
| Subject: | [NT] AOL Instant Messenger aim:goaway URI Handler Buffer Overflow |
|---|---|
| Date: | 10 Aug 2004 17:22:20 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow
------------------------------------------------------------------------

SUMMARY

AOL Instant Messenger is "an instant messaging client developed by America Online". Remote exploitation of a buffer overflow vulnerability in America Online Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * AOL Instant Messenger version 5.5

The vulnerability exists because of insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler. A long message buffer overwrites values stored on the stack and can be used to overwrite a Structured Exception Handler (SEH) record, as shown below:

  0012E634  45454545
  0012E638  46464646
  0012E63C  47474747
  0012E640  484808EB  Pointer to next SEH record
  0012E644  41414141  SE handler

Control of the SEH record allows for eventual execution of arbitrary code. (Read as bytes in memory, the next-record value 484808EB is EB 08 48 48, a short jump over the handler slot, which is the usual layout of an SEH overwrite; the handler slot itself holds the attacker-controlled 41414141.)

Analysis:

Exploitation allows remote attackers to execute arbitrary code with the privileges of the user running the vulnerable version of AOL Instant Messenger. AIM 5.5 and later is compiled with Microsoft Visual Studio .NET 2003 and incorporates stack protection, but iDEFENSE has confirmed that exploitation is still possible: the stack cookie is only verified when the function returns, and an exception raised before that point is dispatched through the overwritten handler.
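The flaw described above is a fixed stack buffer filled from the message parameter of an aim:goaway URI without a length check. The following is an added example, not iDEFENSE's analysis code or AOL's source: a toy handler in C that mimics that pattern next to a bounds-checked version. The function names (parse_goaway, goaway_unsafe, goaway_checked, make_long_goaway), the MSG_MAX buffer size and the URI layout "aim:goaway?message=...&..." are assumptions for illustration; the real AIM handler's internals are not on the page.

```c
/* Added example (not iDEFENSE's or AOL's code). Names, buffer size and
 * query layout are assumptions; only the unchecked-copy pattern comes
 * from the advisory. Build: cc -std=c99 -Wall aim_goaway.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX 256 /* assumed size of the handler's stack buffer */

/* Locate the value of the "message" parameter in "aim:goaway?k=v&k=v".
 * On success *msg points into uri and *len is the value length (the value
 * is not NUL-terminated: it may end at '&'). Returns 0, or -1 if the URI
 * is not an aim:goaway URI or carries no message parameter. */
int parse_goaway(const char *uri, const char **msg, size_t *len)
{
    const char *q;
    if (strncmp(uri, "aim:goaway", 10) != 0 || uri[10] != '?')
        return -1;
    q = uri + 11;
    while (*q) {
        const char *end = strchr(q, '&');
        size_t plen = end ? (size_t)(end - q) : strlen(q);
        if (plen >= 8 && strncmp(q, "message=", 8) == 0) {
            *msg = q + 8;
            *len = plen - 8;
            return 0;
        }
        if (!end)
            break;
        q = end + 1;
    }
    return -1;
}

/* Vulnerable pattern: the message is copied into a fixed stack buffer
 * with no check of len against sizeof away. With a message longer than
 * MSG_MAX the copy runs past the buffer into saved frame data and, further
 * up the stack, the SEH record the advisory's dump shows. Only ever called
 * with short input in this example. Returns the copied length. */
int goaway_unsafe(const char *uri)
{
    char away[MSG_MAX];
    const char *msg;
    size_t len;
    if (parse_goaway(uri, &msg, &len) != 0)
        return -1;
    memcpy(away, msg, len); /* unchecked: len may exceed MSG_MAX */
    away[len] = '\0';
    return (int)strlen(away);
}

/* Hardened form: the caller supplies the destination and its size, and an
 * oversized message is rejected outright (-2) rather than silently
 * truncated, so the URI cannot drive the copy past the buffer. */
int goaway_checked(const char *uri, char *out, size_t outsz)
{
    const char *msg;
    size_t len;
    if (parse_goaway(uri, &msg, &len) != 0)
        return -1;
    if (len >= outsz) /* leave room for the terminator */
        return -2;
    memcpy(out, msg, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test input: "aim:goaway?message=" followed by n 'A' bytes,
 * the shape of the long message the advisory describes. Caller frees. */
char *make_long_goaway(size_t n)
{
    const char *prefix = "aim:goaway?message=";
    size_t pl = strlen(prefix);
    char *s = malloc(pl + n + 1);
    if (!s)
        return NULL;
    memcpy(s, prefix, pl);
    memset(s + pl, 'A', n);
    s[pl + n] = '\0';
    return s;
}

int main(void)
{
    char out[MSG_MAX];
    char *big = make_long_goaway(1000);
    printf("short message: %d\n", goaway_checked("aim:goaway?message=brb&x=1", out, sizeof out));
    printf("1000-byte message, checked handler: %d\n", big ? goaway_checked(big, out, sizeof out) : -99);
    /* goaway_unsafe(big) is deliberately not called: it would overflow. */
    free(big);
    return 0;
}
```

The fix is the single length comparison in goaway_checked; the stack cookie that AIM 5.5 already had does not replace it, because an overwritten SEH record is used before the function ever reaches its return-time cookie check.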
Workaround:

Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry:

  HKEY_CLASSES_ROOT\aim

The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:

  Set WshShell = CreateObject("WScript.Shell")
  WshShell.RegDelete "HKCR\aim\"

Note that removing the key unregisters the whole 'aim:' protocol handler, so all aim: links stop working, not only goaway ones.

Vendor Response:

iDEFENSE has been working with AOL since 07/12/2004 regarding this issue to allow the vendor time to implement a patch. However, on 08/09/2004 Secunia released an advisory, as the same issue was discovered by another group of researchers. With the issue now public, iDEFENSE is proceeding with public disclosure. AOL has provided the following statement:

"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows versions of AOL Instant Messenger (AIM). The impact of this vulnerability could potentially allow for an attacker to execute malicious code on Windows platforms. Exploit of this vulnerability requires that an AIM user click on a malicious URL supplied in an instant message or embedded in a web page.

Affected Products and Applications
AOL Instant Messenger (AIM) for Windows - All known versions

Vendor Recommendations
1. America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.
2. A workaround provided by iDEFENSE is available until users are able to upgrade to the new beta version.

Vendor Acknowledgments
Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to responsibly address this issue."
CVE Information:

<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0636> CAN-2004-0636

Disclosure Timeline:

 06/16/2004  Initial vendor contact
 06/16/2004  iDEFENSE clients notified
 07/07/2004  Secondary vendor contact
 07/12/2004  Initial vendor response
 08/09/2004  Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at: <http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities>

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com. In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.