RE: AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability
Deleting the "HKEY_CLASSES_ROOT\aim" registry key is not a permanent
mitigation but a per-session change that has to be implemented every
time AOL Instant Messenger is instantiated. The reason for this is that
if the HKCR\aim key is missing when AIM is launched AIM will simply
recreate the key and thus the URL protocol.
If you want to mitigate against any use of the AIM protocol the most
viable approach is to implement a URL protocol handler to either filter
or disregard the data. You can read more about asynchronous pluggable
protocols in IE at
http://msdn.microsoft.com/workshop/networking/pluggable/overview/overvie
w.asp
If you want to simply disregard any data sent to the aim: URL protocol
you can implement the about: URL protocol handler which is located at
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about\CLSID
This REG_SZ value contains the data
"{3050F406-98B5-11CF-BB82-00AA00BDCE0B}" which points at MSHTML.DLL and
ensures that any data sent through the protocol will not be parsed by
its intended application. AIM doesn't have a URL protocol handler of its
own so you will have to create the keys yourself. This would be
equivelant to the following .reg file:
======= neuteraimurl.reg =======
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\aim]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
======= neuteraimurl.reg =======
If you implement this registry change the aim URL protocol handler will
be neutered.
You can find a copy of this file at
http://www.pivx.com/research/freefixes/neuteraimurl.reg
Feel free to implement this registry fix as you see fit.
There are a lot of potentially dangerous URL protocols on any Windows
system (e.g., take a look at callto: or ldap:). You can locate all the
URL protocols on your system by searching through your registry for a
REG_SZ value called "URL Protocol" which is located under "HKCR\*\URL
Protocol". As an example, you can neuther the Shell protocol in a
similar manner.
End-node security solutions can help mitigate the risk of URL protocols
by filtering data and implementing the lacking input validation.
Qwik-Fix Pro is currently having several fixes developed that protect
against exploitation of not only the aim URL protocol but other
potentially malicious URL protocols as well. You can download a copy of
Qwik-Fix Pro at
http://www.pivx.com/qwikfix/
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: homicidal@xxxxxxxxx [mailto:homicidal@xxxxxxxxx]
Sent: Tuesday, August 10, 2004 1:12 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AOL Instant Messenger "Away" Message Buffer Overflow
Vulnerability
THIS WAS NOT DISCOVERED BY ME.
Source: Secunia (http://secunia.com/advisories/12198/)
Description:
Ryan McGeehan has reported a vulnerability in AOL Instant Messenger
(AIM), which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to a boundary error within the handling
of "Away" messages and can be exploited to cause a stack-based buffer
overflow by supplying an overly long "Away" message (about 1024 bytes).
A malicious website can exploit this via the "aim:" URI handler by
passing an overly long argument to the "goaway?message" parameter.
Successful exploitation allows execution of arbitrary code on a user's
system when e.g. a malicious website is visited with certain browsers.
The vulnerability has been confirmed in version 5.5.3595. Other versions
may also be affected.
NOTE: Various other issues were also reported, where a large amount of
resources can be consumed on a user's system.
Solution:
The vendor has contacted Secunia and recommends that users install a
beta version, which addresses the vulnerability, or remove support for
the "aim:" URI handler by deleting the "HKEY_CLASSES_ROOT\aim" registry
key.
A new non-beta version is forthcoming.
Provided and/or discovered by:
The vulnerability was discovered independently by the following around
the same time:
1) Ryan McGeehan and Kevin Benes, TheBillyGoatCurse.com.
2) Matt Murphy