When you have a direct connection of any kind, obviously you have two endpoints that are now networked. Drop down to a command prompt when you DC with your pal and do a netstat -an and you'll see your connection table with a listing for your buddy.
That said, AIM's "security" control for this is for you to accept whatever is being sent across the connection. Obviously this is a weak feature done at the application layer. What happens if I sneak something in the stream lower down in the stack?
To answer that, see a documented vulnerability that does just that and results in directory traversal and privilege acquisition.
http://cve.mitre.org/cgi-bin/cvename...=CVE-2002-0591
For the lazy, here is a summary:
AOL Instant Messenger versions 4.8 beta and earlier could allow a remote attacker to create arbitrary files on a victim's system when using the "Direct Connection" feature. If a remote attacker is permitted to use the "Direct Connection" feature, the attacker can send a specially-crafted file that would be created in a directory specified by the attacker. The attacker would specify the directory in which the file is created by using '..\..' character sequences in the SRC parameter to traverse directories on the system. This would allow the attacker to perform future related attacks against the user.
Bottom line: Be VERY careful when accepting connections. There is nothing that says I can't write something and plant a logic bomb on your buddy's machine that only fires when it sees DCCs or AIM direct connections.
--TH13
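The traversal described in the CVE summary above comes down to one mistake: the receiving client joins the peer-supplied SRC parameter onto its download directory without checking where the result lands. The following is an added example, not code from the original post or from AIM, that shows the vulnerable join beside a hardened version. It assumes a download root of /home/buddy/aim_downloads (constructed), treats both '\' and '/' as separators the way a Windows client would, and uses purely lexical normalisation so it runs the same on any platform; the sample SRC values are constructed for illustration.

```python
import posixpath

# Assumed download root for the receiving side (constructed for this example).
DOWNLOAD_DIR = "/home/buddy/aim_downloads"


def to_posix(p: str) -> str:
    """Treat both '\\' and '/' as separators, as the Windows client would."""
    return p.replace("\\", "/")


def vulnerable_destination(download_dir: str, src: str) -> str:
    """Vulnerable pattern: the peer-supplied SRC is joined onto the download
    directory verbatim, so '..' components climb out of it."""
    return posixpath.normpath(posixpath.join(download_dir, to_posix(src)))


def safe_destination(download_dir: str, src: str):
    """Hardened pattern: reject absolute and drive-letter paths, reject anything
    that does not stay strictly inside download_dir after normalisation, and
    write only a flat file name (a remote peer gets no say in subdirectories).
    Returns the destination path, or None if the transfer must be refused."""
    name = to_posix(src)
    # Empty name, absolute path, or a drive letter such as 'C:' -> refuse.
    if not name or name.startswith("/") or ":" in name:
        return None

    root = posixpath.normpath(download_dir)
    candidate = posixpath.normpath(posixpath.join(root, name))

    # Must be a proper child of root; equality (src == '.') is also refused.
    if not candidate.startswith(root + "/"):
        return None

    base = posixpath.basename(candidate)
    if base in ("", ".", ".."):
        return None
    return posixpath.join(root, base)


def classify(samples):
    """Run both versions over a list of SRC values and report what each would
    write to. Handy for eyeballing the difference in a terminal."""
    return [(src, vulnerable_destination(DOWNLOAD_DIR, src),
             safe_destination(DOWNLOAD_DIR, src)) for src in samples]


if __name__ == "__main__":
    # Constructed SRC values a peer might send over a direct connection.
    for src, bad, good in classify([
        "photo.jpg",
        "pics/../photo.jpg",
        "..\\..\\Windows\\evil.exe",
        "C:\\Windows\\evil.exe",
        "..",
    ]):
        print(f"{src!r:32} vulnerable -> {bad!r:40} hardened -> {good!r}")
```

The vulnerable function lands '..\..\Windows\evil.exe' two levels above the download directory, which is exactly the file-planting primitive the CVE describes; the hardened one refuses it and also strips any subdirectory the peer tried to choose, so even an in-bounds path like 'pics/../photo.jpg' becomes a plain file in the download root.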