Vulnerability Note VU#907819
AOL Instant Messenger client for Windows contains a buffer overflow while parsing TLV 0x2711 packets
There is a remotely exploitable buffer overflow in AOL Instant Messenger (AIM). An exploit has been publicly released. AOL has implemented a server side fix that has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code.
AOL Instant Messenger is a program for communicating with other users over the Internet. AIM is widely used (by over 100 million people). A buffer overflow exists in the AOL Instant Messaging Client for Windows. Information about the vulnerability and about AOL Instant Messenger in general is available from AOL Time Warner.
The problem occurs when parsing messages from another user inviting the victim to participate in a game. Specifically, the buffer overflow occurs while parsing of the Type, Length, Value (TLV) tuple with type 0x2711. Exploitation of the buffer overflow may allow a remote attacker to execute arbitrary code on the victim's system.
The vulnerability is not present in:
During normal operation, AIM clients exchange messages with one another through the AIM servers. The malicious message containing the type 0x2711 TLV must travel through the AIM servers in order to reach the victim client. On the morning of January 3, 2002, AOL modified the AIM server infrastructure to filter malicious messages that attempt to exploit this vulnerability, preventing it from being exploited through the most obvious mechanisms. The possibility of exploiting the vulnerability through man-in-the-middle attacks, DNS spoofing, network sniffing, etc. is still being investigated. In particular, the change to the servers has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible.
Prior to the server side change, an attacker could remotely execute arbitrary code by sending malicious messages to the victim via the AIM messaging service. Attackers may still be able to compromise vulnerable versions of the client software in specific circumstances where the attacker has control of local DNS information, the ability to sniff your AIM session, or control of a proxy between the client and the AIM server.
Apply a Patch
Block AIM Authentication at the Firewall
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|AOL Time Warner||Affected||02 Jan 2002||03 Jan 2002|
CVSS Metrics (Learn More)
This vulnerability was discovered by Matt Conover (firstname.lastname@example.org).
This document was written by Cory F. Cohen.
- CVE IDs: CAN-2002-0005
- Date Public: 02 Jan 2002
- Date First Published: 03 Jan 2002
- Date Last Updated: 15 Jan 2002
- Severity Metric: 19.94
- Document Revision: 29
If you have feedback, comments, or additional information about this vulnerability, please send us email.