SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#912659

AOL Instant Messenger vulnerable to denial-of-service attack via buddy list transfers

Overview

America Online's Instant Messenger (AIM) contains a remotely exploitable buffer overflow vulnerability.

I. Description

AOL Instant Messenger is a program for communicating with other users over the Internet and is widely used. During a buddy list transfer, a buffer overflow may occur. It has not been determined if this transfer happens via peer-to-peer, peer-to-server-to-peer, or both types of connections.

II. Impact

A denial-of-service situation is caused. It has not been determined if this vulnerability can lead to the remote execution of code.

III. Solution

Users can mitigate this vulnerability by upgrading AIM to version 4.8.2790 or higher. It is also reported that on March 14, 2002 AOL implemented server-side filtering to mitigate this vulnerability.

Block AIM Authentication at the Firewall

Blocking connections to login.oscar.aol.com on port 5190/tcp may prevent users on the local network from authenticating to the AIM server. This may be sufficient to prevent the vulnerability from being exploited.

Block Untrusted Messages

AIM permits the user to only accept messages from known peers. By enabling this feature, you may be able to prevent the vulnerability from being exploited. Note that you may still be vulnerable to attacks that originate from known peers if the vulnerability is exploited in a worm-like fashion.

Systems Affected

VendorStatusDate NotifiedDate Updated
AOL Time WarnerVulnerable13-Jun-2002

References


http://online.securityfocus.com/archive/1/259265

Credit

Our thanks to AOL Time Warner for their help in analyzing this vulnerability.

This document was written by Jason Rafail.

Other Information

Date Public:2002-03-01
Date First Published:2002-06-11
Date Last Updated:2002-06-19
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:0.23
Document Revision:12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader