SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   AOL Instant Messenger Vendors:   America Online, Inc.
AOL Instant Messenger (AIM) Heap Overflow May Let Remote Users Crash a Target User's AIM Client When the Target User Clicks on a URL
SecurityTracker Alert ID:  1005131
SecurityTracker URL:  http://securitytracker.com/id/1005131
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 24 2002
Impact:   Denial of service via network

Version(s): 4.8.2616 and prior versions
Description:   A heap overflow vulnerability was reported in AOL Instant Messenger (AIM). A remote user can cause the AIM client to crash.

Symantec (SecurityFocus) previously reported a heap overflow vulnerability in AOL Instant Messenger (AIM). According to the report, a remote user can cause a target user's AIM Windows client to crash by sending them a specially crafted URL. A remote user can apparently create a URL with 344 characters (such as space characters, which get converted to %20 by the client.

In this message, it is reported that the heap overflow resides in the "goim" handler and can be triggered via the "screenname" query string parameter. The vulnerability can reportedly be triggered when the target AIM clicks "Get Info" to request information on the buddy.

In a posting to their web site, SecurityFocus/Symantec credited <p0pt4rtz @ hotmail.com> with reporting the flaw, but they did not indicate that the original message is publicly available.

Impact:   A remote user may cause a target user's AIM client to crash when the target user takes action and clicks on a link.
Solution:   No solution was available at the time of this entry.
Vendor URL:  aim.aol.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  AOL Instant Messenger Heap Overflow


The previously reported AOL Instant Messenger heap overflow is restricted to
the "goim" handler.  The unchecked escaping is performed on the "screenname"
query string parameter.  The vulnerability is exploited when the user clicks
"Get Info" to request information on the buddy.

AIM dies with an access violation when trying to execute 0x656C6261.  As
there is nothing stored there, AIM faults and dies:

 EAX = 000000A0 EBX = 00000000 ECX = 00000003 EDX = 00A00000 ESI = 00C90A00
EDI = 010B3E90
 EIP = 656C6261 ESP = 0063F42C EBP = 6C696176 EFL = 00010206 CS = 017F DS =
0187 ES = 0187
 SS = 0187 FS = 2FAF GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
 ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000
 ST2 = +0.00000000000000000e+0000 ST3 = +0.00000000000000000e+0000
 ST4 = +0.00000000000000000e+0000 ST5 = +1.95075000000000000e+0005
 ST6 = +4.30449203000000000e+0008 ST7 = +1.00000000000000000e+0000 CTRL =
027F STAT = 4020
 TAGS = FFFF EIP = 70CC8ECD CS = 017F DS = 0187 EDO = 70CC8E48

This vulnerability is really not a serious one, given the high level of user
interaction required for successful exploitation.  I tried to "spray" data
on the heap to overwrite other structures, but this proved useless.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC