Multiple Vulnerabilities in AOL Instant Messenger

AOL Instant Messenger (AIM) is a popular messaging client for Windows, with over 64 million users according to http://www.aol.com/aim/home.html. AIM ships by default with current versions of the Netscape Communicator web browser, and is also available as a standalone download.

There are several application weaknesses in the product that expose machines with AIM installed to remote takeover by external attackers. It is important to note that you do not need to be running AIM, but merely have it installed, to be vulnerable. We include URLs in our detailed description that enable you to check if you are vulnerable.

Scenarios such as receiving malicious HTML e-mail or visiting a malicious web site have been shown to enable the execution of arbitrary code on a vulnerable target machine. This potentially places environments using AOL Instant Messenger at grave risk. As these vulnerabilities are the result of client-initiated communications, most corporate firewall configurations do not guard these environments from attack.

Details

Vulnerable systems: AOL Instant Messenger versions prior to 4.3.2229

AOL Instant Messenger, when installed, registers the URL protocol "aim:" as a hook into its executable. This allows users to publish their AOL screen name on a web page and be quickly and easily added to a viewer's "Buddy List", engage in an AIM Chat, or otherwise access AIM functionality simply by clicking on a link. In order to do this, each "aim://" URL is passed directly to the AIM client, as if it had been put on the command line. Hence, typing:

    aim:goim?Screenname=bob&Message=hibob

in Internet Explorer will pop up an instant message box ready to send to Bob. Unfortunately, the AOL client software has numerous vulnerabilities that allow a maliciously crafted URL to overflow internal buffers and obtain control of the program.
In addition, arbitrary "buddies" can be automatically added to an AIM user's buddy list by a malicious web page or HTML e-mail.

One of the buffer overflows is demonstrated by typing the following URL into your browser:

    aim:goim?=<insert a string of 300 'A' characters here>+restart

Another is demonstrated by typing:

    aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localhost/AAA...

where there are greater than 3000 'A' characters.

Solutions:

If you are an AOL Instant Messenger user and are able to upgrade easily, install the latest version of AIM, 4.3.2229, dated 12/6/200, available at: http://www.aol.com/aim/home.html

If you are not an AIM user, uninstall AIM via the Add/Remove Programs Control Panel.

If you are not able to upgrade or delete AIM, you can follow these instructions for removing the vulnerable functionality of AIM (for versions prior to 4.3.2229) that allows it to be launched via a malicious URL. It is important to note that AOL Instant Messenger rewrites the registry settings when it is launched, thus undoing any protective patches.

If you are on a system that can enforce access control on registry keys, such as Windows NT and Windows 2000, you may perform the following. Set the following key values to be empty:

    HKEY_CLASSES_ROOT\aim\shell\open\command
    HKEY_CLASSES_ROOT\aimfile\shell\open\command
    HKEY_CLASSES_ROOT\AIM.Protocol\CLSID
    HKEY_CLASSES_ROOT\AIM.Protocol.1\CLSID

Then, change the security permissions to be READ-ONLY on the aforementioned keys. This will not work on Windows 95/98/ME systems, as there is no mechanism to apply permissions to registry keys.

Alternatively, you can delete the registry key at:

    HKEY_CLASSES_ROOT\aim\shell\open\command

after each time you launch AIM. This is necessary because AIM rewrites the key each time it is launched. Deleting it will prevent AIM from being executed when a user clicks on an aim:// URL.

Ultimately, a vendor patch for this problem is required to continue with full product functionality.
Should this not be possible in your particular environment, there are other solutions available, per the information provided in this advisory. It is noted here that there is seldom a one-size-fits-all solution, and the ultimate solution for your environment will be weighed in relation to your business.

If your environment utilizes application proxies or other tools that can filter content before it reaches your systems, it should be possible to block AIM traffic at your filtering point. Filtering out "aim:" URLs would be effective here.

Should this vulnerability be viewed as potentially catastrophic to your environment, it may be necessary either to mandate discontinuing use of the product until it is repaired, or to switch to alternative products.

Enhanced logging and/or monitoring of client areas that are particularly vulnerable might be an effective benefit/risk trade-off. This could allow early detection of compromised systems. Assuming that the benefit and functionality of using AIM is great enough, one might accept the potential compromise of a system in an environment provided that early detection is possible. In some rare scenarios this might constitute an acceptable risk for the company or individual and be accepted as is. We strongly believe that the majority of users are not in this situation, but do acknowledge this possibility.
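The "aim:" URL filtering and the early-detection logging suggested above can be given a concrete shape. The following is an added example, not part of the advisory and not AOL's code: a small Python content filter that pulls "aim:" URLs out of proxied HTML or e-mail text, parses each into its action and query parameters, blocks every one (the advisory's recommendation), and escalates to an alert any URL whose parameter lengths match the oversized shapes the advisory describes. The MAX_PARAM_LEN threshold, the function names and the SAMPLE_CONTENT are assumptions constructed for this example.

```python
"""Content filter for "aim:" URLs at a proxy or mail gateway.

Added example, not from the advisory and not AOL's code.  It extracts aim:
URLs from text, parses each into action and parameters, and returns a
verdict: every aim: URL is blocked (the advisory's recommendation), and
those carrying an oversized parameter are additionally marked "alert" so
the event can be escalated as a likely exploit attempt.
"""
import re
from urllib.parse import parse_qsl

# Match an aim: URL, with or without "//", up to the next whitespace, quote
# or angle bracket (the delimiters that end a URL in HTML or plain e-mail).
AIM_URL_RE = re.compile(r'''aim:(?://)?[^\s"'<>]+''', re.IGNORECASE)

# Assumed threshold for a single parameter value.  It is deliberately far
# below the 300- and 3000-character cases the advisory describes; legitimate
# screen names and short messages stay well under it.
MAX_PARAM_LEN = 128


def parse_aim_url(url):
    """Split an aim: URL into (action, {param_name: value}).

    "aim:goim?Screenname=bob&Message=hibob" -> ("goim", {"screenname": "bob",
    "message": "hibob"}).  Names are lower-cased so that "Screenname" and
    "screenname" (both spellings appear in the advisory) compare equal; blank
    names are kept, as in the "aim:goim?=AAAA..." overflow case.
    """
    body = re.sub(r'^aim:(?://)?', '', url, flags=re.IGNORECASE)
    action, _, query = body.partition('?')
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name.lower()] = value
    return action.lower(), params


def assess_aim_url(url):
    """Return (verdict, reason) for one aim: URL.

    verdict is "alert" when any parameter exceeds MAX_PARAM_LEN (the shape of
    the overflow cases), otherwise "block" (plain scheme filtering).
    """
    action, params = parse_aim_url(url)
    oversized = [name or '<unnamed>' for name, value in params.items()
                 if len(value) > MAX_PARAM_LEN]
    if oversized:
        return 'alert', f'aim:{action} with oversized parameter(s) {oversized}'
    return 'block', f'aim:{action} URL filtered per policy'


def scan_content(text):
    """Find every aim: URL in text; return [(url, verdict, reason), ...]."""
    return [(m.group(0),) + assess_aim_url(m.group(0))
            for m in AIM_URL_RE.finditer(text)]


# Constructed sample: one ordinary link followed by the two oversized shapes
# the advisory describes (300 'A's in goim, more than 3000 in buddyicon Src).
SAMPLE_CONTENT = (
    '<a href="aim:goim?Screenname=bob&Message=hibob">message bob</a>\n'
    '<a href="aim:goim?=' + 'A' * 300 + '+restart">click</a>\n'
    '<img src="aim:buddyicon?screenname=abob&groupname=asdf'
    '&Src=http://localhost/' + 'A' * 3001 + '">\n'
)

if __name__ == '__main__':
    for url, verdict, reason in scan_content(SAMPLE_CONTENT):
        print(f'{verdict:5} {reason}  [{url[:50]}{"..." if len(url) > 50 else ""}]')
```

Run on the sample, the ordinary link is reported as "block" and the two oversized URLs as "alert". Feeding the "alert" lines to the enhanced logging the advisory recommends gives the early warning it describes: a client that was sent such a URL is a candidate for compromise whether or not the filter caught every copy.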