Vulnerability Development mailing list archives
Buffer overflow in AIM 3.5.1856
From: jst3290 () RITVAX ISC RIT EDU (Joe Testa)
Date: Sun, 19 Mar 2000 10:58:42 -0800
[ Overview ]

A buffer overflow vulnerability has been found to exist in the latest build (3.5.1856) of AOL Instant Messenger (and possibly in older versions too). The problem arises out of the fact that proper bounds checking is not performed on the command line arguments given to AIM. This does not seem to be a particularly lethal bug until you consider that AIM adds its own "aim:" protocol to Internet Explorer and Netscape Navigator.

[ Details ]

AOL Instant Messenger build 3.5.1856 (March 1st, 2000) blindly accepts arguments passed to it, without caring to check its buffers for proper space. I have not the time to write an exploit to demonstrate the existence of this bug beyond a reasonable doubt; ASCII values of argument characters are added to 0x20 first, then leak into EBP and EIP. So, this *appears* to be exploitable, and I invite anyone out there with spare time to make an attempt.

To see a quick (and harmless) example, click here: aim:goim?screenname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&message=EIP,+the+other+white+meat

Any data passed to AIM in a link by means of the 'screenname=' field past the 244th character begins to overwrite EIP.

[ Solution ]

I do not know of any way to fix this problem besides installing the proper patch when it arrives. Trying to disable the 'aim:' protocol by removing the following registry keys/values:

HKEY_CLASSES_ROOT\aim\(Default)
HKEY_CLASSES_ROOT\aim\URL Protocol
HKEY_CLASSES_ROOT\AIM.Protocol
HKEY_CLASSES_ROOT\AIM.Protocol.1

... does not work because AIM will restore the keys and values upon next execution. Renaming 'aim.exe' does not work, nor does renaming AIM's directory.

On top of that, just plain watching your status bar before clicking each link doesn't work either, because a malicious attacker could mask the suspicious link URL with elementary JavaScript skills.... Any help with a temporary solution is greatly appreciated.

[ Vendor Status ]

America Online was notified a week and a half ago, but has not yet patched their software.

----------------------
Greets to @Stake/L0pht and the cDc.

- Joe Testa (jst3290 () cs rit edu)
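The following is an added example and is not part of Joe Testa's post, nor AIM's own code. It models the bug class the post describes: a URL-protocol handler that extracts the screenname= parameter from an aim:goim link and copies it into a fixed stack buffer with no bound, so that input past the end of the buffer lands on the saved EBP and return address. The frame is modelled as a flat byte array (buffer, then saved EBP, then saved EIP, then some slack) so the demo stays memory-safe while still showing the overwrite; the 244-byte buffer size is taken from the post's observation and is an assumption about the layout, not a measurement of AIM. The hardened handler beside it uses the destination size as the bound and rejects, rather than truncates, an overlong screenname.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the post reports that data past the 244th character of
   screenname= starts to overwrite EIP, so the model uses 244 for the buffer. */
#define SCREENNAME_BUF 244
#define FRAME_SLACK    64   /* modelled "caller frame" beyond EIP, keeps the demo in bounds */

/* Model of the vulnerable handler's stack frame: screenname buffer, then
   saved EBP (4 bytes), then saved EIP (4 bytes), the classic stack-smash layout. */
struct handler_frame {
    unsigned char raw[SCREENNAME_BUF + 8 + FRAME_SLACK];
};

static void frame_init(struct handler_frame *f) {
    uint32_t ebp = 0xBBBBBBBBu, eip = 0xEEEEEEEEu;   /* sentinel values, constructed */
    memset(f->raw, 0, sizeof f->raw);
    memcpy(f->raw + SCREENNAME_BUF, &ebp, 4);
    memcpy(f->raw + SCREENNAME_BUF + 4, &eip, 4);
}

uint32_t frame_saved_eip(const struct handler_frame *f) {
    uint32_t v;
    memcpy(&v, f->raw + SCREENNAME_BUF + 4, 4);
    return v;
}

/* Pull one parameter out of the query part of an aim: URL, e.g.
   "aim:goim?screenname=bob&message=hi+there". Decodes '+' as a space
   (percent-escapes are not handled). Returns the value length, or -1 if the
   key is absent or the value does not fit in out (out_size includes the NUL). */
int aim_url_get_param(const char *url, const char *key, char *out, size_t out_size) {
    const char *q = strchr(url, '?');
    if (!q) return -1;
    size_t klen = strlen(key);
    for (const char *p = q + 1; *p; ) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen + 1 > out_size) return -1;        /* the bounds check AIM lacks */
            for (size_t i = 0; i < vlen; i++) {
                char c = p[klen + 1 + i];
                out[i] = (c == '+') ? ' ' : c;
            }
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* The pattern the post describes: the screenname is copied into the fixed
   buffer without checking SCREENNAME_BUF. Only the model's total size is
   checked, so the demo itself never writes out of bounds. Reports the saved
   EIP after the copy; returns 0 on success, -1 if the URL is unusable. */
int unsafe_handle_goim(const char *url, uint32_t *saved_eip_after) {
    char value[1024];
    int n = aim_url_get_param(url, "screenname", value, sizeof value);
    if (n < 0) return -1;
    struct handler_frame f;
    frame_init(&f);
    if ((size_t)n + 1 > sizeof f.raw) return -1;
    memcpy(f.raw, value, (size_t)n + 1);             /* runs past byte 243 into EBP/EIP */
    *saved_eip_after = frame_saved_eip(&f);
    return 0;
}

/* Hardened handler: the destination buffer's size is the bound, and an
   overlong screenname is rejected instead of truncated. */
int safe_handle_goim(const char *url, uint32_t *saved_eip_after) {
    struct handler_frame f;
    frame_init(&f);
    if (aim_url_get_param(url, "screenname", (char *)f.raw, SCREENNAME_BUF) < 0) return -1;
    *saved_eip_after = frame_saved_eip(&f);
    return 0;
}

/* Constructed test input mirroring the post's demo link: n 'A's as the
   screenname. Caller frees the result. */
char *make_goim_url(size_t n) {
    const char *head = "aim:goim?screenname=";
    const char *tail = "&message=EIP,+the+other+white+meat";
    char *u = malloc(strlen(head) + n + strlen(tail) + 1);
    if (!u) return NULL;
    strcpy(u, head);
    memset(u + strlen(head), 'A', n);
    strcpy(u + strlen(head) + n, tail);
    return u;
}

int main(void) {
    char *url = make_goim_url(256);
    uint32_t eip;
    if (unsafe_handle_goim(url, &eip) == 0) printf("unsafe handler: saved EIP = 0x%08x\n", eip);
    if (safe_handle_goim(url, &eip) == 0) printf("safe handler: saved EIP = 0x%08x\n", eip);
    else printf("safe handler: rejected overlong screenname\n");
    free(url);
    return 0;
}
```

With 256 'A's the unsafe handler reports a saved EIP of 0x41414141, which is the "leak into EBP and EIP" the post observed; the safe handler refuses the same link outright. The check that matters is the one inside aim_url_get_param: the size of the buffer being written is passed in and compared before any byte is copied.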
Current thread:
- Exploiting any network protocol with secondary data channels opened from the server Mikael Olsson (Mar 17)
- Re: Exploiting any network protocol with secondary data channelsopened from the server Blue Boar (Mar 18)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mikael Olsson (Mar 19)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mr. Pink (Mar 19)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Ralf-Philipp Weinmann (Mar 19)
- Re: Exploiting any network protocol with secondarydatachannelsopened from the server H D Moore (Mar 19)
- Re: Exploiting any network protocol with secondarydatachannelsopened from the server Ralf-Philipp Weinmann (Mar 20)
- Re: Exploiting any network protocol with secondary datachannelsopened from the server Mikael Olsson (Mar 19)
- Re: Exploiting any network protocol with secondary data channelsopened from the server Blue Boar (Mar 18)
- Buffer overflow in AIM 3.5.1856 Joe Testa (Mar 19)