Date: Mon, 19 Apr 1999 22:00:00 -0500
From: Adam Brown
To: BUGTRAQ@netspace.org
Subject: AOL Instant Messenger URL Crash

There is a bug in the newer versions of AOL's Instant Messenger that will
cause the client to crash when exploited. All builds of version 2.0 that
I've tested seem to be vulnerable, although I have not done extensive
version testing. AOL was notified of this about two weeks ago. To exploit
this bug, send a hyperlink in this format:

aim:addbuddy?=screenname

Have fun,
SpunOne
http://www.fazed.net
http://www.webzone.net

--------------------------------------------------------------------------

Date: Tue, 20 Apr 1999 16:24:02 -0400
From: Daniel Reed
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

On Mon, 19 Apr 1999, Adam Brown wrote:
) There is a bug in the newer versions of AOL's Instant Messenger that will
) cause the client to crash when exploited. All builds of version 2.0 that
) I've tested seem to be vulnerable, although I have not done extensive
) version testing. AOL was notified of this about two weeks ago. To exploit
) this bug, send a hyperlink in this format: aim:addbuddy?=screenname

I just sent what does this show up as? to an AOL AIM 2.0.996 user and once
she *clicked* on it AIM crashed. I don't know if you meant to say that the
user had to click on it for the client to crash, or if this is indeed
different behaviour.

I also just tried it with "screenname" replaced with first her screenname,
and then with mine, again with no automatic reaction.

(sent from linuxkitty, a naim-0.9.4-parse2 user, to , an AOL AIM 2.0.996 user)
[15:59:43] linuxkitty: [LINK:href="aim:addbuddy?=screenname":what does this show up as]?
[16:00:23] Friend has just logged off :(
[16:03:09] Friend is now online =)
[16:14:14] linuxkitty: [LINK:href="aim:addbuddy?=":miaow miaow] (don't click on that, I'm just testing something)
[16:14:50] linuxkitty: [LINK:href="aim:addbuddy?=linuxkitty":another test...]
--
Daniel Reed
Many a false step is made by standing still...

--------------------------------------------------------------------------

Date: Tue, 20 Apr 1999 16:34:16 -0500
From: Adam Brown
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

I'm sorry if I was unclear in my first post. The only way I've seen to
exploit this is to send someone a hyperlink in the form of
aim:addbuddy?=screenname and have them click on it. (replacing "screenname"
with an actual screen name seems to give the same result) You can also set
up a web page that will redirect your victim to a client crashing URL once
they've caught on to your evil little scheme. :p I set up an example of
this at http://www.fazed.net/poof for testing purposes, of course.

Adam Brown
SpunOne@IRC
http://www.fazed.net
http://www.webzone.net

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 14:30:40 -0400
From: Eric L. Howard
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

I haven't been able to duplicate this on any 2.0.8* builds...I've tested
about 15 different people and none in the 2.0.8* builds were affected. All
others tested were in the 2.0.9* build and died immediately, some causing
the user to have to reboot, all rendering AIM completely unable to be
restarted for several minutes after the Dr. Watson cleared on NT.

~ELH~

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 18:14:59 -0700
From: Adam Herscher
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

The problem could not be duplicated on AIM 2.0.813 (Windows 98) running IE
5.0 - Is it possible that this is in part a problem with IE 4.0?
Adam Herscher (ajh-)

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 18:07:12 -0700
From: Adam Herscher
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

>I'm sorry if I was unclear in my first post. The only way I've seen to
>exploit this is to send someone a hyperlink in the form of
>aim:addbuddy?=screenname and have them click on it. (replacing "screenname"
>with an actual screen name seems to give the same result) You can also set
>up a web page that will redirect your victim to a client crashing URL once
>they've caught on to your evil little scheme. :p I set up an example of
>this at http://www.fazed.net/poof for testing purposes, of course.
>
>Adam Brown
>SpunOne@IRC
>http://www.fazed.net
>http://www.webzone.net

This doesn't seem to work on the Mac versions (tested 2.01.644)

Adam Herscher (ajh-)