QuoteAs I submitted to full disclosure:
"I have discovered that there is a buffer overrun vulnerability in AOL's Instant Messenger program. I have only tested this on version 5.9.3861. The problem causes a minimum of a program crash. I am not sure as to the posibility of shellcode execution.
The vulnerability can be exploited by supplying an overly large username from which to obtain "buddy info."
If you are unsure as to what I am talking about, I can post a screenshot."
Well, I made a Macromedia Captivate-made video of it. http://www.dotshell.net/aim.swf. What I am thinking is that a program can be
I found that hilarious.
I don't know why it's in media center... but will it work that that aim command thingy, if there is one to get profile.
No there isn't... so kinda useless ;P ?
Uhh.... so?
Hah, people actually use buddy lookup?
Quote from: Ergot on February 03, 2006, 07:01:30 PM
I don't know why it's in media center... but will it work that that aim command thingy, if there is one to get profile.
No there isn't... so kinda useless ;P ?
I was..
"high! +1"
someone wanna move this to general security info, which i missed terribly?
This is a retarded reason to say AIM sucks. Who is going to sit there and type fake screennames of that length into a buddy lookup anyway? Theres no way to remotely expoit this. Garbage. :)
Quote from: Krazed on February 04, 2006, 10:28:42 AM
This is a retarded reason to say AIM sucks. Who is going to sit there and type fake screennames of that length into a buddy lookup anyway? Theres no way to remotely expoit this. Garbage. :)
It could be a real screen name, too. It just has to break AIM. :P! I feel like trying it.
Quote from: deadly7 on February 04, 2006, 03:26:21 PM
Quote from: Krazed on February 04, 2006, 10:28:42 AM
This is a retarded reason to say AIM sucks. Who is going to sit there and type fake screennames of that length into a buddy lookup anyway? Theres no way to remotely expoit this. Garbage. :)
It could be a real screen name, too. It just has to break AIM. :P! I feel like trying it.
No it couldn't, they are limited to 16 characters. There is no way to remotely exploit this, I'm not even sure how one could execute code unless they were sitting there. If you have local access, what's the point?
Oh yea aim really sucks because of this..or use a different client yea.
Like stated there is no way to exploit this and until one is found this wont be anything other than a bug in code
you know, those things every program have
Quote from: Quik on February 04, 2006, 04:22:10 PM
Quote from: deadly7 on February 04, 2006, 03:26:21 PM
Quote from: Krazed on February 04, 2006, 10:28:42 AM
This is a retarded reason to say AIM sucks. Who is going to sit there and type fake screennames of that length into a buddy lookup anyway? Theres no way to remotely expoit this. Garbage. :)
It could be a real screen name, too. It just has to break AIM. :P! I feel like trying it.
No it couldn't, they are limited to 16 characters. There is no way to remotely exploit this, I'm not even sure how one could execute code unless they were sitting there. If you have local access, what's the point?
I've had screen names longer than 16 characters before -- they must've imposed the limit within the last 4 years.
There is no screennames past 16 chars. End of discussion. This "exploit" is garbage. :)