Advisory: AIM Away Message Buffer Overflow
- This topic has 6 replies, 4 voices, and was last updated 19 years, 8 months ago by Someguy03.
August 10, 2004 at 12:07 am #8977 Charles Member
Quote:
Secunia Advisory: SA12198
Release Date: 2004-08-09
Critical: Highly critical
Impact: System access
Where: From remote
Software: AOL Instant Messenger 5.x
Description:
Ryan McGeehan has reported a vulnerability in AOL Instant Messenger (AIM), which potentially can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to a boundary error within the handling of “Away” messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long “Away” message (about 1024 bytes). A malicious website can exploit this via the “aim:” URI handler by passing an overly long argument to the “goaway?message” parameter.
Successful exploitation may allow execution of arbitrary code on a user’s system when e.g. a malicious website is visited with certain browsers.
The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.
NOTE: Various other issues were also reported, where a large amount of resources can be consumed on a user’s system.
Solution: The vendor was contacted but has not responded.
Use another product.
Provided and/or discovered by:
Ryan McGeehan and Kevin Benes, TheBillyGoatCurse.com.
Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
Recommended Alternative: Trillian
August 10, 2004 at 12:33 am #74727 Someguy03 Member
Another advisory that has to do with this. Some web sites are implementing a script that runs the “aim:goaway?message” several hundred times. It usually either crashes AIM or freezes your computer, but will say something embarrassing like “I love eric, I want to do him” or something of the sort. The links for these sites are being passed around so you can play jokes on friends. I would watch out.
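Added example, not part of the original thread or the Secunia advisory: a Python check that a proxy or mail filter could run over page content to flag the two abuses described above, an oversized “goaway?message” argument and many repeated “aim:goaway” links. The thresholds, function names and sample pages are assumptions constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import unquote_to_bytes

# Assumed thresholds, not taken from the advisory or the thread.
MAX_MESSAGE_BYTES = 1000   # set below the "about 1024 bytes" the advisory reports
MAX_GOAWAY_PER_PAGE = 5    # hypothetical cut-off for repeated invocations

# Captures the query string of an aim:goaway URI up to a quote, space or bracket.
AIM_GOAWAY = re.compile(r"aim:goaway\?([^\s\"'<>]*)", re.IGNORECASE)

# Constructed sample pages (plain links only, built for this example).
SAMPLE_BENIGN = '<a href="aim:goaway?message=Out+to+lunch">set away</a>'
SAMPLE_LONG = '<a href="aim:goaway?message=' + "x" * 1100 + '">away</a>'
SAMPLE_REPEAT = '<a href="aim:goaway?message=brb">a</a>' * 300


def message_bytes(query: str) -> bytes:
    """Return the percent-decoded 'message' parameter of an aim:goaway query."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "message":
            return unquote_to_bytes(value)
    return b""


def scan_page(html: str) -> list[str]:
    """Return one finding per oversized message, plus one if links are repeated."""
    findings = []
    # Decode HTML entities first so "&amp;" separators split parameters correctly.
    queries = AIM_GOAWAY.findall(unescape(html))
    for query in queries:
        size = len(message_bytes(query))
        if size >= MAX_MESSAGE_BYTES:
            findings.append(f"oversized away message: {size} bytes")
    if len(queries) > MAX_GOAWAY_PER_PAGE:
        findings.append(f"aim:goaway invoked {len(queries)} times")
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_BENIGN", "SAMPLE_LONG", "SAMPLE_REPEAT"):
        print(name, scan_page(globals()[name]))
```

Measuring the message after percent-decoding matters because an encoded argument is up to three times longer in the page source than the bytes the client would receive.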
August 10, 2004 at 12:45 am #74725 David Participant
Don’t you love the AIM software? Secure, stable and bug-free. Damn, I love AOL.
We are past the beginning of the end…
August 10, 2004 at 9:13 am #74728 Someguy03 Member
I was reading more news on this, and AOL had announced that they would be releasing a new AIM beta on Monday (it is now 1:04 AM Tuesday) to fix the problem, so keep on the lookout.
August 11, 2004 at 4:25 pm #74723 Jeff Hester Keymaster
Ah, David hit the nail right on the head!!!!
August 12, 2004 at 5:19 am #74724
August 12, 2004 at 5:26 am #74726 David Participant
No need for two topics. Refer to the above link.
- The topic ‘Advisory: AIM Away Message Buffer Overflow’ is closed to new replies.