Message-ID: <FB24803D1DF2A34FA59FC157B77C97050313D391@idserv04.idef.com>
From: idlabs-advisories at idefense.com (idlabs-advisories@...fense.com)
Subject: iDEFENSE Security Advisory 08.09.04: AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 08.09.04
www.idefense.com/application/poi/display?id=121&type=vulnerabilities
August 9, 2004

I. BACKGROUND

AOL Instant Messenger is an instant messaging client developed by
America Online.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in America Online
Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary
code.

The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values passed to the 'goaway' function of the
AOL Instant Messenger 'aim:' URI handler. An overlong message value
overwrites data stored on the stack, including a Structured Exception
Handler (SEH) record, as shown in the following stack dump:

0012E634 45454545
0012E638 46464646
0012E63C 47474747
0012E640 484808EB Pointer to next SEH record
0012E644 41414141 SE handler

Both fields of the SEH record are attacker-controlled here: the handler
pointer has been replaced with 41414141, and the 'next record' slot holds
the bytes EB 08 48 48, whose first two bytes decode to a short forward
jump (jmp +8) over the handler address. Once the overflow raises an
exception, the overwritten handler is invoked and execution can be
steered back into attacker-supplied bytes on the stack. Control of the
SEH pointer therefore allows for eventual execution of arbitrary code.
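As an added illustration (not code from the advisory, and not AIM's own
handler, whose internals the advisory does not show), the following C
program contrasts the unbounded copy that the description above implies
with a bounded replacement that refuses an oversized message. The URI
layout 'aim:goaway?message=...', the parameter name 'message', and the
256-byte buffer size are assumptions made for the example.

```c
/* Added example: a minimal aim:goaway URI handler showing the unbounded
 * copy the advisory describes next to a bounded replacement.  Illustration
 * only, not AIM's code; the "message" parameter name and the 256-byte
 * buffer are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256  /* assumed size of the handler's stack buffer */

/* Return a pointer to the value of "message=" in an aim:goaway URI, or
 * NULL if the URI is not aim:goaway or carries no message parameter. */
static const char *goaway_message(const char *uri)
{
    static const char prefix[] = "aim:goaway?";
    if (strncmp(uri, prefix, sizeof prefix - 1) != 0)
        return NULL;
    const char *p = uri + sizeof prefix - 1;
    while (*p != '\0') {
        if (strncmp(p, "message=", 8) == 0)
            return p + 8;
        p = strchr(p, '&');          /* skip to the next parameter */
        if (p == NULL)
            return NULL;
        p++;
    }
    return NULL;
}

/* The pattern behind the advisory: the attacker-controlled value is copied
 * into a fixed-size stack buffer with no length check.  A message of
 * MSG_MAX bytes or more overruns msg[] and whatever sits above it, which
 * on a 32-bit Windows stack includes the SEH record.  Returns the message
 * length, or -1 for a malformed URI. */
int goaway_unsafe(const char *uri)
{
    char msg[MSG_MAX];
    const char *m = goaway_message(uri);
    if (m == NULL)
        return -1;
    strcpy(msg, m);                  /* no bounds check: the bug */
    return (int)strlen(msg);
}

/* Bounded replacement: measure the value first and refuse anything that
 * does not fit with its terminator.  Returns the message length on
 * success, -1 for a malformed URI, -2 when the message is too long. */
int goaway_safe(const char *uri, char *out, size_t outlen)
{
    const char *m = goaway_message(uri);
    if (m == NULL)
        return -1;
    size_t n = strcspn(m, "&");      /* value ends at the next parameter */
    if (n >= outlen)
        return -2;
    memcpy(out, m, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: parse into a MSG_MAX-byte buffer and report the
 * result code of goaway_safe. */
int goaway_safe_len(const char *uri)
{
    char buf[MSG_MAX];
    return goaway_safe(uri, buf, sizeof buf);
}

/* Build a constructed aim:goaway URI whose message is n bytes of 'A',
 * standing in for the "long message buffer" of the advisory.  Returns a
 * pointer to a static buffer; n is clamped to what fits. */
const char *make_goaway_uri(size_t n)
{
    static char uri[2048];
    static const char head[] = "aim:goaway?message=";
    size_t headlen = sizeof head - 1;
    if (n > sizeof uri - headlen - 1)
        n = sizeof uri - headlen - 1;
    memcpy(uri, head, headlen);
    memset(uri + headlen, 'A', n);
    uri[headlen + n] = '\0';
    return uri;
}

int main(void)
{
    printf("short message:      %d\n",
           goaway_safe_len("aim:goaway?message=back+in+5&x=1"));
    printf("1000-byte message:  %d\n", goaway_safe_len(make_goaway_uri(1000)));
    printf("not aim:goaway:     %d\n", goaway_safe_len("aim:goim?screenname=someone"));
    /* goaway_unsafe(make_goaway_uri(1000)) would smash the stack and is
     * deliberately not called; with a short message it behaves normally. */
    printf("unsafe, short:      %d\n", goaway_unsafe(make_goaway_uri(10)));
    return 0;
}
```

The fix is the order of operations, not the buffer size: the length is
established (strcspn) and compared against the destination before any
byte is written, so a 1000-byte message is rejected with -2 instead of
reaching the stack.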

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code with the
privileges of the user running the vulnerable version of AOL Instant
Messenger. Although AIM 5.5 and later is compiled with Microsoft Visual
Studio .NET 2003 and incorporates its stack protection (/GS cookies),
iDEFENSE has confirmed that exploitation is still possible: the cookie is
verified only when the function returns, whereas an overwritten SEH
record is dispatched as soon as the overflow raises an exception, before
that check ever runs.

IV. DETECTION

iDEFENSE has confirmed that AOL Instant Messenger version 5.5 is
vulnerable. Earlier versions are also suspected to be vulnerable.

V. WORKAROUND

Exploitation of 'aim:' URI handler vulnerabilities can be prevented by
removing the following key from the registry, which registers AIM as the
handler for the 'aim:' URI scheme:

HKEY_CLASSES_ROOT\aim

Note that this disables every 'aim:' link, not only 'aim:goaway', until
the key is restored. The following script can be saved to a file with the
.vbs extension and executed to automate the removal:

' Delete the aim: URI handler registration. The trailing backslash tells
' RegDelete to remove the key itself rather than a value beneath it.
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegDelete "HKCR\aim\"

VI. VENDOR RESPONSE

iDEFENSE has been working with AOL since 07/12/2004 (the date of AOL's
initial response; see the timeline below) to allow the vendor time to
implement a patch. However, on 08/09/2004 an advisory was released by
Secunia (http://secunia.com/advisories/12198/), as the same issue was
discovered by another group of researchers. With the issue now public,
iDEFENSE is proceeding with public disclosure. AOL has provided the
following statement:

"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows
versions of AOL Instant Messenger (AIM).  The impact of this
vulnerability could potentially allow for an attacker to execute 
malicious code on Windows platforms.  Exploit of this vulnerability
requires that an AIM user click on a malicious URL supplied in an
instant message or embedded in a web page.

Affected Products and Applications

AOL Instant Messenger (AIM) for Windows - All known versions

Vendor Recommendations

1. America Online, Inc. recommends that Windows users of AIM upgrade to
the latest beta version to be released on August 9, 2004. This new
version of AIM addresses the vulnerability described herein and can be
obtained via the AOL Instant Messenger portal, www.aim.com.

2. A workaround provided by iDEFENSE is available until users are able
to upgrade to the new beta version.

Vendor Acknowledgments

Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to
responsibly address this issue."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0636 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/16/2004   Initial vendor contact
06/16/2004   iDEFENSE clients notified
07/07/2004   Secondary vendor contact
07/12/2004   Initial vendor response
08/09/2004   Coordinated public disclosure

IX. CREDIT

Matt Murphy is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@...fense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

