CERT/CC Vulnerability Note VU#907819

Overview

There is a remotely exploitable buffer overflow in AOL Instant Messenger (AIM). An exploit has been publicly released. AOL has implemented a server side fix that has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code.

Description

AOL Instant Messenger is a program for communicating with other users over the Internet. AIM is widely used (by over 100 million people). A buffer overflow exists in the AOL Instant Messaging Client for Windows. Information about the vulnerability and about AOL Instant Messenger in general is available from AOL Time Warner.

The problem occurs when parsing messages from another user inviting the victim to participate in a game. Specifically, the buffer overflow occurs while parsing of the Type, Length, Value (TLV) tuple with type 0x2711. Exploitation of the buffer overflow may allow a remote attacker to execute arbitrary code on the victim's system.

The following versions are vulnerable:

AIM for Windows, version 1.0 - 3.0.1415
AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)

The vulnerability is not present in:

Non-windows versions of the client
AIM client integrated into Netscape version 6
Internal buddy list in the AOL client

During normal operation, AIM clients exchange messages with one another through the AIM servers. The malicious message containing the type 0x2711 TLV must travel through the AIM servers in order to reach the victim client. On the morning of January 3, 2002, AOL modified the AIM server infrastructure to filter malicious messages that attempt to exploit this vulnerability, preventing it from being exploited through the most obvious mechanisms. The possibility of exploiting the vulnerability through man-in-the-middle attacks, DNS spoofing, network sniffing, etc. is still being investigated. In particular, the change to the servers has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible.

Impact

Prior to the server side change, an attacker could remotely execute arbitrary code by sending malicious messages to the victim via the AIM messaging service. Attackers may still be able to compromise vulnerable versions of the client software in specific circumstances where the attacker has control of local DNS information, the ability to sniff your AIM session, or control of a proxy between the client and the AIM server.

Solution

Apply a Patch

Update to AIM version 4.8.2646, which contains the code patch to resolve this problem. Contact your vendor for additional information.

Block AIM Authentication at the Firewall

Blocking connections to login.oscar.aol.com on port 5190/tcp may prevent users on the local network from authenticating to the AIM server. This may be sufficient to prevent the vulnerability from being exploited.

Block Untrusted Messages

AIM permits the user to only accept messages from known peers. By enabling this feature, you may be able to prevent the vulnerability from being exploited. Note that you may still be vulnerable to attacks that originate from known peers if the vulnerability is exploited in a worm like fashion.

Vendor Information

907819

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

AOL Time Warner Affected

Notified: January 02, 2002 Updated: January 03, 2002

Status

Affected

Vendor Statement

America Online Security Advisory

Post date: January 3, 2002

Subject: Buffer Overflow Vulnerability in AOL Instant Messenger for Windows

Problem:

Mitigation:

Vulnerable Versions:

AIM software containing the buffer overflow:

Unaffected software:

All AIM clients for non-Windows platforms would not have been affected. Additionally, the AIM client integrated with the Netscape 6 browser would not have been vulnerable. AOL members using the internal AOL Buddy List in the AOL client would not have been affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Matt Conover (shok@dataforce.net).

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2002-0005
Severity Metric:	19.94
Date Public:	2002-01-02
Date First Published:	2002-01-03
Date Last Updated:	2002-01-16 00:06 UTC
Document Revision:	29

Software Engineering Institute

CERT Coordination Center

AOL Instant Messenger client for Windows contains a buffer overflow while parsing TLV 0x2711 packets

Vulnerability Note VU#907819

Overview

Description

Impact

Solution

Vendor Information

AOL Time Warner Affected

Status

Vendor Statement

Vendor Information

Addendum

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC