October 21st, 2003, 08:21 PM
Buffer Overflow in AOL Instant Messenger's screenname parameter of getfile
Forgive me if this has already been posted... I did a search and didn't find anything :p
Advisory: Digital Pranksters
When AOL Instant Messenger (AIM) is installed, it installs the "aim" protocol handler. This protocol allows AIM to be loaded by arbitrary web pages by including an "aim:operation?parameter".
One of the operations is named "getfile". This operation takes a parameter named "screenname". The "getfile" operation is used to retrieve a file from another user. When the operation is invoked, the user is warned about retrieving files. If the user clicks "OK" the file is normally sent to the requesting user. The warning dialog can be disabled by choosing "Don't ask me again!".
A buffer overflow exists in the "screenname" parameter. The overflow allows an attacker to take control of EIP. The overflow allows arbitrary execution on the victim's machine.
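A defensive check for the link format the advisory describes, as an added example that is not part of the original post or advisory: it scans page source for "aim:" links that invoke "getfile" with a "screenname" value longer than a legitimate screen name. The 16-character limit, the function name and the sample page are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: 16 characters is the longest legitimate screen name; tune for your data.
MAX_SCREENNAME_LEN = 16

# An aim: URI as it appears in an attribute or plain text (ends at quote, space, < or >).
AIM_URI_RE = re.compile(r"aim:[^\s\"'<>]+", re.IGNORECASE)


def find_suspicious_aim_links(page):
    """Return (uri_prefix, decoded_length) for every aim:getfile link whose
    screenname value exceeds MAX_SCREENNAME_LEN after decoding."""
    findings = []
    # Undo HTML entity escaping first so "&amp;" separators parse correctly.
    text = html.unescape(page)
    for match in AIM_URI_RE.finditer(text):
        uri = match.group(0)
        # Format from the advisory: aim:operation?parameter
        operation, _, query = uri[4:].partition("?")
        if operation.lower() != "getfile":
            continue
        # parse_qs percent-decodes values, so length is measured on decoded data.
        params = {k.lower(): v
                  for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in params.get("screenname", []):
            if len(value) > MAX_SCREENNAME_LEN:
                # Keep only a short prefix so reports do not carry the full value.
                findings.append((uri[:40], len(value)))
    return findings


# Constructed sample page: two ordinary links and one over-long screenname.
SAMPLE_PAGE = (
    '<a href="aim:goim?screenname=buddy123&amp;message=hi">IM me</a>\n'
    '<a href="aim:getfile?screenname=buddy123">get file</a>\n'
    '<a href="AIM:GetFile?ScreenName=' + "x" * 64 + '">click here</a>\n'
)

if __name__ == "__main__":
    for prefix, length in find_suspicious_aim_links(SAMPLE_PAGE):
        print(f"suspicious aim:getfile link ({length}-char screenname): {prefix}...")
```

The same function can be run over proxy or mail-gateway content; matching is case-insensitive because protocol handlers are commonly invoked regardless of case.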
October 21st, 2003, 09:03 PM
Is that damage permanent? Because I am gonna try it on myself lol
[EDIT] I can't get it to work, I think because my version of AIM is too new.[/EDIT]
October 21st, 2003, 09:32 PM
old news. the patch was released sept 25, but i guess that would still make many users still vulnerable
October 22nd, 2003, 08:08 PM
sorry for the old news... i did a search for articles about this, but didn't find any.
October 23rd, 2003, 01:26 AM
were u successful in doin it PM???
October 23rd, 2003, 02:27 AM
it says u can include the aim:<parameter> in a webpage or something... even in profiles i've seen cuz u can put something like "clickhere" and the link will go to an IM box with ur screenname and some selected text... i've seen it done. But now when i wanna do it most it doesn't seem to do it. I'm using 5.2.3292. Even if they fixed the problem in that version they shouldn't have removed the ability to place and click on links. Anyone know how to include the aim:<parameter> protocol in a webpage or anything for that matter? i should add that i've done it in my profile to get someone to IM u before but i don't have the link syntax anymore... any help anyone?