Bugtraq mailing list archives

Modified images can lead to JavaScript/VBScript execution in AIM


From: Dont Know Guilt <dontknowguilt () HOTMAIL COM>
Date: Wed, 24 Jan 2001 10:49:54 -0600

Software Affected: AOL Instant Messenger

Versions Affected: 4.1 to current (including 4.4 alpha), older versions
probably affected

Details: AOL Instant Messenger has the ability to embed images into an
instant message. The user sends the graphic to the person they wish to show,
and the graphic shows up on that person's screen. However, if the graphic is
not a valid image, then an icon will be displayed showing the file type (i.e.,
if you send an invalid JPEG image, then the icon will show ".JPG").

The bug occurs in the way that the images are handled by AIM when saving
chat conversations. The images are saved in the following format:

<BINARY><STYLE><DATA ID="1" SIZE="66">Data that would be inside a
GIF</DATA></BINARY>

If you were to send an HTML file containing malicious JavaScript/VBScript
code, given an image extension, whose contents started with
</DATA></STYLE></BINARY>, then the code would be executed if logs of the
conversation were saved and viewed with the default browser. One could also
embed a web bug, Java applet, etc. With versions of AIM previous to 4.4,
this may be tricky. In AIM 4.4, however, IM logs are saved by default to
C:\AimLogs\Username\IMLog.htm, and while AIM has a utility to view the logs,
it's not too outlandish to think that some might view the logs directly with
their browsers. Additionally, you can also take a legitimate image and
append the HTML code to the end of the image, which achieves the same
results.

If there is any consolation, it is in the fact that Internet Explorer will
ask before letting the log do anything malicious, although if the user
chooses yes this first time, it's possible to disable the confirmation, as
well as manipulate the registry to allow access to any file to any AIM user.
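The log layout described above suggests a straightforward defensive check: treat whatever sits inside a DATA element strictly as data, flag any payload that contains tag-like text (whether it leads the file or is appended to a real image), and escape it before the log is ever opened in a browser. The following is an added example, not code from this advisory or from AOL; the record layout follows the advisory, while the sample records and function names are constructed here.

```python
import html
import re

# Constructed sample records in the layout the advisory shows for images in
# saved AIM conversation logs. The "image bytes" are stand-ins, not real GIFs.
CLEAN_RECORD = '<BINARY><STYLE><DATA ID="1" SIZE="66">GIF89a\x01\x02\x03</DATA></BINARY>'
# A record whose image payload closes the container early and then carries
# markup, the condition the advisory describes; the script body is an inert stub.
TAMPERED_RECORD = ('<BINARY><STYLE><DATA ID="2" SIZE="70">GIF89a\x01\x02'
                   '</DATA></STYLE></BINARY><script>stub()</script>'
                   '</DATA></BINARY>')

# A payload ends only at the </DATA> that is immediately followed by </BINARY>
# and then either the next record or end of input. Requiring that trailer means
# an early </DATA></STYLE></BINARY> inside the payload does not end the match,
# so the injected markup stays inside the captured payload for inspection.
DATA_RECORD = re.compile(
    r'(<DATA\b[^>]*>)(.*?)(</DATA>)(?=</BINARY>(?:<BINARY>|\s*$))',
    re.IGNORECASE | re.DOTALL)
# Anything a browser would start parsing as a tag: "<" plus optional "/" and a letter.
TAG_LIKE = re.compile(r'<\s*/?[A-Za-z]')


def image_payloads(log_text):
    """Return the raw payload of every DATA element in an AIM-style log."""
    return [m.group(2) for m in DATA_RECORD.finditer(log_text)]


def is_tampered(payload):
    """True if the image bytes contain anything a browser would parse as a tag."""
    return TAG_LIKE.search(payload) is not None


def find_tampered_records(log_text):
    """IDs of DATA records whose payload could break out of its container."""
    ids = []
    for m in DATA_RECORD.finditer(log_text):
        if is_tampered(m.group(2)):
            id_match = re.search(r'ID="([^"]*)"', m.group(1), re.IGNORECASE)
            ids.append(id_match.group(1) if id_match else '?')
    return ids


def sanitize_log(log_text):
    """Escape every DATA payload so a browser renders it as text, never markup."""
    return DATA_RECORD.sub(
        lambda m: m.group(1) + html.escape(m.group(2), quote=False) + m.group(3),
        log_text)
```

Running find_tampered_records over a saved log before opening it, or sanitize_log on the way to disk, turns the advisory's breakout sequence into inert text.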

Workaround: There are a few things that can be done. The first is simply not
to accept any image connections. Also, if you're going to view the logs, make
sure you have ActiveX disabled, and don't click Yes if it asks. Additionally,
if using AIM 4.4 or higher, always view the logs from the Log Manager. The
other option is to save the logs as a text file rather than as HTML.

Vendor Status: AOL was notified on Thursday, January 18th, but I never
received any response.

Special Thanks to: Total Konfuzion, who helped me with working out the
details of the exploit. Without him, it probably wouldn't have been
possible. If you get a chance, you can also check out his site,
http://codemonkey.hldns.com.

Greetings to: AIM Computing Chat

Dont Know Guilt
