AUSCERT External Security Bulletin Redistribution

                    ESB-2002.002 -- ISS Security Alert
               AOL Instant Messenger Remote Buffer Overflow
                              3 January 2002


        AusCERT Security Bulletin Summary

Product:                AOL Instant Messenger versions 4.3 through 4.7.2480
                        AOL Instant Messenger versions 4.8.2616 (beta)
Vendor:                 AOL
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


Internet Security Systems Security Alert
January 2, 2002

AOL Instant Messenger Remote Buffer Overflow


Internet Security Systems (ISS) X-Force has learned of a remote buffer
overflow vulnerability in the popular AOL Instant Messenger (AIM)
software. An exploit for this vulnerability has been released publicly.
This vulnerability may allow remote attackers to execute arbitrary
commands on a victim’s system. The victim is unable to refuse the
request or determine who initiated the attack.

Affected Versions:

AOL Instant Messenger versions 4.3 through 4.7.2480 for Windows
AOL Instant Messenger version 4.8.2616 for Windows (beta)

Note: AOL Instant Messenger versions prior to 4.3 have not been tested.
Previous versions that contain the Games feature may also be vulnerable.


The AOL Instant Messenger program is used by over 100 million users to
send messages, share and transfer files, talk over the Internet, check
stock prices and headlines, and play games.

A vulnerability exists in the code that processes game requests, which
may allow attackers to execute arbitrary code on a remote AIM user’s
system. The victim is not able to refuse the game request in order to
block the exploit. This vulnerability is relatively easy to exploit, and
the exploit can contain a large and complex payload.

This is a serious vulnerability in a very widely used software product.
If a worm like Code Red or Nimda were written to exploit this
vulnerability, it would likely spread very rapidly, and could
potentially damage both personal and business systems.


ISS X-Force recommends that users upgrade to the latest version of AOL
Instant Messenger as soon as a fix becomes available.

Until a fixed version of AOL Instant Messenger is available, system
administrators are encouraged to block "login.oscar.aol.com" and port
5190 at the firewall. This will prevent AIM users from logging in to the
AIM service.

ISS RealSecure intrusion detection customers may use the following
connection event to detect access attempts by AOL Instant Messenger
servers to AIM clients, including both normal connections and attempts
to exploit this vulnerability. Follow the instructions below to apply
the connection event to your policy.

1. Choose the policy that you want to use, and then click 'Customize'.
2. Select the 'Connection Events' tab.
3. In the right pane, click 'Add'.
4. Create a Connection Event.
5. Type in a name of the event, such as 'AIM_5190'.
6. In the 'Response' field for the event, select the responses you want
   to use.
   In the 'Protocol' field, select TCP.
   In the 'Src Port/Type' field, select the entry for AOL port 5190.
   Click 'OK'.
7. Save the changes, and then close the window.
8. Click 'Apply to Sensor' or 'Apply to Engine' depending on the version
   of RealSecure you are using.
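A small detection check, added here as an example (not part of the ISS alert or any ISS product), that applies the same idea as the firewall block and the RealSecure connection event above: flag TCP port 5190 traffic in a connection log and count it per internal host so the remaining AIM clients can be found and upgraded. The log line format and the sample addresses are constructed for the example.

```python
"""Added example: flag AIM traffic (TCP port 5190) in a constructed connection log,
mirroring the firewall block and the 'AIM_5190' connection event the alert recommends."""
import re
from collections import Counter

AIM_PORT = 5190
AIM_LOGIN_HOST = "login.oscar.aol.com"

# Constructed log format (assumption): PROTO src:sport -> dst:dport [hostname]
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<host>\S+))?$"
)

# Constructed sample lines; addresses are documentation ranges, not real AIM servers.
SAMPLE_LOG = """\
TCP 192.0.2.10:1034 -> 203.0.113.5:5190 login.oscar.aol.com
TCP 203.0.113.5:5190 -> 192.0.2.10:1034
TCP 192.0.2.11:1100 -> 198.51.100.7:80 www.example.com
TCP 203.0.113.9:5190 -> 192.0.2.12:2210
UDP 192.0.2.10:5190 -> 192.0.2.1:53
garbage line that does not parse
"""

def classify(line):
    """Return (event_label, internal_host) for one log line, or None if not AIM traffic."""
    m = LINE_RE.match(line.strip())
    if not m or m["proto"] != "TCP":      # the connection event is TCP only
        return None
    if int(m["sport"]) == AIM_PORT:       # AIM server talking to a client (RealSecure event)
        return ("aim_server_to_client", m["dst"])
    if int(m["dport"]) == AIM_PORT or m["host"] == AIM_LOGIN_HOST:
        return ("aim_client_login", m["src"])   # client login: what the firewall block stops
    return None

def aim_clients(log_text):
    """Count flagged AIM events per internal host so each AIM client can be upgraded."""
    hosts = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event:
            hosts[event[1]] += 1
    return hosts
```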

To reduce the risk from this vulnerability until a fixed version is
available, AOL Instant Messenger users should block unknown users from
contacting them using AIM. However, this will not provide complete
protection, because users on your Buddy List can still contact you. If
this vulnerability is built into a worm, this attack may come from users
on your Buddy List without their knowledge.

To block unknown users in AIM:
1. Go to My AIM -> Edit Options -> Edit Preferences.
2. In the left pane, select the Privacy category.
3. In the "Who can contact me" section, select "Allow only users on my
   Buddy List".

Internet Scanner X-Press Update version 6.4 will be available for
download at the following URL on January 3, 2002:

ISS X-Force will provide detection support for this vulnerability in an
upcoming X-Press Update for RealSecure Network Sensor. Detection
support for this attack will also be added in a future update for
BlackICE products.

Additional Information:

This vulnerability was discovered and released by w00w00.


About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 9,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations
in Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net
or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.


The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force xforce@iss.net of Internet Security Systems, Inc.



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
