AIM User Buffer Overflow Vulnerability

Gumby

AIM:RegisterUser Buffer Overflow Vulnerability Gumby.net
POST YOUR VERSION THAT WORKED, TEST 5.9-6.5 www.aim.com

This educational article is based on my own observations. If you know some of it is incorrect, please
instant message me about it.

This vulnerability, but if you have clicked it, you may not know how to undo
the changes it makes. Read on to learn more about it.

###########################################################################
What it does:
It will either crash AIM once, or it will crash AIM and will continue to crash AIM every time you attempt
to open it. This depends on whether you are logged in when you click the link. If you are logged in, it will crash
every time.

###########################################################################
How it's done:
By clicking a link (aim:registeruser) containing at least 71 characters that aren't removed from screen names
on the sign on screen. Mostly any character you cannot easily access from the keyboard will work.

Will Work: • ç £

Will Not Work: A 9 ^

There are also other ways to cause the overflow, like using some combinations of regular characters and the
characters that are removed, but using 71 to 99 of the "abnormal" characters will work fine. (If the screen
name field is larger than 99 characters, AIM will not crash.)

Example: aim:registeruser?screenname=¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾¾&password=password&signonnow=true

###########################################################################
Other Effects of The Crash:
When AIM reads the command, it will add the following registry keys:

HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login\Screen Name
(String)

The following may or may not be added depending on the contents of Screen Name:

HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\[Screen Name From Command]
(String)

HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\[Screen Name From Command]
(Subkey of Users)

It will also make the following folders, but this all depends on the contents of the invalid screen name:

C:\Documents and Settings\[User]\Application Data\Aim\[Random Folder Name]\[Screen Name From Command]\

###########################################################################
How To Fix This:

If your AIM gets a buffer overflow every time you open it, the problem is that the invalid screen name is set to show up
on the sign on screen as AIM loads.

To fix this, open regedit. (Start > Run > type in "regedit")

In regedit, navigate to
HKEY_CURRENT_USER
Software
America Online
AOL Instant Messenger (TM)
CurrentVersion
Login

And you will see the string Screen Name (ab icon and type REG_SZ on the right). Right click on it and modify it to blank or "asdf" or
something that will not harm AIM. You can also just delete it.

Open AIM, and it should work fine again.

If you are a neat freak, you can seek out the folders and registry keys that are added and delete them also.

-Gumby.net
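
Added example, not part of the original post: a heuristic scanner that flags aim:registeruser links matching the pattern described above (71 to 99 "abnormal" characters in the screenname field) in chat logs or page text. It assumes "abnormal" means any character outside printable ASCII, which the post does not define exactly; the function names and sample lines are constructed, and the mixed-character variants the post mentions are not covered.

```python
import re
from urllib.parse import parse_qs

# Thresholds taken from the post: 71 to 99 "abnormal" characters crash AIM,
# and a screen name field longer than 99 characters does not.
MIN_ABNORMAL = 71
MAX_FIELD_LEN = 99

LINK_RE = re.compile(r"aim:registeruser\?[^\s\"'<>]+", re.IGNORECASE)

def is_abnormal(ch):
    # Assumption: "abnormal" is approximated as any code point outside
    # printable ASCII. The post gives examples, not the exact set.
    return not (0x20 <= ord(ch) <= 0x7E)

def check_link(link):
    """Return a finding dict for one aim:registeruser link, or None."""
    _, _, query = link.partition("?")
    # parse_qs percent-decodes values; parameter names are matched case-insensitively.
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    for name in params.get("screenname", []):
        abnormal = sum(1 for ch in name if is_abnormal(ch))
        if abnormal >= MIN_ABNORMAL and len(name) <= MAX_FIELD_LEN:
            return {"length": len(name), "abnormal": abnormal}
    return None

def scan_text(text):
    """Find suspicious aim:registeruser links in free text (chat log, HTML)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in LINK_RE.finditer(line):
            hit = check_link(match.group(0))
            if hit:
                findings.append((lineno, hit["length"], hit["abnormal"]))
    return findings

# Constructed sample input, not real chat traffic.
SAMPLE = "\n".join([
    "hey add me: aim:registeruser?screenname=gumbyfan&password=x",
    "click aim:registeruser?screenname=" + "\u00be" * 75 + "&password=password&signonnow=true",
    "too long: aim:registeruser?screenname=" + "\u00e7" * 120 + "&signonnow=true",
    "percent-encoded: aim:registeruser?screenname=" + "%C2%A3" * 80,
])

if __name__ == "__main__":
    for lineno, length, abnormal in scan_text(SAMPLE):
        print(f"line {lineno}: screenname length={length}, abnormal={abnormal}")
```

Lines 2 and 4 of the sample are flagged; line 3 is not, because its screen name exceeds the 99-character limit the post describes.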
 
Vouch for Gumby, again I don't know wtf this is, but he's a fucking legend.
 