML tag.

Testing has shown that this "issue" affects anyone running the 4.7 version of the official AIM client on Win 9x, Me, XP, 2000, or the 4.5 version on Mac OS9/X. The AIM client available for Linux is not affected. The 4.8 Windows client now gives you a warning, as does the 5.0 Beta*. (Perhaps it affects others as well… NT? CE? If you notice that it's able to affect any of these or any others, email brian@mindflip.org and let me know so I can update this list.)

Discovering this "issue" has inspired me to stop using the official AIM client. I now use Trillian, http://www.trillian.cc which offers similar features while not being subject to this "issue".

Explanation ( how it works ):

On a whim I decided to send someone an AIM greeting card. On the last page of that process AOL goes ahead and pops up an AIM window with an IM going to the SN for the person you have specified to receive the card. The IM says something to the effect of "You've got a greeting, click here." Convenient: this way all you have to do is hit send and it will IM the person to let them know. This greeting card page popped up the window automatically; I didn't have to click any links or OK anything, just load the page. That's right kids, if AOL can pop up a new IM window automatically with a webpage, so can anyone else.

Viewing the source of that page showed me that there was code in the META refresh tag…

<META HTTP-EQUIV="refresh" CONTENT=4;
URL=aim:goim?screenname=mybuddy&message=bunch_of_stuff_here>

Various lists exist all over the net explaining how to create AIM links. I had seen them before and looked at one again for reference. I derived the following link code, usually surrounded by <a href="..."> etc…, which adds a buddy list group and a series of buddies:

aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,
mflips0nic,mflipzorcon&groupname=mindfliporg

So by replacing their META HTTP-EQUIV="refresh" code with my own…

<META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?
listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,
mflipzorcon&groupname=mindfliporg> (all on one line)

Once I let my test webpage load, which included the above line in the HTML, I managed to add a list of buddies and a group to my buddy list.
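The following is an added example, not code from the original article: a small Python audit that pulls every META HTTP-EQUIV="refresh" target out of a page and flags the ones that point at a non-HTTP scheme such as aim:, which is the pattern described above. It handles both refresh forms shown in the article, the all-on-one-line CONTENT=0;URL=... form and the unquoted CONTENT=4; URL=... form where the browser sees URL as a separate attribute. The sample page, the screen names and the example.invalid address are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page (not a real site): the two META refresh forms the
# article shows, plus an ordinary http refresh for contrast.
SAMPLE_HTML = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb&groupname=mindfliporg>
<META HTTP-EQUIV="refresh" CONTENT=4; URL=aim:goim?screenname=mybuddy&message=hello>
<meta http-equiv="refresh" content="5; url=http://example.invalid/next.html">
</head><body>test page</body></html>
"""

# CONTENT is "<delay>" or "<delay>;URL=<target>"; the url= part is optional.
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)


def parse_refresh(content):
    """Split a refresh CONTENT value into (delay_seconds, target_or_None)."""
    m = REFRESH_RE.match(content)
    if not m:
        return None
    target = m.group(2).strip().strip("'\"")
    return int(m.group(1)), (target or None)


class RefreshFinder(HTMLParser):
    """Collects every (delay, target) pair from META HTTP-EQUIV=refresh tags."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        parsed = parse_refresh(a.get("content", ""))
        if parsed is None:
            return
        delay, target = parsed
        # Unquoted "CONTENT=4; URL=..." (as in the article) splits at the space,
        # so the target shows up as a separate "url" attribute.
        if target is None:
            target = a.get("url") or None
        if target:
            self.refreshes.append((delay, target))


def audit_html(html):
    """Return one finding per META refresh; flag targets that are not http(s)."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for delay, target in finder.refreshes:
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        web = scheme in ("http", "https")
        findings.append({
            "delay": delay,
            "target": target,
            "scheme": scheme,
            # For an opaque scheme like aim:, the path is the command name
            # (goim, addbuddy, ...) and the query carries its arguments.
            "command": None if web else parts.path,
            "params": parse_qs(parts.query),
            "flagged": not web,
        })
    return findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        mark = "FLAG" if f["flagged"] else "ok  "
        print(mark, f["delay"], f["scheme"], f["command"], f["params"])
```

Running the block prints one line per refresh tag; the two aim: targets are flagged with their command and parameters broken out, the plain http redirect is not. Note that the refresh delay does not matter for the flag: a delay of 4 fires just as surely as a delay of 0, only later.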

See it in action:

To determine if this issue affects you, make sure you are running AIM ( in some cases accessing this page launches the AIM client automatically ) and then visit the test page I have created. You don't have to click this link to visit the page. You can copy and paste the link into your favorite browser and hit enter.
( Please see warning below before visiting ):

http://www.mindflip.org/aimrefresh/index.html

WARNING: Just so you know ahead of time, viewing the web page in the above link will add a group called "mindfliporg" to your AIM buddy list along with some mindfliporg member screen names as shown in the above example; feel free to delete this group and buddies at any time afterward. You can also just leave them there and IM us if we are ever on ;).

Potential Evil Uses ( why this is an “issue” to me and should be to you ):

As with all findings like this, there is always the potential for exploitation. I suggest you do not go down that road. If you do, I nor mindflip are responsible for what occurs.

Using the same method one can:

  • Register a new user to that AIM client and make that user attempt to log on immediately.
  • Launch and force users to join any chat room.
  • Set the buddy icon.
  • Automatically fetch a file from another AIM user ( will show warning unless it has been disabled ).

All a person would have to do is check out the list of available "aim:" links and use a little imagination. With the use of a little JavaScript onLoad() one could potentially force many behaviors with one page load.

  • Think advertising… visit my corporate website and all of a sudden you have a branded buddy list.
  • Think automatic direct connection…
  • Start thinking about doing away with that AIM client with the "issue".

Comments? Questions? email brian@mindflip.org

* Thanks to Fett for the Mac and Win Me information. Thanks to Bob @ InstantMessagingPlanet.com for the info about the 5.0 Beta.

External:
US-CERT/NIST: Vulnerability Summary CVE-2002-2169
Security Focus: AOL Instant Messenger Unauthorized Actions Vulnerability
Press Coverage: AOL’s AIM Forces the Issue

Brian
