Buffer Overflow in AOL Instant Messager's screenname parameter of getfile
Results 1 to 6 of 6

Thread: Buffer Overflow in AOL Instant Messager's screenname parameter of getfile

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    156

    Buffer Overflow in AOL Instant Messager's screenname parameter of getfile

    Forgive me if this has already been posted..i did a search and didn't find anything :p

    When AOL Instant Messenger (AIM) is installed, it installs the "aim" protocol handler. This protocol allows AIM to be loaded by arbitrary web pages by including an "aim:operation?parameter".

    One of the operations is named "getfile". This operation takes a parameter named "screenname". The "getfile" operation is used to retrieve a file from another user. When the operation is invoked, the user is warned about retrieving files. If the user clicks "OK" the file is normally sent to the requesting user. The warning dialog can be disabled by choosing "Don't ask me again!".

    A buffer overflow exists in the "screenname" parameter. The overflow allows an attacker to take control of EIP. The overflow allows arbitrary execution on the victim's machine.
    Advisory: Digital Pranksters

    enjoy.
    t.e.k.n.o.

  2. #2
    Is that damage perminent? because I am gonan try it on myself lol

    [EDIT] I cant get it to work, I think because my version of aim is to new.[/EDIT]

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    old news. the patch was released sept 25, but i guess that would still make many |users still vulnerable
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    sorry for the old news...i did a search for articles about this, but didn't find any.

    my bad.
    t.e.k.n.o.

  5. #5
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    were u sucessful in doin it PM???

  6. #6
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    it sais u can include the aim:<parameter> in a webpage or something...even in profiles i've seen cuz u can put something like "clickhere" and the link will go to an IM box with ur screenname and some selected text...i've seen it done. But now when i wanna do it most it doesnt seem to do it. I'm using 5.2.3292. Even if they fixed the problem in that version they shouldnt have removed the ability to do place and click on links. Anyone know how to include the aim:<parameter> protocol in a webpage or anyhign for that matter? i should add that i've done it in my profile to get someone to IM u before but i dont have the link syntax anymore...any help anyone?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides