search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AOL Instant Messenger vulnerable to buffer overflow

Vulnerability Note VU#735966

Original Release Date: 2004-08-10 | Last Revised: 2004-08-31

Overview

A vulnerability in the AOL Instant Messenger (AIM) client could allow a remote attacker to execute arbitrary code on a victim system.

Description

AOL Instant Messenger (AIM) is an instant messaging system distributed by AOL Time Warner. A buffer overflow error exists in the way that some versions of the AIM client software handle AIM 'Away' messages. This error creates a vulnerability that can be exploited by remote attackers supplying overly long input to the goaway function of the aim: URI handler. Exploitation of this vulnerability requires an AIM user to click on a malicious URL supplied in an instant message or embedded in a web page.

Impact

An intruder may be able to execute arbitrary code on a vulnerable system. The intruder-supplied code would run with the privileges of the user running an instance of the vulnerable AIM client.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Workarounds

AOL has published a bulletin (refer to the section titled "AOL Instant Messenger URI Handler Buffer Overflow") recommending the following workaround for this issue:

Exploitation of aim: URI handler vulnerabilities can be prevented by removing the following key from the registry:

HKEY_CLASSES_ROOT\aim

The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:

Set WshShell = CreateObject("WScript.Shell")
WshShell.RegDelete "HKCR\aim\"

Note that this workaround is specific to users of the AIM client software for the Windows operating system. Users are strongly encouraged to apply this workaround until a patched version of the AIM client software is available.

Vendor Information

735966
 

AOL Time Warner Unknown

Updated:  August 09, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC is aware of coincidental public disclosure of this issue by Secunia and iDefense. Secunia credits Ryan McGeehan and Kevin Benes for reporting this issue and iDefense credits Matt Murphy.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2004-0636
Severity Metric: 14.38
Date Public: 2004-08-09
Date First Published: 2004-08-10
Date Last Updated: 2004-08-31 21:08 UTC
Document Revision: 21

Sponsored by CISA.