AIM Jacking Exploit
Discovered By: Endo (Mac version), The Knight (PC version), O0O (null password version)
Date: Fall 1999
Patched: March 2000
Updated: 2.8.01
This was the first AIM jacking exploit. Millions of AIM accounts were vulnerable, and it was reported on NBC News and by other large news organizations.
Endo discovered this on the Mac in late 1999. The principle behind it was fairly simple. You could create an AIM account as an AOL account without having the password to the AIM. Once that's done you could go to kw: AIM PASSWORD and change the AIM password for the sn, giving you control of both the AOL and AIM screen names.
On the PC there were actually 3 or 4 different ways of making the AIM on AOL without the password. Several of these were found by The Knight. One method was to enter the AIM screen name you wanted to jack along with an invalid password. This would buffer the AIM sn on the AOL host side. Then you could invoke the f1 token (32-6544) for a special AIM password form and set the password for the account. The AIM password form was normally used to change the passwords of AIMs whose passwords were not a certain length. There were serious flaws in the registration tokens which allowed this password form to be used at any time during the registration before clicking I Accept on the TOS Agree form.
Another method was to go through the registration process as if you were going to create a new AOL account. After you had entered billing information and clicked I Agree on the TOS Agree form, you would be at the choose screen name form, where you would invoke f1 32-6538. This allowed you to choose an AIM screen name to create on AOL, which would buffer the AIM sn. Once it's buffered you would invoke f1 41-4557, which is the form that confirms the screen name you want. You would use this form to get to the set password form. Once at the set password form you would just make your password like you would if you were creating an AOL account. Really this method was just creating a normal account, except you would buffer an AIM sn and then invoke 41-4557 to get to the password form, since you couldn't just invoke the password form without confirming your sn; if you tried you would be bumped offline.
However, the method which gained the most notoriety among hax0rs was the null password method refined by O0O. You would set the AIM screen name in the host side buffer but never enter a password. You would enter billing information and then hit I Accept on the TOS Agree form. This would create the account, but no password would be set. Once this was done you could call up AOL and get the password reset using the billing information you had just entered to make the account.
This exploit was totally patched in March 2000. AOL tried to put in several token fixes for it in February, but it wasn't until March that they killed all methods of jacking AIMs. The token fixes AOL put into the registration process were very widespread and managed to kill off another exploit called the "dead cert" trick. These were some of the most extensive token code fixes AOL had done in recent years.
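The root cause common to the methods above is a registration flow whose forms could be invoked in any order, so a screen name buffered with a wrong password could still reach the set password form, and TOS acceptance created an account with no password at all. The following toy model is an added example, not AOL code or anything from the original page: it contrasts that order-free flow with one that enforces each form's preconditions server-side. Field names and the EXISTING_AIM table are constructed for illustration.

```python
"""Toy model of the registration flow this writeup describes (constructed
example, not AOL code).  It contrasts forms invokable in any order with
forms that enforce their preconditions; all names are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed: AIM names that already exist, with their real passwords.
EXISTING_AIM = {"alice": "correct-horse", "bob": "battery-staple"}

@dataclass
class Session:
    sn: Optional[str] = None      # screen name buffered on the host side
    sn_verified: bool = False     # ownership proven, or name is brand new
    password: Optional[str] = None
    billing_ok: bool = False
    finalized: bool = False

def vulnerable_step(sess, action, arg=None, aim_pw=None):
    """Every form is an independently invokable token; no ordering checks."""
    if action == "buffer_sn":
        sess.sn = arg                 # buffered even when aim_pw is wrong
    elif action == "set_password":
        sess.password = arg           # never checks that sn was verified
    elif action == "billing":
        sess.billing_ok = True
    elif action == "accept_tos":
        sess.finalized = sess.billing_ok   # password may still be None
    return sess

def hardened_step(sess, action, arg=None, aim_pw=None):
    """Same forms, but each transition enforces its preconditions."""
    if action == "buffer_sn":
        if arg in EXISTING_AIM and EXISTING_AIM[arg] != aim_pw:
            raise PermissionError("existing AIM name: its password is required")
        sess.sn, sess.sn_verified = arg, True
    elif action == "set_password":
        if not sess.sn_verified:
            raise PermissionError("no verified screen name in this session")
        sess.password = arg
    elif action == "billing":
        sess.billing_ok = True
    elif action == "accept_tos":
        if not (sess.sn_verified and sess.password and sess.billing_ok):
            raise PermissionError("registration incomplete; account not created")
        sess.finalized = True
    return sess
```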
Update:
Another method of doing this trick did not need any star tool and could be done by buffering stuff in the right order. The process was this:
1) insert cert
2) insert invalid aim
3) repeat steps 1 and 2 until the aim modal stays along w/ the cert window
4) insert cert to pull up a second aim modal
5) insert valid aim to pull up the billing info screen
6) call up the first aim modal and click next
7) re-enter cert, then put in the aim you want to jack w/ any pw
8) click next to set the aim sn (you'd get an error message)
9) continue w/ the already called billing info modal
10) use account w/ the same pw as your valid aim
Contributed By: O0O and Path. Addition: db