AOL Instant Messenger BuddyIcon Buffer Overflow Vulnerability

Bugtraq ID:	2122
Class:	Boundary Condition Error
CVE:
Remote:	Unknown
Local:	Unknown
Published:	Dec 12 2000 12:00AM
Updated:	Dec 12 2000 12:00AM
Credit:	Discovered and posted in a security advisory by @stake Inc <www.atstake.com> on Dec 12, 2000.
Vulnerable:	AOL Instant Messenger 4.2.1193 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 AOL Instant Messenger 4.1.2010 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 AOL Instant Messenger 4.0 - Apple Mac OS 9 9.0 - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows CE 3.0 - Microsoft Windows NT 4.0
Not Vulnerable:	AOL Instant Messenger 4.3.2229 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows CE 3.0 - Microsoft Windows CE 2.0 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0

AOL Instant Messenger BuddyIcon Buffer Overflow Vulnerability

The following exploit is provided by @stake <www.atstake.com>:

aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localhost/AAA...

AOL Instant Messenger BuddyIcon Buffer Overflow Vulnerability

Solution:
This vulnerability has been addressed in AOL Instant Messenger 4.3.2229: Users are advised to upgrade to the newest version.

http://www.aol.com/aim/download.html

AOL Instant Messenger BuddyIcon Buffer Overflow Vulnerability

References:

• AOL Instant Messenger Home Page (AOL)
  
• Multiple Vulnerabilities in AOL Instant Messenger (@stake)