SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat)  >  AOL Instant Messenger
Vendors:  America Online, Inc.
AOL Instant Messenger (AIM) Heap Overflow May Let Remote Users Crash a Target User's AIM Client When the Target User Clicks on a URL
SecurityTracker Alert ID:  1005131
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 24 2002
Impact:  Denial of service via network
Version(s): 4.8.2616 and prior versions
Description:  A heap overflow vulnerability was reported in AOL Instant Messenger (AIM). A remote user can cause the AIM client to crash.

Symantec (SecurityFocus) previously reported a heap overflow vulnerability in AOL Instant Messenger (AIM). According to the report, a remote user can cause a target user's AIM Windows client to crash by sending them a specially crafted URL. A remote user can apparently create a URL with 344 characters (such as space characters, which get converted to %20 by the client).

In this message, it is reported that the heap overflow resides in the "goim" handler and can be triggered via the "screenname" query string parameter. The vulnerability can reportedly be triggered when the target AIM user clicks "Get Info" to request information on the buddy.

In a posting to their web site, SecurityFocus/Symantec credited <p0pt4rtz @ hotmail.com> with reporting the flaw, but they did not indicate that the original message is publicly available.
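
Because each space is converted to %20, an escaped "screenname" can be three times as long as the input: 344 spaces become 1032 bytes. The C sketch below is an added example, not AIM's code or code from the report; it checks the escaped length against the destination before writing anything. The function names and the 512-byte destination are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || (c && strchr("-._~", c) != NULL);
}

/* Length of `in` after escaping, excluding the NUL. Unreserved characters
 * stay 1 byte; every other byte (a space included) grows to 3 ("%XX"). */
size_t escaped_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += is_unreserved((unsigned char)*in) ? 1 : 3;
    return n;
}

/* Escape `in` into `out` (capacity `outsz`, NUL included). Returns the escaped
 * length, or -1 with `out` untouched when the expanded string does not fit. */
long escape_screenname(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outsz == 0 || escaped_len(in) > outsz - 1)
        return -1;                  /* check the escaped size, not strlen(in) */
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (is_unreserved(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char in[345] = {0}, out[512];   /* constructed input; 512 is an assumed size */
    memset(in, ' ', 344);
    printf("raw=%zu escaped=%zu result=%ld\n",
           strlen(in), escaped_len(in), escape_screenname(in, out, sizeof out));
    return 0;
}
```
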

Impact:  A remote user may cause a target user's AIM client to crash when the target user takes action and clicks on a link.
Solution:  No solution was available at the time of this entry.
Vendor URL:  aim.aol.com/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 23 Aug 2002 19:35:57 -0500
From:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject:  AOL Instant Messenger Heap Overflow

 

The previously reported AOL Instant Messenger heap overflow is restricted to
the "goim" handler.  The unchecked escaping is performed on the "screenname"
query string parameter.  The vulnerability is exploited when the user clicks
"Get Info" to request information on the buddy.

AIM dies with an access violation when trying to execute 0x656C6261.  As
there is nothing stored there, AIM faults and dies:

 EAX = 000000A0 EBX = 00000000 ECX = 00000003 EDX = 00A00000 ESI = 00C90A00 EDI = 010B3E90
 EIP = 656C6261 ESP = 0063F42C EBP = 6C696176 EFL = 00010206 CS = 017F DS = 0187 ES = 0187
 SS = 0187 FS = 2FAF GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
 ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000
 ST2 = +0.00000000000000000e+0000 ST3 = +0.00000000000000000e+0000
 ST4 = +0.00000000000000000e+0000 ST5 = +1.95075000000000000e+0005
 ST6 = +4.30449203000000000e+0008 ST7 = +1.00000000000000000e+0000 CTRL = 027F STAT = 4020
 TAGS = FFFF EIP = 70CC8ECD CS = 017F DS = 0187 EDO = 70CC8E48

This vulnerability is really not a serious one, given the high level of user
interaction required for successful exploitation.  I tried to "spray" data
on the heap to overwrite other structures, but this proved useless.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

 



Copyright 2002, SecurityGlobal.net LLC