From idlabs-advisories@idefense.com Tue Aug 10 03:31:59 2004 From: idlabs-advisories@idefense.com To: idlabs-advisories@idefense.com Date: Mon, 9 Aug 2004 11:23:51 -0400 Reply-To: customerservice@idefense.com Subject: [Full-Disclosure] iDEFENSE Security Advisory 08.09.04: AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability iDEFENSE Security Advisory 08.09.04 www.idefense.com/application/poi/display?id=121&type=vulnerabilities August 9, 2004 I. BACKGROUND AOL Instant Messenger is an instant messaging client developed by America Online. II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in America Online Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler. A long message buffer will overwrite values stored on the stack and may be used to overwrite a Structured Exception Handler (SEH) pointer as shown below: 0012E634 45454545 0012E638 46464646 0012E63C 47474747 0012E640 484808EB Pointer to next SEH record 0012E644 41414141 SE handler Control of the SEH pointer allows for eventual execution of arbitrary code. III. ANALYSIS Exploitation allows remote attackers to execute arbitrary code under the privileges of the user that instantiated the vulnerable version of AOL Instant Messenger. While AIM 5.5 and later has been compiled with Microsoft Visual Studio .NET 2003 and incorporates stack protection, iDEFENSE has confirmed that exploitation is still possible. IV. DETECTION iDEFENSE has confirmed that AOL Instant Messenger, version 5.5, is vulnerable. Previous versions are also suspected as vulnerable. V. WORKAROUND Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry: HKEY_CLASSES_ROOT\aim The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler: Set WshShell = CreateObject("WScript.Shell") WshShell.RegDelete "HKCR\aim\" VI. VENDOR RESPONSE iDEFENSE has been working with AOL since 07/12/2004 regarding this issue to allow the vendor time to implement a patch. However, on 08/09/2004 an advisory was released by Secunia (http://secunia.com/advisories/12198/) as the same issue was discovered by another group of researchers. With the issue is now public, iDEFENSE is proceeding with public disclosure. AOL has provided the following statement: "iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows versions of AOL Instant Messenger (AIM). The impact of this vulnerability could potentially allow for an attacker to execute malicious code on Windows platforms. Exploit of this vulnerability requires that an AIM user click on a malicious URL supplied in an instant message or embedded in a web page. Affected Products and Applications AOL Instant Messenger (AIM) for Windows - All known versions Vendor Recommendations 1. America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com. 2. A workaround provided by iDEFENSE is available until users are able to upgrade to the new beta version. Vendor Acknowledgments Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to responsibly address this issue." VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0636 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 06/16/2004 Initial vendor contact 06/16/2004 iDEFENSE clients notified 07/07/2004 Secondary vendor contact 07/12/2004 Initial vendor response 08/09/2004 Coordinated public disclosure IX. CREDIT Matt Murphy is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html