BugTraq
AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability Feb 03 2006 02:28AM
shell dotshell net (2 replies)
Re: AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability Feb 04 2006 06:10PM
Stan Bubrouski (stan bubrouski gmail com)
On the other hand I can't seem to reproduce the below-mentioned bug
either on win2k up2date with AIM 5.9.3861.

-sb

On 3 Feb 2006 02:28:56 -0000, shell (at) dotshell (dot) net [email concealed] <shell (at) dotshell (dot) net [email concealed]> wrote:
> As I submitted to full disclosure:
>
> "I have discovered that there is a buffer overrun vulnerability in AOL's Instant Messenger program. I have only tested this on version 5.9.3861. The problem causes a minimum of a program crash. I am not sure as to the posibility of shellcode execution.
>
> The vulnerability can be exploited by supplying an overly large username from which to obtain "buddy info."
>
> If you are unsure as to what I am talking about, I can post a screenshot."
>
> Well, I made a Macromedia Captivate-made video of it. http://www.dotshell.net/aim.swf. What I am thinking is that a program can be written to write an overlong string and shellcode to the address effected and execute the same operation to leverage the problem.
>

[ reply ]
Re: AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability Feb 03 2006 09:42PM
Stan Bubrouski (stan bubrouski gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus