// back

AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability

08.09.04

BACKGROUND

AOL Instant Messenger is an instant messaging client developed by
America Online.

DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in America Online
Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary
code.

The vulnerability specifically exists due to insufficient bounds
checking on user-supplied values passed to the 'goaway' function of the
AOL Instant Messenger 'aim:' URI handler. A long message buffer will
overwrite values stored on the stack and may be used to overwrite a
Structured Exception Handler (SEH) pointer as shown below:

0012E634 45454545
0012E638 46464646
0012E63C 47474747
0012E640 484808EB Pointer to next SEH record
0012E644 41414141 SE handler

Control of the SEH pointer allows for eventual execution of arbitrary
code.

ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under the
privileges of the user that instantiated the vulnerable version of AOL
Instant Messenger. While AIM 5.5 and later has been compiled with
Microsoft Visual Studio .NET 2003 and incorporates stack protection,
iDEFENSE has confirmed that exploitation is still possible.

DETECTION

iDEFENSE has confirmed that AOL Instant Messenger, version 5.5, is
vulnerable. Previous versions are also suspected as vulnerable.

WORKAROUND

Exploitation of 'aim:' URI handler vulnerabilities can be prevented by
removing the following key from the registry:

HKEY_CLASSES_ROOTaim

The following script can be saved to a file with the .vbs extension and
executed to automate the task of removing the relevant URI handler:

Set WshShell = CreateObject("WScript.Shell")
WshShell.RegDelete "HKCRaim"

The AIM client will restore the HKEY_CLASSES_ROOTaim registry keys
upon initial execution provided that the user starting the application has
the appropriate registry permissions. In such cases, the workaround is
effective for only one session and must be re-applied upon the start of
a new session.

VENDOR RESPONSE

iDEFENSE has been working with AOL since 07/12/2004 regarding this issue
to allow the vendor time to implement a patch. However, on 08/09/2004 an
advisory was released by Secunia (http://secunia.com/advisories/12198/)
as the same issue was discovered by another group of researchers. With
the issue is now public, iDEFENSE is proceeding with public disclosure.
AOL has provided the following statement:

"iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows
versions of AOL Instant Messenger (AIM).  The impact of this
vulnerability could potentially allow for an attacker to execute
malicious code on Windows platforms.  Exploit of this vulnerability
requires that an AIM user click on a malicious URL supplied in an
instant message or embedded in a web page.

Affected Products and Applications

AOL Instant Messenger (AIM) for Windows - All known versions

Vendor Recommendations

1. America Online, Inc. recommends that Windows users of AIM upgrade to
the latest beta version to be released on August 9, 2004. This new
version of AIM addresses the vulnerability described herein and can be
obtained via the AOL Instant Messenger portal, www.aim.com.

2. A workaround provided by iDEFENSE is available until users are able
to upgrade to the new beta version.

3. The code fixes to AIM 5.5 to resolve the recent URL:goaway vulnerability
will be included in the next release of International versions due August 25.

Vendor Acknowledgments

Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to
responsibly address this issue."

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0636 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

06/16/2004    Initial vendor contact
06/16/2004    iDEFENSE clients notified
07/07/2004    Secondary vendor contact
07/12/2004    Initial vendor response
08/09/2004    Coordinated public disclosure

CREDIT

Matt Murphy is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.