[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FB24803D1DF2A34FA59FC157B77C97050313D391@idserv04.idef.com>
From: idlabs-advisories at idefense.com (idlabs-advisories@...fense.com)
Subject: iDEFENSE Security Advisory 08.09.04: AOL Instant Messenger
aim:goaway URI Handler Buffer Overflow Vulnerability
AOL Instant Messenger aim:goaway URI Handler Buffer Overflow
Vulnerability
iDEFENSE Security Advisory 08.09.04
www.idefense.com/application/poi/display?id=121&type=vulnerabilities
August 9, 2004
I. BACKGROUND
AOL Instant Messenger is an instant messaging client developed by
America Online.
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in America Online
Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary
code.
The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values passed to the 'goaway' function of the
AOL Instant Messenger 'aim:' URI handler. A long message buffer will
overwrite values stored on the stack and may be used to overwrite a
Structured Exception Handler (SEH) pointer as shown below:
0012E634 45454545
0012E638 46464646
0012E63C 47474747
0012E640 484808EB Pointer to next SEH record
0012E644 41414141 SE handler
Control of the SEH pointer allows for eventual execution of arbitrary
code.
III. ANALYSIS
Exploitation allows remote attackers to execute arbitrary code under the
privileges of the user that instantiated the vulnerable version of AOL
Instant Messenger. While AIM 5.5 and later has been compiled with
Microsoft Visual Studio .NET 2003 and incorporates stack protection,
iDEFENSE has confirmed that exploitation is still possible.
IV. DETECTION
iDEFENSE has confirmed that AOL Instant Messenger, version 5.5, is
vulnerable. Previous versions are also suspected as vulnerable.
V. WORKAROUND
Exploitation of 'aim:' URI handler vulnerabilities can be prevented by
removing the following key from the registry:
HKEY_CLASSES_ROOT\aim
The following script can be saved to a file with the .vbs extension and
executed to automate the task of removing the relevant URI handler:
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegDelete "HKCR\aim\"
VI. VENDOR RESPONSE
iDEFENSE has been working with AOL since 07/12/2004 regarding this issue
to allow the vendor time to implement a patch. However, on 08/09/2004 an
advisory was released by Secunia (http://secunia.com/advisories/12198/)
as the same issue was discovered by another group of researchers. With
the issue is now public, iDEFENSE is proceeding with public disclosure.
AOL has provided the following statement:
"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows
versions of AOL Instant Messenger (AIM). The impact of this
vulnerability could potentially allow for an attacker to execute
malicious code on Windows platforms. Exploit of this vulnerability
requires that an AIM user click on a malicious URL supplied in an
instant message or embedded in a web page.
Affected Products and Applications
AOL Instant Messenger (AIM) for Windows - All known versions
Vendor Recommendations
1. America Online, Inc. recommends that Windows users of AIM upgrade to
the latest beta version to be released on August 9, 2004. This new
version of AIM addresses the vulnerability described herein and can be
obtained via the AOL Instant Messenger portal, www.aim.com.
2. A workaround provided by iDEFENSE is available until users are able
to upgrade to the new beta version.
Vendor Acknowledgments
Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to
responsibly address this issue."
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0636 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/16/2004 Initial vendor contact
06/16/2004 iDEFENSE clients notified
07/07/2004 Secondary vendor contact
07/12/2004 Initial vendor response
08/09/2004 Coordinated public disclosure
IX. CREDIT
Matt Murphy is credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@...fense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Powered by blists - more mailing lists