RE: Looking for a discussion on IM

[Kevin Lundy]

You know, I violated a cardinal rule of mine - don't post something if you can't back it up.  I did have a reference and now can't find it.  I did find a similar exploit in the Yahoo messenger.  I'm still pretty confident I did read about either a real attack via the icon, or at least a proof of concept, and I will keep looking for it.  Anyway, the below is an exploit against an IM, so it shows it is vulnerable.    From http://www.ca.com/virusinfo/encyclopedia/   Yahoo Pager/Messanger Buffer Overflow There is a buffer overflow problem with Yahoo Messenger that leaves the user vulnerable to remote attack. The problem arises due to a lack of appropriate bounds checking on the length of a URL that is received from another user inside a message. Unfortunately, due to this oversight, it is possible for unprivileged and possibly hostile remote users to execute arbitrary commands by overwriting the EIP (return address) and filling the URL with malevolent code. The hostile code could then be actioned when the unsuspecting target host clicks on the URL. -----Original Message----- From: Gordon W. Smith [mailto:[EMAIL PROTECTED]] Sent: Monday, September 24, 2001 9:07 AM To: NT System Admin Issues Subject: RE: Looking for a discussion on IM OUCH!  A virus in a smiley?  Tell me more!  I couldn't find anything about it. -----Original Message----- From: Kevin Lundy [mailto:[EMAIL PROTECTED]] Sent: Monday, September 24, 2001 7:50 AM To: NT System Admin Issues Subject: RE: Looking for a discussion on IM Two things come to immediate mind:   1) Many IM clients allow for file transfer.  Depending on your overall security policy this in itself can be an issue.  Even if you allow people to transfer files, the IM client then becomes a point of security control.  For example, with AIM, it is supposed to ask the user if it is ok if their chat partner sends them a file.  How long do you think it will be before hackers manage to bypass that "confirmation"?  Further, then they bad-guys could then just send a backdoor program to the hard disk.  Or just pick up sensitive data from the computer.   2) There has already been at least one IM based virus - done by embedding malicious code in an icon smiley face.  This becomes another area where the anti-virus vendors have to keep up.    I'm sure there are other reasons as well, those are just the 2 that come to my mind before finishing my first cup of coffee. -----Original Message----- From: Clark, Steve [mailto:[EMAIL PROTECTED]] Sent: Sunday, September 23, 2001 11:17 PM To: NT System Admin Issues Subject: Looking for a discussion on IM Hello,   I have been asked to research and potentially implement IM for a company to communicate internally as well as externally. However, I have always heard that IM was evil and to close it down ASAP. I would like to hear real world implementation concerns/ tips as well as the security issues associated.   Thanks in advance for your input.   Steve Clark Clark Systems Support, LLC AVIEN Charter Member "Who's watching your network?" www.clarksupport.com           301-610-9584 voice           240-465-0323 Efax   http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm http://www.sunbelt-software.com/ntsysadmin_list_charter.htm