-----BEGIN PGP SIGNED MESSAGE-----
Core Security Technologies =E2=80=93 CoreLabs Advisory
AOL=E2=80=99s Instant Messaging software
vulnerabilities in AOL's Instant Messaging software
Advisory ID: CORE-2007-0817
Date published: 2009-09-25
Date of last update: 2007-09-25
Vendors contacted: AOL LLC.
Release mode: Forced Release
Class: Design Error
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 25659
CVE Name: CVE-2007-4901
AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE=E2=80=9Fs security
In particular this attack vector exposes workstations to:
- - Direct remote execution of arbitrary commands without user interaction.
- - Direct exploitation of IE bugs without user interaction. For example,
exploitation bugs that normally require the user to click on a URL
provided by the attacker can be exploited directly using this attack
- - Direct injection of scripting code in Internet Explorer. For example,
- - Remote instantiation of Active X controls in the corresponding security
- - Cross-site request forgery and token/cookie manipulation using embedded
AIM 6.1 (220.127.116.11)
AIM 6.2 (18.104.22.168)
AIM 6.5 (22.214.171.124) - http://beta.aol.com/projects.php?project=aim6
AIM Express - http://www.aim.com/aimexpress.adp
Classic AIM 5.9 - http://www.aim.com/get_aim/win/other_win.adp
*Vendor Information, Solutions and Workarounds*
AOL LLC Vendor Statement;
AOL has become aware of security vulnerabilities in several AIM instant
messaging clients. Successful exploitation of these vulnerabilities could
allow an attacker to execute arbitrary commands on a user's workstation.
AOL has deployed host side filtering on the AIM servers to block this
potentially malicious content from being sent to AIM clients.
Affected Products and Applications
* AIM 6.1
* AIM 6.2
* AIM Pro
* AIM Lite
1. Users of AIM can upgrade to the latest version of the AIM beta client
AOL would like to thank Core Security Technologies for responsibly
reporting this issue to AOL and for working with AOL on testing and
mitigating these issues.
*Other workarounds (un-official)*
Workaround #1: Users running AIM on Microsoft Windows XP SP2 or Windows
Server 2003 SP1 may implement Microsoft's "Internet Explorer Local Machine
Zone Lockdown" recommendations to mitigate risk. This will not fix the
reported bugs but will reduce the risk of exploitation significantly.
To enable Local Machine Zone Lockdown for your AIM client, go to the
following registry key:
Add a REG_DWORD value to this key named as the AIM client application (for
example, aim.exe) and set it to 1. Any other setting for this value will
disable Local Machine Zone Lockdown for the application.
For further details about how to configure this feature read Microsoft=E2=80=9Fs
Internet Explorer Local Machine Zone Lockdown recommendation at:
This vulnerability was discovered by Lucas Lavarello from the CORE
Security Consulting Services (CORE SCS) team.
*Technical Description / Proof of Concept Code*
The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for
enhanced message types that use features provided by the HTML (Hyper Text
Markup Language) in order to, for example, provide AIM users with the
possibility of exchanging text messages with specific font formats or
colors. AIM 6.1, AIM 6.2 (beta), AIM Pro and AIM Lite have embedded an
Internet Explorer server control in the message display window in order to
facilitate the parsing and displaying of HTML controls. It is a common
practice for Windows applications to reuse Microsoft Internet Explorer=E2=80=9Fs
HTML parsing objects included in the mshtml.dll library instead of using a
homebrew HTML parser. Several programming frameworks, including MFC
(Microsoft Foundation Classes), provide practical ways of embedding such
controls through classes like CHtmlEditView or CHtmlEditDoc.
Some of the advantages of using MSHTML are that it provides a particular,
feature-rich and somewhat complete support for DHTML and also that it is
easier to host Microsoft ActiveX Controls. However, in the context of this
advisory, such advantages may end up becoming security problems due to
design flaws and implementation bugs.
There are two particular characteristics in the implementation of the
described functionality that turn AIM=E2=80=9Fs highly flexible message-content
features into high-risk attack vectors for its users.
First, the vulnerable IM clients do most of the sanitizing/filtering and
encoding of HTML content on outbound messages, thus a malicious attacker
with the ability to bypass outbound HTML filtering can send any type of
HTML content to other IM clients.
A handful of publicly available and well-known IM clients permit to send
un-sanitized data to any other client that supports the same
communications protocol including the vulnerable AIM 6.1, AIM 6.2, AIM Pro
and AIM Lite clients.
Second, although there are some defensive mechanisms implemented in the
vulnerable clients these are insufficient to properly handle messages with
potentially malicious content. Input validation of inbound messages
appears to be taking place but can be easily circumvented by an attacker.
As a result, the entire attack surface of MSHTML is exposed to remote IM
peers. By having a way of sending data straight to the MSHTML library,
attackers could abuse such high-risk attack vector to:
- - Execute arbitrary shell commands in the victim=E2=80=9Fs workstation.
- - Direct the embedded IE to perform arbitrary HTTP requests (CSRF)
- - Include HTML controls (links, images, forms=E2=80=A6) in IM text messages in
order to trick users into revealing sensitive information or performing
harmful actions against their accounts/workstation/etc.
- - Instantiate ActiveX controls, which attackers could use to target
vulnerabilities in the ActiveX objects themselves or use their
functionality to, for example, read arbitrary files from the victim's
file system or even execute arbitrary shell commands in the victim's
- - Directly attack vulnerable versions of Internet Explorer in user
workstations. This is a typical client-side attack scenario and could
lead to the remote execution of arbitrary code in the victim's
workstation. In this scenario "one-click" IE bugs (exploitation requires
user assistance) become "zero-click" bugs (exploitation does not require
AOL's "Classic AIM 5.9" is an official alternative client for nostalgic
users and is not vulnerable due to the fact that instead of using MSHTML
to render HTML it appears to include limited rendering functionality
either provided by a third party library or homebrew code. Although there
is no guarantee that its implementation lacks vulnerabilities, in our
tests it did prevent the attack vectors described in this advisory. So
is the case for AOL=E2=80=9Fs AOL 126.96.36.199 which although it is embedding an
Internet Explorer server control in the message window, could not be
exploited during our tests.
AOL's online AIM Express web client which is written in ASP.NET and also
appears to be taking the necessary defensive measures required to prevent
any of these problems from taking place.
*Proof of concept snippets*
The following examples provide code snippets that should serve as
proof-of-concept code to demonstrate some of the problems that arise from
the issue reported. The snippets have been arranged according to their
risk level, in increasing order (lower risk first), with the
intention of making this process more self-explanatory. In order for these
snippets to work, they must be sent within the contents of a standard
instant message, but using a client that will not encode message contents
*Using HTML controls in order to trick victims into revealing sensitive
information or do harmful actions against their accounts/workstations or
to force outbound HTTP requests (CSRF).*
The following proof-of-concept code was successfully tested on AIM Pro.
Other vulnerable clients need some tweaking in order to get it to work.
The code uses