Untitled

a guest
Mar 28th, 2012
#############################[yayo.org]###################################
###########[yayo.org]#####################################################
## ##
## [+] vulnerable software: aim express 7.0 ##
## [+] discovered by: pad aka padillac escobar ##
## ##
## [+] capabilities: bumping, password scrambling, account suspension ##
## [+] discovered on: 08/20/08 ##
## [+] partially patched on: 09/09/08 ##
## ##
## [+] notes: a few people have been asking for an explanation as to ##
## how i have been able to bump, reset and suspend aims ##
## over the past 22 days, but as i have been helping aol ##
## patch the exploit, i concluded that it would be ##
## unethical to fully disclose details of how it is done ##
## until the hole had begun being patched, and now ##
## that it has been, i invite you to read this text and ##
## learn the full details behind it all. yes, i'm aware ##
## that "aol hacking" is an art now considered as dead as ##
## it is lame, but in my defense this hole took me no ##
## longer than 10 minutes to discover. ##
## ##
###########[yayo.org]#####################################################
#############################[yayo.org]###################################

i coded an application entitled "padillac's aim bump v1" to do all
of this work for me, but here are the technical details behind it:

equip yourself with the packet sniffer of your choice
(wireshark, live http headers for firefox, etc.) and navigate to the
new aim express 7.0 page:
http://o.aolcdn.com/aim/gromit/gm/aim_express/080815.1/WidgetMain.html
sign in with an active aim screen name and wait for the response
data, which includes your unique "aimsid" key and will look
something like this: 001.34576232342.2073485731:example, where "example"
is your screen name.

using aim express, send an instant message to your target.
even if your target has privacy settings enabled and you are unable to
send the instant message, he/she is now vulnerable to your attack.

send the following to api.oscar.aol.com on port 80 numerous times

GET /im/reportSPIM?f=amf3&aimsid=[aimsid-here]&r=1&t=[target-here]&spimType=abuse&spimEvent=user HTTP/1.0
Host: api.oscar.aol.com


see spimType=abuse? that's right, we're exploiting their "report"
feature for instant message spam and abuse. at this point in your
aim express session the "report" button will be disabled, but that
doesn't stop us from submitting abuse reports directly to the server.

there are two submission options for spimType, "spimType=spim" and
"spimType=abuse". if your target has not sent you an instant message,
sending the above header with "spimType=spim" will return this error:

Target not allowed. The evilee had not previously acted on the eviler.

but when we select "spimType=abuse" this error does not occur.
it appears some of aol's developers forgot the harsh reality
that for someone to "abuse" someone else over aol instant messenger,
they must first send an abusive instant message to that person.

now that we have submitted a number of abuse reports to aol, the
next time our target sends an instant message to anyone, be it you
or the queen of england, he/she will receive the following error message:
"your screen name has been signed on from another location".
he/she will be bumped offline immediately, and unable
to sign back on for 1 to 5 minutes.

i was capable of suspending and/or password scrambling aim accounts with
this flaw by targeting the same person over and over again, changing the
&r=1 value to &r=2, &r=3, &r=4 and so on after each abuse report
submission. aim express 7.0 increments the "r=" value by 1 per
abuse submission, but to my knowledge limits you to only 2 abuse report
submissions per session. directly submitting these abuse report headers
to the server bypasses this limitation.
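as an added illustration of the two server-side gaps described above (the prior-contact check that only guards spimType=spim, and the per-session report cap that lived only in the client), here is a constructed python model of such a report endpoint. it is not aol's code; the session store, the inbound-message index and the limit of 2 are assumptions.

```python
# Constructed model of a "report spam/abuse" endpoint (an assumption, not AOL's code).
# It shows the two server-side controls the writeup says were missing for
# spimType=abuse: the prior-contact check and the per-session report cap.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

MAX_REPORTS_PER_SESSION = 2  # the client-side cap the text mentions, assumed as the server value
PRIOR_CONTACT_ERROR = "Target not allowed. The evilee had not previously acted on the eviler."


def parse_report_request(request_line):
    """Extract the query parameters from a raw 'GET /im/reportSPIM?... HTTP/1.0' line."""
    _method, path, _version = request_line.split(" ", 2)
    # parse_qs returns lists; each parameter is expected exactly once here.
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


@dataclass
class Session:
    screen_name: str
    reports_filed: int = 0  # server-side counter; never taken from the client


class ReportService:
    def __init__(self, sessions, inbound_ims):
        self.sessions = sessions        # aimsid -> Session
        self.inbound_ims = inbound_ims  # (recipient, sender) -> IMs sender delivered to recipient

    def _had_prior_contact(self, reporter, target):
        return self.inbound_ims.get((reporter, target), 0) > 0

    def report_vulnerable(self, params):
        """Behaviour the writeup describes: only spimType=spim is gated on prior contact."""
        sess = self.sessions[params["aimsid"]]
        if params["spimType"] == "spim" and not self._had_prior_contact(sess.screen_name, params["t"]):
            return 403, PRIOR_CONTACT_ERROR
        return 200, "report accepted"

    def report_hardened(self, params):
        sess = self.sessions.get(params.get("aimsid"))
        if sess is None:
            return 401, "unknown aimsid"
        if params.get("spimType") not in ("spim", "abuse"):
            return 400, "unknown spimType"
        # Prior-contact check applies to every report type, not just spim.
        if not self._had_prior_contact(sess.screen_name, params.get("t", "")):
            return 403, PRIOR_CONTACT_ERROR
        # The cap is enforced from session state; the client-supplied 'r' counter is ignored.
        if sess.reports_filed >= MAX_REPORTS_PER_SESSION:
            return 429, "report limit reached for this session"
        sess.reports_filed += 1
        return 200, "report accepted"
```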

and if you're curious, "disgust" was suspended (unsuspended now), "dianaz",
"anything" and "bangin" were password scrambled.

thanks for reading.

love,
pad