Vulnerability Development mailing list archives

Buffer overflow in AIM 3.5.1856


From: jst3290 () RITVAX ISC RIT EDU (Joe Testa)
Date: Sun, 19 Mar 2000 10:58:42 -0800


[ Overview ]

A buffer overflow vulnerability has been found to exist in the latest
build (3.5.1856) of AOL Instant Messenger (and possibly in older
versions too).  The problem arises from the fact that proper bounds
checking is not performed on the command line arguments given to AIM.
This does not seem to be a particularly lethal bug until you consider
that AIM registers its own "aim:" URL protocol with Internet Explorer
and Netscape Navigator, so those arguments can be supplied by any web
page or HTML mail that carries an "aim:" link.

[ Details ]

AOL Instant Messenger build 3.5.1856 (March 1st, 2000) blindly accepts
the arguments passed to it, without checking that they fit in its
buffers.  I have not had the time to write an exploit to demonstrate
the existence of this bug beyond a reasonable doubt; ASCII values of
argument characters are added to 0x20 first, then leak into EBP and
EIP.  So, this *appears* to be exploitable, and I invite anyone out
there with spare time to make an attempt.

To see a quick (and harmless) example, click a link whose target is:

  aim:goim?screenname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&message=EIP,+the+other+white+meat

Any data passed to AIM in a link by means of the 'screenname=' field
past the 244th character begins to overwrite EIP.
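The following is an added example, not code from the post or from AOL, showing the argument-handling pattern described above: an "aim:goim" link's screenname value copied into a fixed-size stack buffer with no bound, beside a bounded version that refuses a value that does not fit, plus a triage check that flags a link whose screenname would exceed the limit.  The 244-byte buffer size, the query-string layout and all function names are assumptions made for illustration; the real AIM binary's buffer layout is not known from the post.

```c
/* Added example (not from the original post): unsafe vs. bounded
 * handling of the screenname= argument of an aim:goim link.  The
 * 244-byte limit is taken from the post's observation that EIP is
 * overwritten past the 244th character; it is an assumption here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCREENNAME_MAX 244                 /* assumed buffer size */
#define SCREENNAME_PARAM "screenname="

/* Return a pointer to the value of screenname= in the query string,
 * or NULL if the link carries no such parameter. */
static const char *find_screenname(const char *url)
{
    const char *q = strchr(url, '?');
    if (q == NULL)
        return NULL;
    q++;
    while (*q != '\0') {
        if (strncmp(q, SCREENNAME_PARAM, strlen(SCREENNAME_PARAM)) == 0)
            return q + strlen(SCREENNAME_PARAM);
        const char *amp = strchr(q, '&');
        if (amp == NULL)
            return NULL;
        q = amp + 1;
    }
    return NULL;
}

/* Length of a query value: up to the next '&' or the end of the string. */
static size_t screenname_value_len(const char *v)
{
    const char *amp = strchr(v, '&');
    return amp ? (size_t)(amp - v) : strlen(v);
}

/* Vulnerable pattern: the value is copied into a fixed stack buffer
 * without comparing its length to the buffer size.  A value of more
 * than SCREENNAME_MAX - 1 bytes overwrites whatever follows the buffer
 * on the stack (saved EBP, then the return address).  Never call this
 * with untrusted input; it is here only to show the defect. */
int handle_goim_unsafe(const char *url)
{
    char name[SCREENNAME_MAX];
    const char *v = find_screenname(url);
    if (v == NULL)
        return -1;
    size_t n = screenname_value_len(v);
    memcpy(name, v, n);            /* BUG: no check that n < sizeof name */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Hardened pattern: reject the value unless it and its terminator fit
 * in the caller's buffer.  Returns the copied length, -1 if the
 * parameter is absent, -2 if it is too long. */
int handle_goim_safe(const char *url, char *out, size_t outsz)
{
    const char *v = find_screenname(url);
    if (v == NULL)
        return -1;
    size_t n = screenname_value_len(v);
    if (n >= outsz)                /* need n + 1 bytes including NUL */
        return -2;
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* Triage check for links found in pages or mail: 1 if the screenname
 * value would not fit in a SCREENNAME_MAX-byte buffer, else 0. */
int goim_link_overflows(const char *url)
{
    const char *v = find_screenname(url);
    if (v == NULL)
        return 0;
    return screenname_value_len(v) >= SCREENNAME_MAX;
}

/* Build a constructed test link with n repeated 'A's, in the shape of
 * the post's example link.  Caller frees the result. */
char *make_goim_link(size_t n)
{
    static const char prefix[] = "aim:goim?screenname=";
    static const char suffix[] = "&message=EIP,+the+other+white+meat";
    char *s = malloc(sizeof prefix - 1 + n + sizeof suffix);
    if (s == NULL)
        return NULL;
    memcpy(s, prefix, sizeof prefix - 1);
    memset(s + sizeof prefix - 1, 'A', n);
    memcpy(s + sizeof prefix - 1 + n, suffix, sizeof suffix);  /* copies NUL */
    return s;
}

int main(void)
{
    char out[SCREENNAME_MAX];
    char *ok = make_goim_link(10);
    char *bad = make_goim_link(300);
    printf("short link: rc=%d name=%s\n",
           handle_goim_safe(ok, out, sizeof out), out);
    printf("long link:  rc=%d overflows=%d\n",
           handle_goim_safe(bad, out, sizeof out), goim_link_overflows(bad));
    free(ok);
    free(bad);
    return 0;
}
```

The bounded version is what a URL-protocol handler must do with every parameter it receives, because once the protocol is registered the argument string is chosen by whoever authored the page.  The triage check is the piece a mail or proxy filter could apply to "aim:" links while no vendor patch exists.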

[ Solution ]

I do not know of any way to fix this problem besides installing the
proper patch when it arrives.  Trying to disable the 'aim:' protocol by
removing the following registry keys/values:

  HKEY_CLASSES_ROOT\aim\(Default)
  HKEY_CLASSES_ROOT\aim\URL Protocol
  HKEY_CLASSES_ROOT\AIM.Protocol
  HKEY_CLASSES_ROOT\AIM.Protocol.1

... does not work because AIM will restore the keys and values upon
next execution.  Renaming 'aim.exe' does not work, nor does renaming
AIM's directory.  On top of that, just plain watching your status bar
before clicking each link doesn't work either, because a malicious
attacker could mask the suspicious link URL with elementary JavaScript
skills.

Any help with a temporary solution is greatly appreciated.

[ Vendor Status ]

America Online was notified a week and a half ago, but has not yet
patched their software.

----------------------

Greets to @Stake/L0pht and the cDc.

      - Joe Testa (jst3290 () cs rit edu)

