AOL Instant Messenger Leaves Users Vulnerable to Remote Attack
AOL Instant Messenger has multiple vulnerabilities that leave systems open to attack.
December 11, 2000
Reported December 12, 2000 by @Stake

VERSIONS AFFECTED

DESCRIPTION

A vulnerability has been identified in AOL Instant Messenger that lets a malicious attacker take over a remote machine. It is important to note that AOL Instant Messenger does not need to be enabled, only installed. An attacker can also exploit the vulnerability through a malicious email or malicious Web sites, launching arbitrary commands.

When users install Instant Messenger, the software registers the URL protocol "aim:" as a hook into its executable. This registration lets users publish their AOL screen name on a Web page, and viewers can then add each user's AOL screen name quickly and easily to a contact list, send an instant message, or perform other functions built into AOL Instant Messenger.

DEMONSTRATION

Multiple vulnerabilities have been identified, letting malicious users easily attack and take over target computers. One such overflow can be demonstrated by typing the following (provided by @Stake):

    aim:goim?=+-restart

Another vulnerability can be demonstrated by typing the following (provided by @Stake):

    aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localhost/AAA (x 3000 characters)

VENDOR RESPONSE

The vendor has been contacted and has released an upgraded version 4.3.2229 dated 12/6/2000.

CREDIT

Discovered by @Stake
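An added example, not part of the @Stake advisory or of AOL's code: a Python filter that a mail or Web gateway could run over message or page content to flag "aim:" URIs with an oversized parameter value or an empty parameter name, the two shapes seen in the demonstration strings. The 256-character limit, the function names and the sample input are assumptions constructed for illustration.

```python
import html
import re

# Assumed upper bound for one parameter value; tune for your environment.
MAX_VALUE_LEN = 256

# An aim: URI runs until whitespace or a quote/angle-bracket delimiter.
# The lookbehind avoids matching inside words such as "claim:".
AIM_URI = re.compile(r"(?<![A-Za-z0-9])aim:[^\s\"'<>]+", re.IGNORECASE)


def parse_aim_uri(uri):
    """Split 'aim:function?k=v&...' into (function, [(key, value), ...])."""
    function, _, query = uri[4:].partition("?")
    pairs = []
    for field in query.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((key, value))
    return function.lower(), pairs


def scan(text, max_value_len=MAX_VALUE_LEN):
    """Return one finding per aim: URI that looks malformed or oversized."""
    findings = []
    # Undo HTML entity escaping (&amp; etc.) so parameters split correctly.
    for match in AIM_URI.finditer(html.unescape(text)):
        function, pairs = parse_aim_uri(match.group(0))
        reasons = []
        for key, value in pairs:
            if len(value) > max_value_len:
                reasons.append(f"{key or '<empty>'}: value is {len(value)} chars")
            if key == "":
                reasons.append("parameter with empty name")
        if reasons:
            findings.append({"function": function, "reasons": reasons})
    return findings


# Constructed sample: one ordinary link, then the two shapes from the advisory.
SAMPLE = (
    '<a href="aim:goim?screenname=abob&amp;message=hello">chat</a>\n'
    '<a href="aim:buddyicon?screenname=abob&amp;groupname=asdf&amp;Src='
    'http://localhost/' + "A" * 3000 + '">icon</a>\n'
    '<img src="aim:goim?=+-restart">\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["function"], "->", "; ".join(finding["reasons"]))
```

A hit is a reason to strip or quarantine the link before it reaches a client with the "aim:" handler registered; upgrading to the fixed version remains the actual remedy.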