AOL Instant Messenger Advisory

David Hulton – dhulton@nightfallsecurity.com
Nightfall Security Solutions, LLC – We break stuff, before they do.

The Problem
The AOL Instant Messenger program is widely used by many people on the internet as a form of communication. Unfortunately, when AOL first put together the AOL Instant Messenger program, they didn’t take security very seriously. The result is an extremely weak password encoding scheme. One can only imagine the amount of grief this can cause AOL if someone happened to be able to run an AOL IM password decoding program on a major router or source of traffic.

The Exploit
The passwords are encoded using a fixed array of digits (the key), each of which is xor'ed with the corresponding character of the original password to form an encoded string.

As we know, a xor can be easily reversed:

(let x = 5 and y = 9)

z = x xor y

x = 00000101 (5)
y = 00001001 (9)
z = 00001100 (12)

This also allows you to find x if you only have z and y:

x = z xor y

z = 00001100 (12)
y = 00001001 (9)
x = 00000101 (5)

or y if you already have x and z:

y = x xor z

x = 00000101 (5)
z = 00001100 (12)
y = 00001001 (9)

Therefore, all you have to do is get an encoded password and the matching decoded password, then xor them to obtain the key. Or, for that matter, xor an encoded password with the key to obtain the decoded password.

This decoding method has been implemented in dsniff for aim’s toc protocol, but not for oscar.

The Keys
When you use this method you will see that the toc protocol uses a key that consists of the characters “Tic/Toc” recurring, and the oscar protocol uses a static key that consists of the following (hex) digits:
0xf3, 0x26, 0x81, 0xc4, 0x39, 0x86, 0xdb, 0x92, 0x71, 0xa3, 0xb9, 0xe6, 0x53, 0x7a, 0x95, 0x7c.
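
The following Python sketch is an added example, not the advisory's perl script or dsniff code. It shows why a fixed xor key gives no confidentiality: the same operation encodes and decodes, and one known password/encoding pair yields the key. The function names and sample passwords are constructed for illustration, and repeating the oscar key for inputs longer than 16 bytes is an assumption.

```python
from itertools import cycle

# Keys exactly as listed in the advisory.
TOC_KEY = b"Tic/Toc"
OSCAR_KEY = bytes([0xf3, 0x26, 0x81, 0xc4, 0x39, 0x86, 0xdb, 0x92,
                   0x71, 0xa3, 0xb9, 0xe6, 0x53, 0x7a, 0x95, 0x7c])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, repeating the key as needed (assumption
    for inputs longer than the key). The same call encodes and decodes,
    because (p ^ k) ^ k == p."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(encoded: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext case: encoded ^ plain yields the key bytes used."""
    if len(encoded) != len(known_plain):
        raise ValueError("encoded and plaintext lengths differ")
    return bytes(e ^ p for e, p in zip(encoded, known_plain))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces the stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


if __name__ == "__main__":
    sample = b"constructed-pw-01"  # constructed sample, not a real password
    enc = xor_with_key(sample, TOC_KEY)
    key = shortest_period(recover_keystream(enc, sample))
    print("recovered toc key:", key)
    print("decoded:", xor_with_key(enc, key))
```

Because the key never changes between users or sessions, anyone who can observe the login traffic can read the password; the encoding offers obfuscation only.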

The Code
I have implemented this scheme into a perl script which parses through an output file generated by ndump (a network dumping perl script). It is available for download and has been tested on Netscape AOL Instant Messenger Version 3.0N and GAIM v0.9.13 and works for both the toc and oscar aim protocols.

Credits
