The previously reported AOL Instant Messenger heap overflow is restricted to the "goim" handler. The unchecked escaping is performed on the "screenname" query string parameter. The vulnerability is exploited when the user clicks "Get Info" to request information on the buddy. AIM dies with an access violation when trying to execute 0x656C6261. As there is nothing stored there, AIM faults and dies:

    EAX = 000000A0  EBX = 00000000  ECX = 00000003  EDX = 00A00000
    ESI = 00C90A00  EDI = 010B3E90  EIP = 656C6261  ESP = 0063F42C
    EBP = 6C696176  EFL = 00010206
    CS = 017F  DS = 0187  ES = 0187  SS = 0187  FS = 2FAF  GS = 0000
    OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
    ST0 = +0.00000000000000000e+0000  ST1 = +0.00000000000000000e+0000
    ST2 = +0.00000000000000000e+0000  ST3 = +0.00000000000000000e+0000
    ST4 = +0.00000000000000000e+0000  ST5 = +1.95075000000000000e+0005
    ST6 = +4.30449203000000000e+0008  ST7 = +1.00000000000000000e+0000
    CTRL = 027F  STAT = 4020  TAGS = FFFF
    EIP = 70CC8ECD  CS = 017F  DS = 0187  EDO = 70CC8E48

This vulnerability is really not a serious one, given the high level of user interaction required for successful exploitation. I tried to "spray" data on the heap to overwrite other structures, but this proved useless.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
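A small crash-triage helper, added here as an example and not part of the original post, that parses a register dump like the one above and flags registers whose values read as printable ASCII when interpreted as the little-endian bytes they occupy in memory. Such values (here EIP and EBP) are the usual sign that string bytes from the overflowed buffer overwrote saved control data rather than a pointer simply being stale; the sample input is the general-purpose register block quoted from the report.

```python
import re
import string
from typing import Optional

# General-purpose register block quoted from the AIM "goim" crash report above.
AIM_CRASH_DUMP = (
    "EAX = 000000A0 EBX = 00000000 ECX = 00000003 EDX = 00A00000 "
    "ESI = 00C90A00 EDI = 010B3E90 EIP = 656C6261 ESP = 0063F42C "
    "EBP = 6C696176 EFL = 00010206"
)

# "NAME = XXXXXXXX" pairs; only 32-bit values, so the 16-bit segment registers are skipped.
_REG_RE = re.compile(r"\b([A-Z]{2,3})\s*=\s*([0-9A-Fa-f]{8})\b")
# Printable ASCII, but treat control whitespace (tab, newline, ...) as non-text.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_registers(dump: str) -> dict:
    """Return {name: value} for each 32-bit register in the dump.
    The first occurrence wins, so a second partial dump appended later
    (like the trailing 'EIP = 70CC8ECD' in the report) does not clobber EIP."""
    regs = {}
    for name, hexval in _REG_RE.findall(dump):
        regs.setdefault(name, int(hexval, 16))
    return regs


def as_ascii_le(value: int) -> Optional[str]:
    """Decode a 32-bit value as the four little-endian bytes it occupies in memory.
    Return the text only if every byte is printable ASCII, else None."""
    text = value.to_bytes(4, "little").decode("latin-1")
    return text if all(ch in _PRINTABLE for ch in text) else None


def suspicious_registers(dump: str) -> dict:
    """Registers whose contents look like text rather than a pointer or counter.
    ASCII in EIP or EBP means string data overwrote a return address / frame pointer."""
    return {name: s for name, val in parse_registers(dump).items()
            if (s := as_ascii_le(val)) is not None}


if __name__ == "__main__":
    for name, text in suspicious_registers(AIM_CRASH_DUMP).items():
        print(f"{name} holds ASCII {text!r}")
```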