w00w00 Critical AOL Messenger Exploit
Source: bugtraq/neohapsis
w00w00, one of the premiere security groups around, has a released a very critical exploit against AOL messenger for Windows. TPGN has archived the exploit here.
AOL Instant Messenger (AIM) has a major security vulnerability in the
latest stable (4.7.2480) and beta (4.8.2616) Windows versions. This
vulnerability will allow remote penetration of the victim's system
without any indication as to who performed the attack. There is no
opportunity to refuse the request. This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
This particular vulnerability results from an overflow in the code
that parses a game request. The actual overflow appears to be in the
parsing of TLV type 0x2711. This may be more generic and exploitable
through other means, but AOL has not released enough information about
their protocol for us to be able to determine that. Robbie Saunder's
email yesterday should be enough of a hint which direction to look in.