Buffer Overflow in AOL Instant Messager's screenname parameter of getfile

Forgive me if this has already been posted..i did a search and didn't find anything :p

Quote:

---

When AOL Instant Messenger (AIM) is installed, it installs the "aim" protocol handler. This protocol allows AIM to be loaded by arbitrary web pages by including an "aim:operation?parameter".

One of the operations is named "getfile". This operation takes a parameter named "screenname". The "getfile" operation is used to retrieve a file from another user. When the operation is invoked, the user is warned about retrieving files. If the user clicks "OK" the file is normally sent to the requesting user. The warning dialog can be disabled by choosing "Don't ask me again!".

A buffer overflow exists in the "screenname" parameter. The overflow allows an attacker to take control of EIP. The overflow allows arbitrary execution on the victim's machine.

---

Advisory: Digital Pranksters

enjoy.

Is that damage perminent? because I am gonan try it on myself lol

[EDIT] I cant get it to work, I think because my version of aim is to new.[/EDIT]

old news. the patch was released sept 25, but i guess that would still make many |users still vulnerable

sorry for the old news...i did a search for articles about this, but didn't find any.

my bad. :dunce:

were u sucessful in doin it PM???

it sais u can include the aim:<parameter> in a webpage or something...even in profiles i've seen cuz u can put something like "clickhere" and the link will go to an IM box with ur screenname and some selected text...i've seen it done. But now when i wanna do it most it doesnt seem to do it. I'm using 5.2.3292. Even if they fixed the problem in that version they shouldnt have removed the ability to do place and click on links. Anyone know how to include the aim:<parameter> protocol in a webpage or anyhign for that matter? i should add that i've done it in my profile to get someone to IM u before but i dont have the link syntax anymore...any help anyone?