Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: Screenor on December 19, 2005, 11:51:02 AM

Title: New FireFox/AIM Exploit?
Post by: Screenor on December 19, 2005, 11:51:02 AM
Well, browsing the myg0t forum as I do daily, someone posted something I found actually really interesting, just wanted some comfirmation on it of some sort.

http://forums.myg0t.com/showthread.php?p=289027#post289027
Title: Re: New FireFox/AIM Exploit?
Post by: Ergot on December 19, 2005, 12:58:34 PM
You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

   1. You are not logged in. Fill in the form at the bottom of this page and try again.
   2. You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
   3. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
Title: Re: New FireFox/AIM Exploit?
Post by: Newby on December 19, 2005, 01:03:14 PM
100% agreed with Ergot. Mind copying/pasting it here, or taking a screenshot of it, scr33n0r?
Title: Re: New FireFox/AIM Exploit?
Post by: iago on December 19, 2005, 02:42:31 PM
I have seen nothing about this in recent news, so it's probably not true. 

Plus, I make it a point not to trust any website that has a '0' in its name.  I have my reasons!

All that's happened lately is new IIS, Excel, and PHPMyAdmin vulnerabilities, but those have new ones every week, so no worries there. 
Title: Re: New FireFox/AIM Exploit?
Post by: Screenor on December 19, 2005, 04:32:48 PM
Original Post:
Quotemyg0t owned me -_-
Dont know why.... but I got a pm on AIM from MAKONG OF myg0t saying:

MAKONG of myg0t (4:01:58 AM): www.****s.org
MAKONG of myg0t (4:02:01 AM): Fucking Owns makong
S o a d L i n k (4:02:26 AM): hmmm get a life?
MAKONG of myg0t (4:02:49 AM): ****s > Makong
S o a d L i n k (4:03:01 AM): blocked = you

So then i blocked him... cause i never talked to him before... but i did click on that link, and it opened in firefox.

Then I get that message on aim a minute later: "you screenname has been logged in to 2 locations"... and i thought oh shit -_-

And he pms me from my own screen name:

S o a d L i n k (4:07:36 AM): Block me now
S o a d L i n k (4:07:42 AM): www.****s.org
S o a d L i n k (4:08:06 AM): :D

And he had already changed my password -_-

So is this an aim exploit? firefox exploit? I never typed my password... all I did was goto that website in firefox... i didnt browse it or anything, just went, and closed my browser a minute later. My password is saved in the aim login screen though.

Just wondering if I could get my aim account back, or how he got my password -_- im sorry for pissing you off for whatever i did.

(Makong is a member of myg0t)

However, he later replied with this:

QuoteWell, normally I'd take responsibility for this. I didn't do it. Someone hacked my aim screenname as well. Good thing none of my passwords are the same. It's some little kid with a new exploit. Now they have a few foul aim screennames I hardly ever use. GG

The website that was spammed to the guy in the first post (I assume) is www.g00ns.net, myg0t blanks out 'g00n' though, as you can see.


Now, the thing that brought it to my attention was, I know Makong, and normally when he does something, he wants full credit for the evil little deed he did, which is why I figured I'd ask around here as to find out maybe what this bug is, and possibly how to avoid it.
Title: Re: New FireFox/AIM Exploit?
Post by: Joe on December 19, 2005, 06:25:15 PM
It obviously does something client-side, I'll see if I can find anything funky in the page source code.

I'm going to have to call BS, though. I don't really think its possible.
Title: Re: New FireFox/AIM Exploit?
Post by: Quik on December 20, 2005, 02:32:53 AM
If you have "save my password" checked for the AIM client, the SHA-1 (iirc) hash is located in registry.

Not that I think this is anything but made up, of course. Kiddies.
Title: Re: New FireFox/AIM Exploit?
Post by: iago on December 20, 2005, 03:12:35 AM
I doubt AIM SHA-1's the password.  When it does the actual login, it needs to retrieve the password so it can encrypt/hash it when it's sent, and I doubt AOL is smart enough to double-hash it :)
Title: Re: New FireFox/AIM Exploit?
Post by: Quik on December 20, 2005, 03:26:07 AM
Quote from: iago on December 20, 2005, 03:12:35 AM
I doubt AIM SHA-1's the password.  When it does the actual login, it needs to retrieve the password so it can encrypt/hash it when it's sent, and I doubt AOL is smart enough to double-hash it :)

It's either SHA-1 or md5, IIRC it's stored SHA-1 in registry.
Title: Re: New FireFox/AIM Exploit?
Post by: Nate on December 20, 2005, 08:32:26 PM
I know AIM supports some limited use of HTML but is it even possible to open a new window?
Title: Re: New FireFox/AIM Exploit?
Post by: Screenor on December 21, 2005, 08:57:44 AM
Quote from: Nate on December 20, 2005, 08:32:26 PM
I know AIM supports some limited use of HTML but is it even possible to open a new window?
"opening a new window" has nothing to do with this topic..in any way.
Title: Re: New FireFox/AIM Exploit?
Post by: Nate on December 22, 2005, 05:40:06 PM
Never mind i thought it said he did not click on the link and it opened in Firefox.
Title: Re: New FireFox/AIM Exploit?
Post by: ink on February 14, 2006, 03:26:34 PM
Sounds like he was either using an outdated version of firefox which was vulnerable to remote code execution, which gave the other guy access or possibly he was already infected but had either dialup or dsl so the other guy had to get him to goto a website to obtain the new ip since dialup and dsl are both dynamic