[NT] AOL Instant Messenger aim:goaway URI Handler Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/04

  • Next message: SecuriTeam: "[EXPL] Ollydbg Format String Bug Exploit Code"
    To: list@securiteam.com
    Date: 10 Aug 2004 17:22:20 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      AOL Instant Messenger aim:goaway URI Handler Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    AOL Instant Messenger is "an instant messaging client developed by America
    Online". Remote exploitation of a buffer overflow vulnerability in America
    Online Inc.'s Instant Messenger (AIM) can allow attackers to execute
    arbitrary code.

    DETAILS

    Vulnerable Systems:
     * AOL Instant Messenger version 5.5

    The vulnerability exists because of insufficient bounds checking on the
    user-supplied message passed to the 'goaway' function of the AOL Instant
    Messenger 'aim:' URI handler. An overlong message overwrites values saved
    on the stack, including a Structured Exception Handler (SEH) registration
    record, as in the following stack dump (addresses on the left, 32-bit
    words on the right):

    0012E634 45454545
    0012E638 46464646
    0012E63C 47474747
    0012E640 484808EB Pointer to next SEH record
    0012E644 41414141 SE handler

    The filler words 45454545, 46464646 and 47474747 are the ASCII letters
    'E', 'F' and 'G'; the next-SEH word 484808EB is stored little-endian, so
    in memory it is the byte sequence EB 08 48 48: a two-byte short jump
    (EB 08) over the handler field, followed by two bytes of 'H' filler. The
    handler word 41414141 is entirely attacker-supplied. Once the oversized
    copy faults, Windows walks the SEH chain and calls the overwritten
    handler, which allows for eventual execution of arbitrary code.

    Analysis:
    Exploitation allows remote attackers to execute arbitrary code with the
    privileges of the user running the vulnerable version of AOL Instant
    Messenger. AIM 5.5 and later are compiled with Microsoft Visual Studio
    .NET 2003 and incorporate stack protection (the /GS cookie), but that
    cookie is only verified in the function epilogue, when the overflowing
    function returns normally. An overflow long enough to run into unmapped
    stack raises an exception first, and the exception dispatcher calls the
    overwritten handler before any cookie check runs. iDEFENSE has confirmed
    that exploitation is still possible.
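    The mechanism described in the two paragraphs above, as an added C model
    (this is not AIM's code and not the iDEFENSE proof of concept). It builds
    a message laid out exactly as the dump shows (filler words 45/46/47, the
    bytes EB 08 48 48 in the next-SEH slot, a handler word of 41414141),
    copies it into a simulated x86 frame without a bounds check, and shows
    why a /GS cookie does not help: the copy runs off the end of the stack
    region and faults first, so the overwritten handler is dispatched and the
    epilogue's cookie check never runs. The 16-byte buffer, the frame layout,
    the 64-byte stack region and the `aim:goaway?message=` syntax are
    assumptions chosen for illustration; the checked parser at the end is the
    missing bounds check, not AOL's actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (added example, not AIM's code or the iDEFENSE proof of
 * concept). Buffer size, frame layout and the "aim:goaway?message=" syntax
 * are assumptions chosen so the result matches the advisory's stack dump. */

#define MSG_MAX    16   /* assumed size of the handler's local message buffer */
#define STACK_SIZE 64   /* simulated writable stack; a write past it "faults" */

/* Offsets in the simulated x86 frame, low addresses first: the local buffer,
 * the /GS cookie, saved EBP, the return address, and finally a caller's
 * EXCEPTION_REGISTRATION record (next pointer, handler) at higher addresses. */
enum {
    OFF_BUF    = 0,
    OFF_COOKIE = OFF_BUF + MSG_MAX,
    OFF_EBP    = OFF_COOKIE + 4,
    OFF_RET    = OFF_EBP + 4,
    OFF_NSEH   = OFF_RET + 4,   /* 28: "Pointer to next SEH record" */
    OFF_SEH    = OFF_NSEH + 4   /* 32: "SE handler" */
};

enum outcome { RETURNED_OK = 0, COOKIE_FAILED = 1, SEH_DISPATCHED = 2 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unchecked handler: copies until the NUL terminator. A copy that runs
 * off the end of the stack region faults; Windows then walks the SEH chain,
 * so the overwritten handler runs before the epilogue's cookie check. */
static enum outcome goaway_unchecked(const char *message, uint32_t *handler_out) {
    uint8_t stack[STACK_SIZE];
    const uint32_t cookie = 0xC0DEC0DEu;
    size_t i;

    memset(stack, 0, sizeof stack);
    wr32(stack + OFF_COOKIE, cookie);
    wr32(stack + OFF_SEH, 0x77E00000u);   /* assumed: the legitimate handler */

    for (i = 0; message[i] != '\0'; i++) {
        if (OFF_BUF + i >= STACK_SIZE) {
            *handler_out = rd32(stack + OFF_SEH);   /* what the dispatcher calls */
            return SEH_DISPATCHED;
        }
        stack[OFF_BUF + i] = (uint8_t)message[i];
    }
    *handler_out = 0;
    return rd32(stack + OFF_COOKIE) == cookie ? RETURNED_OK : COOKIE_FAILED;
}

/* Build a message laid out like the dump: 4-byte filler words ('E','F','G')
 * up to the record, EB 08 ("jmp short +8", over the handler field) plus two
 * 'H' pad bytes in the next-SEH slot, the handler address, then more filler
 * so the copy keeps going until it faults. Handler bytes must be non-zero or
 * a strcpy-style copy would stop early. Returns the message length. */
static size_t build_goaway_message(char *out, size_t cap, uint32_t handler) {
    size_t i;
    if (cap <= OFF_SEH + 4) return 0;
    for (i = 0; i < 4; i++)
        if (((handler >> (8 * i)) & 0xFFu) == 0) return 0;
    for (i = 0; i < cap - 1; i++)
        out[i] = (char)('A' + (i / 4) % 26);
    out[OFF_NSEH]     = (char)0xEB;
    out[OFF_NSEH + 1] = 0x08;
    wr32((uint8_t *)out + OFF_SEH, handler);
    out[cap - 1] = '\0';
    return cap - 1;
}

/* Decode a dump word such as 484808EB: little-endian, so the first byte in
 * memory is EB. Returns the jump target relative to the record start (the
 * 2-byte instruction plus its signed displacement), or -1 if not a jmp short. */
static int short_jump_target(uint32_t nseh_word) {
    uint8_t opcode = (uint8_t)(nseh_word & 0xFFu);
    int8_t disp = (int8_t)((nseh_word >> 8) & 0xFFu);
    return opcode == 0xEB ? 2 + disp : -1;
}

/* The check the handler lacked: parse the URI and refuse a message that does
 * not fit in the buffer with its terminator. Rejecting is safer than silent
 * truncation. Percent-decoding is omitted in this model. */
static int goaway_checked(const char *uri, char *out, size_t out_cap) {
    static const char prefix[] = "aim:goaway?message=";
    const char *msg;
    size_t len;
    if (strncmp(uri, prefix, sizeof prefix - 1) != 0) return -1;
    msg = uri + (sizeof prefix - 1);
    len = strlen(msg);
    if (len >= out_cap) return -1;
    memcpy(out, msg, len + 1);
    return (int)len;
}

int main(void) {
    char msg[128], uri[160], buf[MSG_MAX];
    uint32_t handler = 0, nseh;
    build_goaway_message(msg, sizeof msg, 0x41414141u);
    nseh = rd32((uint8_t *)msg + OFF_NSEH);
    printf("next SEH word: %08X (jmp short lands at record+%d)\n", nseh, short_jump_target(nseh));
    printf("unchecked: outcome %d, handler %08X\n", goaway_unchecked(msg, &handler), handler);
    snprintf(uri, sizeof uri, "aim:goaway?message=%s", msg);
    printf("checked, long message: %d (negative means rejected)\n", goaway_checked(uri, buf, sizeof buf));
    printf("checked, short message: %d\n", goaway_checked("aim:goaway?message=brb", buf, sizeof buf));
    return 0;
}
```

    A 40-byte message in this model overwrites the cookie, return address and
    SEH record but returns normally, so the cookie check does catch it; only a
    message long enough to fault reaches the handler. In a real SEH exploit
    the handler word points at a pop/pop/ret sequence in a module without
    SafeSEH, which returns into the next-SEH slot, and that is why that slot
    holds a short jump rather than a pointer.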

    Workaround:
    Exploitation of 'aim:' URI handler vulnerabilities can be prevented by
    removing the following key from the registry (this disables every 'aim:'
    link, not only 'goaway', until AIM re-registers the handler):
    HKEY_CLASSES_ROOT\aim

    The following script can be saved to a file with the .vbs extension and
    executed, by a user with write access to HKEY_CLASSES_ROOT, to automate
    the task of removing the relevant URI handler:
    Set WshShell = CreateObject("WScript.Shell")
    ' RegDelete removes a key only if it has no subkeys; if it reports an
    ' error, delete the subkeys under HKCR\aim first (e.g. in regedit) and rerun.
    WshShell.RegDelete "HKCR\aim\"

    Vendor Response:
    iDEFENSE has been working with AOL since 07/12/2004 regarding this issue
    to allow the vendor time to implement a patch. However, on 08/09/2004
    Secunia released an advisory, as the same issue was discovered by another
    group of researchers. With the issue now public, iDEFENSE is proceeding
    with public disclosure. AOL has provided the following statement:

    "iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows
    versions of AOL Instant Messenger (AIM). The impact of this vulnerability
    could potentially allow for an attacker to execute malicious code on
    Windows platforms. Exploit of this vulnerability requires that an AIM user
    click on a malicious URL supplied in an instant message or embedded in a
    web page.

    Affected Products and Applications
    AOL Instant Messenger (AIM) for Windows - All known versions

    Vendor Recommendations
    1. America Online, Inc. recommends that Windows users of AIM upgrade to
    the latest beta version to be released on August 9, 2004. This new version
    of AIM addresses the vulnerability described herein and can be obtained
    via the AOL Instant Messenger portal, www.aim.com.

    2. A workaround provided by iDEFENSE is available until users are able to
    upgrade to the new beta version.

    Vendor Acknowledgments

    Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to
    responsibly address this issue."

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0636>
    CAN-2004-0636

    Disclosure Timeline:
    06/16/2004 Initial vendor contact
    06/16/2004 iDEFENSE clients notified
    07/07/2004 Secondary vendor contact
    07/12/2004 Initial vendor response
    08/09/2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

