-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                   ESB-2002.002 -- ISS Security Alert
             AOL Instant Messenger Remote Buffer Overflow
                              3 January 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                AOL Instant Messenger versions 4.3 through 4.7.2480
                        AOL Instant Messenger version 4.8.2616 (beta)
Vendor:                 AOL
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
January 2, 2002

AOL Instant Messenger Remote Buffer Overflow

Synopsis:

Internet Security Systems (ISS) X-Force has learned of a remote buffer
overflow vulnerability in the popular AOL Instant Messenger (AIM) software.
An exploit for this vulnerability has been released publicly. This
vulnerability may allow remote attackers to execute arbitrary commands on a
victim's system. The victim is unable to refuse the request or determine
who initiated the attack.

Affected Versions:

AOL Instant Messenger versions 4.3 through 4.7.2480 for Windows
AOL Instant Messenger version 4.8.2616 for Windows (beta)

Note: AOL Instant Messenger versions prior to 4.3 have not been tested.
Previous versions that contain the Games feature may also be vulnerable.

Description:

The AOL Instant Messenger program is used by over 100 million users to send
messages, share and transfer files, talk over the Internet, check stock
prices and headlines, and play games. A vulnerability exists in the code
that processes game requests, which may allow attackers to execute arbitrary
code on a remote AIM user's system. The victim is not able to refuse the
game request in order to block the exploit.
This vulnerability is relatively easy to exploit, and the exploit can contain
a large and complex payload. This is a serious vulnerability in a very widely
used software product. If a worm like Code Red or Nimda were written to
exploit this vulnerability, it would likely spread very rapidly, and could
potentially damage both personal and business systems.

Recommendations:

ISS X-Force recommends that users upgrade to the latest version of AOL
Instant Messenger as soon as a fix becomes available.

Until a fixed version of AOL Instant Messenger is available, system
administrators are encouraged to block "login.oscar.aol.com" and port 5190
at the firewall. This will prevent AIM users from logging in to the AIM
service.

ISS RealSecure intrusion detection customers may use the following
connection event to detect access attempts by AOL Instant Messenger servers
to AIM clients, including both normal connections and attempts to exploit
this vulnerability. Follow the instructions below to apply the connection
event to your policy.

1. Choose the policy that you want to use, and then click 'Customize'.
2. Select the 'Connection Events' tab.
3. In the right pane, click 'Add'.
4. Create a Connection Event.
5. Type a name for the event, such as 'AIM_5190'.
6. In the 'Response' field for the event, select the responses you want to
   use. In the 'Protocol' field, select TCP. In the 'Src Port/Type' field,
   select the entry for AOL port 5190. Click 'OK'.
7. Save the changes, and then close the window.
8. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of
   RealSecure you are using.

To reduce the risk from this vulnerability until a fixed version is
available, AOL Instant Messenger users should block unknown users from
contacting them using AIM. However, this will not provide complete
protection, because users on your Buddy List can still contact you.
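The firewall and RealSecure recommendations above amount to one network-side check: report TCP connections that involve the AIM service port 5190, in either direction. The following Python is an added example (not part of the ISS or AusCERT bulletin, and not RealSecure code) that runs that check over constructed connection-log lines and separates inside-to-service logins from service-to-client traffic, which is what the 'Src Port 5190' event matches. The log line format, the 192.168.10.0/24 internal range and every address in the sample are assumptions made for the illustration; the external addresses come from the RFC 5737 documentation ranges and are not AIM servers.

```python
"""Flag AIM (OSCAR) connections in constructed firewall-style connection logs.

Added example, not part of the ISS/AusCERT bulletin and not ISS RealSecure
code. It reproduces in software the connection event the bulletin describes:
report TCP connections in which port 5190 is involved. Log format, hosts and
addresses below are all made up for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AIM_PORT = 5190  # the AIM/OSCAR service port named in the bulletin

# Hypothetical connection log format (constructed for this example):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: two lines of one ordinary login (client to service,
# then the service replying from port 5190), one unrelated web hit, one UDP
# line that the TCP-only event must ignore, one inbound TCP from an unknown
# host using source port 5190, and one unparseable line.
SAMPLE_LOG = """\
2002-01-03T09:14:01Z TCP 192.168.10.25:3412 -> 198.51.100.7:5190
2002-01-03T09:14:02Z TCP 198.51.100.7:5190 -> 192.168.10.25:3412
2002-01-03T09:15:10Z TCP 192.168.10.25:3501 -> 198.51.100.9:80
2002-01-03T09:16:44Z UDP 192.168.10.31:5190 -> 192.168.10.25:5190
2002-01-03T09:17:00Z TCP 203.0.113.77:5190 -> 192.168.10.40:1044
this line is garbage and must be skipped
"""

# Assumed site LAN; adjust to the real internal ranges when deploying.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

Parsed = Tuple[str, str, str, int, str, int]  # ts, proto, sip, sport, dip, dport


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    kind: str  # "client_login" or "server_to_client"
    line: str


def parse_line(line: str) -> Optional[Parsed]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return (d["ts"], d["proto"], d["sip"], int(d["sport"]),
            d["dip"], int(d["dport"]))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(parsed: Parsed) -> Optional[str]:
    """Apply the bulletin's connection event: TCP only, port 5190 involved."""
    _ts, proto, sip, sport, dip, dport = parsed
    if proto != "TCP":
        return None
    if dport == AIM_PORT and is_internal(sip) and not is_internal(dip):
        return "client_login"       # inside host reaching the AIM service
    if sport == AIM_PORT and not is_internal(sip) and is_internal(dip):
        return "server_to_client"   # what the 'Src Port 5190' event matches
    return None


def scan(log_text: str) -> List[Event]:
    """Run the event over every line; unparseable lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind = classify(parsed)
        if kind:
            ts, _proto, sip, sport, dip, dport = parsed
            events.append(Event(ts, f"{sip}:{sport}", f"{dip}:{dport}", kind, line))
    return events


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.kind:16} {ev.src} -> {ev.dst}")
```

As the bulletin itself warns, this event fires on every ordinary AIM session as well as on an exploit attempt; at the connection layer the two look identical. Its output is therefore an inventory of hosts that still run AIM and need the fixed version, and a lead for correlation, not evidence of compromise on its own.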
If this vulnerability is built into a worm, this attack may come from users
on your Buddy List without their knowledge.

To block unknown users in AIM:

1. Go to My AIM -> Edit Options -> Edit Preferences.
2. In the left pane, select the Privacy category.
3. In the "Who can contact me" section, select "Allow only users on my
   Buddy List".

Internet Scanner X-Press Update version 6.4 will be available for download
at the following URL on January 3, 2002:

http://www.iss.net/db_data/xpu/IS.php

ISS X-Force will provide detection support for this vulnerability in an
upcoming X-Press Update for RealSecure Network Sensor. Detection support for
this attack will also be added in a future update for BlackICE products.

Additional Information:

This vulnerability was discovered and released by w00w00.

______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 9,000 customers worldwide including
21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations in
Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net or
call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force.
If you wish to reprint the whole or any part of this Alert in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBPDN9izRfJiV99eG9AQGKFwQAmc6GV3Nh20M9AOXvr8EfApV9YySTNlUl
Glcq8/op/ZmY4ymqieHKR4SSNN0kK+0miYXGtpmViDQ/w0xbFOiaR9aHo16OaFpT
WmsxwfHgSO60PVOfzg89snzrR9chb+HVbYQhLBSKkKPPCXRlUKkWzYdY6cvba4ZY
QeYslPwYD9s=
=7pFV
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPDRHiyh9+71yA2DNAQELVAP+On9gUIopOpICYZBcdYywSwJ5QmXFdmsk
SQLN6GpHUfhnw0aQ1gludjvn6/EWPwrAA3zBKLo76jQSfxg9jOBSlDI/3+upwUUw
t//xDrf6maFxxxMIoJ784phEpkbUmujPVvYNzumsV4paxidK25Rv3fi8xl5Dsv7v
FueBEodna3o=
=gjho
-----END PGP SIGNATURE-----