COMMAND

    AOL Instant Messenger

SYSTEMS AFFECTED

    AIM 3.5.1856

PROBLEM

    Joe Testa found the following.  A buffer overflow vulnerability has
    been found to exist in the latest build (3.5.1856) of AOL Instant
    Messenger (and possibly in older versions too).  The problem arises
    from the fact that proper bounds checking is not performed on the
    command line arguments given to AIM.  This does not seem to be a
    particularly lethal bug until you consider that AIM registers its
    own "aim:" protocol handler with Internet Explorer and Netscape
    Navigator, so those arguments can be supplied through a link.

    AOL Instant Messenger build 3.5.1856 (March 1st, 2000) blindly
    accepts the arguments passed to it, without checking that its
    buffers have room for them.  The ASCII values of the argument
    characters have 0x20 added to them first, and then leak into EBP
    and EIP.  So this *appears* to be exploitable, and anyone out there
    with spare time is invited to make an attempt at the exploit.


    To see a quick (and harmless) example, click a link of the form

        aim:goim?screenname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&message=EIP,+the+other+white+meat

    Any data passed to AIM in a link by means of the 'screenname='
    field past the 244th character begins to overwrite EIP.
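    The following C program is an added illustration of the class of
    bug described above, written for this page; it is not AIM's code,
    and nothing is known about AIM's actual internals beyond what the
    advisory states.  It places a fixed-size stack buffer filled by an
    unchecked strcpy (the vulnerable pattern, which overruns into the
    saved EBP and return address once the input outgrows the buffer)
    next to a bounded handler that refuses oversized input, and shows a
    protocol-handler front end that parses the screenname out of an
    aim:goim URL before handing it on.  The 244-byte buffer size, the
    function names and the URL parsing are all assumptions made for the
    example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example: the advisory reports EIP being
   overwritten past the 244th character, so a buffer of that size is
   used here.  This is not AIM's real layout. */
#define SCREENNAME_MAX 244

/* Vulnerable pattern: the argument is copied into a fixed stack buffer
   with no length check.  A long argument runs past the end of `buf`
   into the saved frame pointer and return address (the EBP/EIP
   clobber the advisory describes).  Only ever call this with short
   input; it exists to be read next to the safe version below. */
int open_im_unsafe(const char *screenname)
{
    char buf[SCREENNAME_MAX];
    strcpy(buf, screenname);                /* no bounds check */
    printf("opening IM window for %s\n", buf);
    return 0;
}

/* Hardened pattern: measure the input first, refuse anything that does
   not fit (rather than truncating silently), then copy with an explicit
   length so the buffer can never be overrun. */
int open_im_safe(const char *screenname)
{
    char buf[SCREENNAME_MAX];
    size_t len = strlen(screenname);
    if (len >= sizeof buf)
        return -1;                           /* oversized: rejected */
    memcpy(buf, screenname, len + 1);        /* len+1 copies the NUL */
    printf("opening IM window for %s\n", buf);
    return 0;
}

/* Hypothetical protocol-handler front end: pulls the screenname out of
   an "aim:goim?screenname=...&message=..." URL and routes it through
   the bounded handler.  Returns -1 on a missing or oversized field. */
int handle_aim_url(const char *url)
{
    const char *p = strstr(url, "screenname=");
    if (!p)
        return -1;
    p += strlen("screenname=");
    size_t n = strcspn(p, "&");              /* field ends at '&' or NUL */
    char name[SCREENNAME_MAX];
    if (n >= sizeof name)
        return -1;
    memcpy(name, p, n);
    name[n] = '\0';
    return open_im_safe(name);
}

/* Builds a screenname of n 'A' characters (the advisory's probe) and
   runs it through the bounded handler; returns that handler's result. */
int probe_safe(size_t n)
{
    char *name = malloc(n + 1);
    if (!name)
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    int rc = open_im_safe(name);
    free(name);
    return rc;
}

int main(void)
{
    printf("short name via unsafe handler: %d\n", open_im_unsafe("alice"));
    printf("243 x 'A' via safe handler:    %d\n", probe_safe(243));
    printf("300 x 'A' via safe handler:    %d\n", probe_safe(300));
    printf("aim: URL with short name:      %d\n",
           handle_aim_url("aim:goim?screenname=alice&message=hi"));
    return 0;
}
```

    The safe handler returns 0 for any name that fits and -1 once the
    input reaches the buffer size, which is exactly the boundary at
    which the unsafe version would start writing over the saved frame.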

SOLUTION

    Vendor contacted.