Thread: Buffer Overflow in AOL Instant Messenger's screenname parameter of getfile

  1. #1

    Forgive me if this has already been posted..i did a search and didn't find anything :p

    When AOL Instant Messenger (AIM) is installed, it installs the "aim" protocol handler. This protocol allows AIM to be loaded by arbitrary web pages by including an "aim:operation?parameter".

    One of the operations is named "getfile". This operation takes a parameter named "screenname". The "getfile" operation is used to retrieve a file from another user. When the operation is invoked, the user is warned about retrieving files. If the user clicks "OK" the file is normally sent to the requesting user. The warning dialog can be disabled by choosing "Don't ask me again!".

    A buffer overflow exists in the "screenname" parameter. The overflow allows an attacker to take control of EIP. The overflow allows arbitrary execution on the victim's machine.
    Advisory: Digital Pranksters

    enjoy.
    t.e.k.n.o.
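
A sketch of how a handler for the getfile operation described in the post above can bound the screenname parameter before copying it (added example, not code from AIM or from the advisory). The function name, the 16-character limit, the alphanumeric-only rule and the exact-case prefix match are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this sketch; the advisory does not state the real buffer size. */
#define SCREENNAME_MAX 16

/* Parse "aim:getfile?screenname=<name>" and copy <name> into out (out_size bytes).
 * Returns 0 on success, -1 if the URI is not a getfile request with a
 * screenname parameter, -2 if the screenname is empty, too long, or
 * contains characters outside [A-Za-z0-9]. */
int parse_getfile_uri(const char *uri, char *out, size_t out_size)
{
    static const char prefix[] = "aim:getfile?";
    static const char key[] = "screenname=";
    const char *p, *end;
    size_t len, i;

    if (uri == NULL || out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';
    if (strncmp(uri, prefix, sizeof prefix - 1) != 0)
        return -1;
    p = uri + sizeof prefix - 1;

    /* Walk the '&'-separated parameters until screenname= is found. */
    while (strncmp(p, key, sizeof key - 1) != 0) {
        p = strchr(p, '&');
        if (p == NULL)
            return -1;
        p++;
    }
    p += sizeof key - 1;
    end = strchr(p, '&');
    len = end ? (size_t)(end - p) : strlen(p);

    /* The length is checked against both the assumed protocol limit and the
     * destination size before any byte is copied; copying attacker-supplied
     * text without this check is how a fixed-size buffer overflows. */
    if (len == 0 || len > SCREENNAME_MAX || len >= out_size)
        return -2;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9')))
            return -2; /* also rejects %-escapes and raw bytes */
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}
```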

  2. #2
    Is that damage permanent? because I am gonna try it on myself lol

    [EDIT] I can't get it to work, I think because my version of aim is too new.[/EDIT]

  3. #3
    old news. the patch was released sept 25, but i guess that would still make many users still vulnerable

  4. #4
    sorry for the old news...i did a search for articles about this, but didn't find any.

    my bad.
    t.e.k.n.o.

  5. #5
    deftones12
    were u successful in doin it PM???

  6. #6
    deftones12
    it says u can include the aim:<parameter> in a webpage or something...even in profiles i've seen cuz u can put something like "clickhere" and the link will go to an IM box with ur screenname and some selected text...i've seen it done. But now when i wanna do it most it doesn't seem to do it. I'm using 5.2.3292. Even if they fixed the problem in that version they shouldn't have removed the ability to do place and click on links. Anyone know how to include the aim:<parameter> protocol in a webpage or anything for that matter? i should add that i've done it in my profile to get someone to IM u before but i don't have the link syntax anymore...any help anyone?
