Bugtraq mailing list archives
Modified images can lead to JavaScript/VBScript execution in AIM
From: Dont Know Guilt <dontknowguilt () HOTMAIL COM>
Date: Wed, 24 Jan 2001 10:49:54 -0600
Software Affected: AOL Instant Messenger

Versions Affected: 4.1 to current (including 4.4 alpha); older versions are probably affected as well.

Details:

AOL Instant Messenger has the ability to embed images into an instant message. The user sends the graphic to the person they wish to show it to, and the graphic shows up on that person's screen. However, if the graphic is not a valid image, an icon is displayed showing the file type (e.g., if you send an invalid JPEG image, the icon will show ".JPG").

The bug lies in the way AIM handles these images when saving chat conversations. The images are saved in the following format:

<BINARY><STYLE><DATA ID="1" SIZE="66">Data that would be inside a GIF</DATA></BINARY>

If you were to send an HTML file containing malicious JavaScript/VBScript code, given an image extension and starting with </DATA></STYLE></BINARY>, then the code would be executed if logs of the conversation were saved and viewed with the default browser. One could also embed a web bug, Java applet, etc.

With versions of AIM prior to 4.4, this may be a trick. In AIM 4.4, however, IM logs are saved by default to C:\AimLogs\Username\IMLog.htm, and while AIM has a utility to view the logs, it is not too outlandish to think that some users might view the logs directly in their browsers.

Additionally, you can also take a legitimate image and append the HTML code to the end of it, which achieves the same result.

If there is any consolation, it is that Internet Explorer will ask before letting the log do anything malicious; however, if the user chooses Yes the first time, it is possible to disable the confirmation, as well as to manipulate the registry to allow any AIM user access to any file.

Workaround:

There are a few things that can be done. The first is simply not to accept any image connections. Also, if you are going to view the logs, make sure you have ActiveX disabled, and don't click Yes if it asks.
Additionally, if using AIM 4.4 or higher, always view the logs from the Log Manager. The other option is to save the logs as a text file rather than as HTML.

Vendor Status: AOL was notified on Thursday, January 18th, but I never received any response.

Special Thanks to: Total Konfuzion, who helped me with working out the details of the exploit. Without him, it probably wouldn't have been possible. If you get a chance, you can also check out his site, http://codemonkey.hldns.com.

Greetings to: AIM Computing Chat

Dont Know Guilt
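As an added defender-side example (not from the post above, and not AIM's own code): a Python checker for logs in the <BINARY><STYLE><DATA ...> format described in the post. It assumes SIZE is the byte length of the embedded payload, uses that length rather than the first </DATA> to find the real payload boundary, flags payloads that would close the container early, and shows the fix a log writer should apply, entity-escaping the payload so a browser renders it as text.

```python
import html
import re

# Constructed sample in the log format described above. The DATA payload is a
# sent "image" whose bytes start with tags that close the container early, so a
# browser would parse what follows as live HTML. (Assumption: SIZE is the byte
# length of the embedded payload; the post does not say so explicitly.)
PAYLOAD = '</DATA></STYLE></BINARY><script>alert("log")</script>'
MALICIOUS_LOG = '<BINARY><STYLE><DATA ID="1" SIZE="%d">%s</DATA></BINARY>' % (
    len(PAYLOAD), PAYLOAD)
BENIGN_LOG = '<BINARY><STYLE><DATA ID="1" SIZE="5">GIF89</DATA></BINARY>'

DATA_OPEN = re.compile(r'<DATA ID="(\d+)" SIZE="(\d+)">')
# Any open or close tag of the three container elements inside a payload
# terminates the container early when a browser parses the file.
BREAKOUT = re.compile(r'</?(DATA|STYLE|BINARY)\b', re.IGNORECASE)


def _payloads(log):
    """Yield (match, start, end) for each DATA block, using SIZE rather than
    the first </DATA> to find the real payload boundary, and skipping any
    <DATA ...> text that merely appears inside an earlier payload."""
    pos = 0
    for m in DATA_OPEN.finditer(log):
        if m.start() < pos:
            continue
        start, end = m.end(), m.end() + int(m.group(2))
        yield m, start, end
        pos = end


def find_breakouts(log):
    """Return the IDs of DATA blocks whose payload would break out of the
    container when the log is opened in a browser."""
    return [m.group(1) for m, s, e in _payloads(log) if BREAKOUT.search(log[s:e])]


def harden_log(log):
    """Rewrite the log with every DATA payload HTML-entity-escaped, which is
    what a log writer should do: the browser then shows the bytes as text
    instead of interpreting them as markup."""
    out, pos = [], 0
    for _, start, end in _payloads(log):
        out.append(log[pos:start])
        out.append(html.escape(log[start:end], quote=False))
        pos = end
    out.append(log[pos:])
    return ''.join(out)
```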