|
Brought to you by:
Suppliers of:
|
|
|
| |
| AOL Instant Messenger is "an instant messaging client developed by America Online". Remote exploitation of a buffer overflow vulnerability in America Online Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary code. |
| |
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
|
| |
Vulnerable Systems:
* AOL Instant Messenger version 5.5
The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler. A long message buffer will overwrite values stored on the stack and may be used to overwrite a Structured Exception Handler (SEH) pointer as shown below:
0012E634 45454545
0012E638 46464646
0012E63C 47474747
0012E640 484808EB Pointer to next SEH record
0012E644 41414141 SE handler
Control of the SEH pointer allows for eventual execution of arbitrary code.
Analysis:
Exploitation allows remote attackers to execute arbitrary code under the privileges of the user that instantiated the vulnerable version of AOL Instant Messenger. While AIM 5.5 and later has been compiled with Microsoft Visual Studio .NET 2003 and incorporates stack protection, iDEFENSE has confirmed that exploitation is still possible.
Workaround:
Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry:
HKEY_CLASSES_ROOT\aim
The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegDelete "HKCR\aim\"
Vendor Response:
iDEFENSE has been working with AOL since 07/12/2004 regarding this issue to allow the vendor time to implement a patch. However, on 08/09/2004 Secunia released an advisory as the same issue was discovered by another group of researchers. With the issue is now public; iDEFENSE is proceeding with public disclosure. AOL has provided the following statement:
"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows versions of AOL Instant Messenger (AIM). The impact of this vulnerability could potentially allow for an attacker to execute malicious code on Windows platforms. Exploit of this vulnerability requires that an AIM user click on a malicious URL supplied in an instant message or embedded in a web page.
Affected Products and Applications
AOL Instant Messenger (AIM) for Windows - All known versions
Vendor Recommendations
1. America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.
2. A workaround provided by iDEFENSE is available until users are able to upgrade to the new beta version.
Vendor Acknowledgments
Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to responsibly address this issue."
CVE Information:
CAN-2004-0636
Disclosure Timeline:
06/16/2004 Initial vendor contact
06/16/2004 iDEFENSE clients notified
07/07/2004 Secondary vendor contact
07/12/2004 Initial vendor response
08/09/2004 Coordinated public disclosure
|
|
|
|
|
