CVSS2: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.155 Low (Percentile: 95.9%)
There is a remotely exploitable buffer overflow in AOL Instant Messenger (AIM). An exploit has been publicly released. AOL has implemented a server side fix that has largely eliminated the chances of widespread automated exploitation of the vulnerability, but targeted exploitation of specific clients may still be possible. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code.
AOL Instant Messenger is a program for communicating with other users over the Internet. AIM is widely used (by over 100 million people). A buffer overflow exists in the AOL Instant Messaging Client for Windows. Information about the vulnerability and about AOL Instant Messenger in general is available from AOL Time Warner.
The problem occurs when parsing messages from another user inviting the victim to participate in a game. Specifically, the buffer overflow occurs while parsing the Type, Length, Value (TLV) tuple with type 0x2711. Exploitation of the buffer overflow may allow a remote attacker to execute arbitrary code on the victim’s system.
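An added example, not code from AOL or CERT/CC: a bounds-checked TLV walker in C showing the two length checks whose absence leads to this class of overflow, run over constructed messages. The 2-byte big-endian type and length layout, the 64-byte destination size and all function names are assumptions for illustration; only the type 0x2711 comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TLV_GAME_INVITE 0x2711  /* type named in the advisory */
#define VALUE_CAP 64            /* assumed destination size, for illustration */
enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_OVERSIZE = -2, TLV_ABSENT = -3 };
/* Assumed layout: 2-byte big-endian type, 2-byte big-endian length, value. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Copy the value of TLV `want` into out[out_cap]. Each declared length is
 * checked against the bytes remaining and the destination before the copy. */
int tlv_extract(const uint8_t *buf, size_t len, uint16_t want,
                uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4) return TLV_TRUNCATED;     /* header cut short */
        uint16_t type = be16(buf + off), vlen = be16(buf + off + 2);
        off += 4;
        if (vlen > len - off) return TLV_TRUNCATED;  /* length runs past message */
        if (type == want) {
            if (vlen > out_cap) return TLV_OVERSIZE; /* would overflow `out` */
            memcpy(out, buf + off, vlen);
            *out_len = vlen;
            return TLV_OK;
        }
        off += vlen;
    }
    return TLV_ABSENT;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t sample_ok[] = {0x00,0x01,0x00,0x02,'h','i', 0x27,0x11,0x00,0x03,'a','b','c'};
static const uint8_t sample_oversize[4 + 80] = {0x27,0x11,0x00,0x50}; /* 80-byte value */
static const uint8_t sample_truncated[] = {0x27,0x11,0x01,0x00,'x'};  /* claims 256 bytes */
/* Status of the 0x2711 TLV in one message. */
int check_invite(const uint8_t *msg, size_t len)
{
    uint8_t value[VALUE_CAP];
    size_t n = 0;
    return tlv_extract(msg, len, TLV_GAME_INVITE, value, sizeof value, &n);
}

int main(void)
{
    printf("%d %d %d\n", check_invite(sample_ok, sizeof sample_ok),
           check_invite(sample_oversize, sizeof sample_oversize),
           check_invite(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The same walker can serve as a filter at a proxy or in log review: a 0x2711 TLV that returns TLV_OVERSIZE or TLV_TRUNCATED is a message worth dropping or flagging.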
The following versions are vulnerable:
* AIM for Windows, version 1.0 - 3.0.1415
* AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)
The vulnerability is not present in:
* Non-Windows versions of the client
* AIM client integrated into Netscape version 6
* Internal buddy list in the AOL client
Prior to the server side change, an attacker could remotely execute arbitrary code by sending malicious messages to the victim via the AIM messaging service. Attackers may still be able to compromise vulnerable versions of the client software in specific circumstances where the attacker has control of local DNS information, the ability to sniff your AIM session, or control of a proxy between the client and the AIM server.
Apply a Patch
Update to AIM version 4.8.2646, which contains the code patch to resolve this problem. Contact your vendor for additional information.
Block AIM Authentication at the Firewall
Blocking connections to login.oscar.aol.com on port 5190/tcp may prevent users on the local network from authenticating to the AIM server. This may be sufficient to prevent the vulnerability from being exploited.
Block Untrusted Messages
AIM permits the user to accept messages only from known peers. By enabling this feature, you may be able to prevent the vulnerability from being exploited. Note that you may still be vulnerable to attacks that originate from known peers if the vulnerability is exploited in a worm-like fashion.
907819
Notified: January 02, 2002 Updated: January 03, 2002
Affected
America Online Security Advisory
Post date: January 3, 2002
Subject: Buffer Overflow Vulnerability in AOL Instant Messenger for Windows
Problem:
A potential vulnerability was found in AOL Instant Messenger (AIM) for Windows software which might have allowed the compromise of systems running certain versions of the AIM client. The exploit mechanism involves sending messages specifically designed to exercise a buffer overflow vulnerability in the AIM client, which results in a condition on the target system that could potentially allow an attacker to execute arbitrary code. The buffer overflow condition is only valid for message types which require traversal through the AOL server complex; peer to peer messaging functions are not vulnerable to this exploit.
Mitigation:
As of the morning of January 3, 2002, AOL has modified the AIM server side infrastructure to counter attacks of this type, protecting AIM users from this exploit. Additionally, the next release of the AIM client software will include changes which remove the buffer overflow condition.
AIM is not vulnerable to this buffer overflow condition through any peer-to-peer messages, therefore the server side mitigations protect all clients from this exploit.
Vulnerable Versions:
Please note, due to the server side modifications, AIM users are no longer vulnerable to this exploit, regardless of client software version.
AIM software containing the buffer overflow:
AIM for Windows, version 1.0 - 3.0.1415
AIM for Windows, version 4.3.2229 and greater (4.8.2616 is the latest beta version)
Unaffected software:
All AIM clients for non-Windows platforms would not have been affected. Additionally, the AIM client integrated with the Netscape 6 browser would not have been vulnerable. AOL members using the internal AOL Buddy List in the AOL client would not have been affected.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23907819 Feedback>).
This vulnerability was discovered by Matt Conover ([email protected]).
This document was written by Cory F. Cohen.
CVE IDs: CVE-2002-0005
Severity Metric: 19.94
Date Public: