Deleting the "HKEY_CLASSES_ROOT\aim" registry key is not a permanent mitigation but a per-session change that has to be implemented every time AOL Instant Messenger is instantiated. The reason for this is that if the HKCR\aim key is missing when AIM is launched AIM will simply recreate the key and thus the URL protocol. If you want to mitigate against any use of the AIM protocol the most viable approach is to implement a URL protocol handler to either filter or disregard the data. You can read more about asynchronous pluggable protocols in IE at http://msdn.microsoft.com/workshop/networking/pluggable/overview/overvie w.asp If you want to simply disregard any data sent to the aim: URL protocol you can implement the about: URL protocol handler which is located at HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about\CLSID This REG_SZ value contains the data "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}" which points at MSHTML.DLL and ensures that any data sent through the protocol will not be parsed by its intended application. AIM doesn't have a URL protocol handler of its own so you will have to create the keys yourself. This would be equivelant to the following .reg file: ======= neuteraimurl.reg ======= Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\PROTOCOLS\Handler\aim] "CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}" ======= neuteraimurl.reg ======= If you implement this registry change the aim URL protocol handler will be neutered. You can find a copy of this file at http://www.pivx.com/research/freefixes/neuteraimurl.reg Feel free to implement this registry fix as you see fit. There are a lot of potentially dangerous URL protocols on any Windows system (e.g., take a look at callto: or ldap:). You can locate all the URL protocols on your system by searching through your registry for a REG_SZ value called "URL Protocol" which is located under "HKCR\*\URL Protocol". As an example, you can neuther the Shell protocol in a similar manner. End-node security solutions can help mitigate the risk of URL protocols by filtering data and implementing the lacking input validation. Qwik-Fix Pro is currently having several fixes developed that protect against exploitation of not only the aim URL protocol but other potentially malicious URL protocols as well. You can download a copy of Qwik-Fix Pro at http://www.pivx.com/qwikfix/ Regards Thor Larholm Senior Security Researcher PivX Solutions 23 Corporate Plaza #280 Newport Beach, CA 92660 http://www.pivx.com thor@xxxxxxxx Stock symbol: (PIVX.OB) Phone: +1 (949) 231-8496 PGP: 0x4207AEE9 B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: homicidal@xxxxxxxxx [mailto:homicidal@xxxxxxxxx] Sent: Tuesday, August 10, 2004 1:12 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability THIS WAS NOT DISCOVERED BY ME. Source: Secunia (http://secunia.com/advisories/12198/) Description: Ryan McGeehan has reported a vulnerability in AOL Instant Messenger (AIM), which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the handling of "Away" messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long "Away" message (about 1024 bytes). A malicious website can exploit this via the "aim:" URI handler by passing an overly long argument to the "goaway?message" parameter. Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers. The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected. NOTE: Various other issues were also reported, where a large amount of resources can be consumed on a user's system. Solution: The vendor has contacted Secunia and recommends that users install a beta version, which addresses the vulnerability, or remove support for the "aim:" URI handler by deleting the "HKEY_CLASSES_ROOT\aim" registry key. A new non-beta version is forthcoming. Provided and/or discovered by: The vulnerability was discovered independently by the following around the same time: 1) Ryan McGeehan and Kevin Benes, TheBillyGoatCurse.com. 2) Matt Murphy
