[NT] AIM Remote File Execution Vulnerability
From: support@securiteam.com
Date: 10/26/02
From: support@securiteam.com To: list@securiteam.com Date: 26 Oct 2002 17:58:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
AIM Remote File Execution Vulnerability
------------------------------------------------------------------------
SUMMARY
AOL Instant Messenger has been found to contain a vulnerability that will
allow a remote attacker to cause it to run programs when a user clicks on a
not-so-specially crafted hypertext link.
DETAILS
Vulnerable systems:
* AOL Instant Messenger 4.8.2790
Immune systems:
* AOL Instant Messenger 4.7.2480
* AOL Instant Messenger 5.0.2938
When a malicious user sends a link pointing to an executable file and a
victim clicks on said link, the file will be executed without any warning
prompts. The URL simply points to the filename. However, certain
characters, including spaces, are not allowed. The attacker is therefore
limited to running files on the same partition as the current directory
and/or system folders. Since an attacker doesn't know the current
directory, they are likely to begin the URL with a few "../../../../" to
get to the root of the partition.
Spaces cannot be entered; however, this can be worked around by using DOS
short filenames, e.g. "program files" becomes "progra~1". Here are a few
examples:
<a href = "notepad.exe">hi</a>
<a href ="../../../../progra~1/trojan/trojan.exe">www.google.com</a>
<a href ="../../../../you/get/the/point/exampl~1.exe">blah</a>
All of these examples would run the program specified if the victim were
to click on them.
Solution:
Upgrade or downgrade to any version of AIM other than 4.8.2790. Always
check hyperlink URLs before clicking on them.
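One way a client or message gateway could apply this check mechanically, as an added example that is not part of the original advisory: it accepts only links with an explicit http/https scheme and reports the traits seen in the advisory's sample hrefs. The function and class names, the reason labels and the web-links-only policy are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https"}  # assumption: IM links should be web links only
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
PATH_CHECKS = [  # traits of the hrefs shown in the advisory
    ("directory-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("dos-short-name", re.compile(r"~\d")),  # e.g. progra~1
    ("executable-extension", re.compile(r"\.(exe|com|bat|cmd|pif|scr)$", re.I)),
]
WEB_LOOKING_TEXT = re.compile(r"^(https?://|www\.)", re.I)

class LinkCollector(HTMLParser):
    """Collect [href, visible text] per <a href>, even if the tag is never closed."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None:
            self.links.append([href.strip(), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def audit_links(message_html):
    """Return {href: [reasons]}; an empty list means an ordinary web link."""
    collector = LinkCollector()
    collector.feed(message_html)
    collector.close()
    report = {}
    for href, text in collector.links:
        m = SCHEME.match(href)
        reasons = []
        if not (m and m.group(1).lower() in ALLOWED_SCHEMES):
            reasons = ["not-a-web-link"] + [n for n, rx in PATH_CHECKS if rx.search(href)]
            if WEB_LOOKING_TEXT.match(text.strip()):
                reasons.append("text-mimics-web-address")
        report[href] = reasons
    return report

# Constructed sample: the advisory's three links plus one ordinary web link.
SAMPLE = ('<a href = "notepad.exe">hi</a>'
          '<a href ="../../../../progra~1/trojan/trojan.exe">www.google.com</a>'
          '<a href ="../../../../you/get/the/point/exampl~1.exe">blah</a>'
          '<a href="http://www.securiteam.com">SecuriTeam</a>')
```

Calling `audit_links(SAMPLE)` flags all three advisory links and leaves the web link with an empty reason list; the second link additionally gets `text-mimics-web-address` because its visible text reads as a web address.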
ADDITIONAL INFORMATION
The information has been provided by Blud Clot
(bludclot@hellokitty.com).