AOL Desktop MiTM Remote File Write and Code Execution

If you know someone that still uses AOL, share the link!

Long story short, it may be long past the time to give it up…

http://rum.supply/2015/12/05/aol-desktop.html

AOL Desktop is “the all-in-one experience with mail, instant messaging, browsing, search, content, and dial-up connectivity”. It is the direct successor of the old Windows AOL clients from the 1990s.

Issues in AOL Desktop, version 9.8.1 and below, that have existed since 1993, can be exploited by an entity in a man-in-the-middle position to write files to disk and cause remote command execution.

FDO91 – “Form Definition Order” http://mazur-archives.s3.amazonaws.com/aol-files/fdo91/tutorial_faq.html

AOL: FDO stands for Form Definition Operator. AOL communicates using this programming language. For example, after clicking any icon or button in AOL, FDO code is sent by the AOL system and interpreted by your AOL to create a window. So, the FDO language is the language used to describe forms on the AOL client. This site has a focus on learning how to program in FDO and provides a surfeit of examples and tutorials for those who want to learn.

They use a compiled homegrown scripting language. No authentication is done on any packets sent, and the client will execute any FDO it is sent by the server.

Some FDO opcodes are interesting from an attacker’s perspective. The fm_* series of opcodes (the File Management protocol, 0x08xx), have existed since the very first version of AOL for Windows from 1993. This series of opcodes enables reading from and writing to disk.

The async_exec_app opcode (0x0d19) takes a string operand, and executes the command in that string. This opcode has existed since version 2.0 of AOL for Windows, from 1994.

Affected Versions

9.8.1 and below. It is not known whether the betas of 9.8.2 are affected.

Solution

Uninstallation of this software will prevent exploitation of these issues. The researchers cannot sanction any mitigations except to remove this software definitively from any affected devices.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s