Information Assurance

Elizabeth Esswein



Bugtraq Analysis

AOL AIM and ICQ File Transfer Path-Traversal Vulnerability


This is from the iDefense description:

"Remote exploitation of a path-traversal vulnerability in AOL's AIM and ICQ could allow a remote attacker to place arbitrary files on the victim's machine during a file transfer operation."

AIM clients prior to version 5.9 and ICQ client version 5.1 are vulnerable to this attack. These clients allow files to be transferred from one user to another. The sender specifies both the name of the file as it appears in the file transfer request and the name under which it will be saved; the two need not be the same. The recipient specifies the directory to save the file to. However, the clients do not properly validate the filename: directory-traversal characters are not stripped from it, so a file with a specially encoded name may be saved somewhere other than the directory the recipient specified.

ICQ clients have been patched via an automatic update, and the problem has been fixed in AIM 6.0. AOL has also protected users via "a fix applied to the AIM infrastructure". Recipients could also avoid exploitation by paying attention to the files they accept for transfer, since every transfer must be approved by the recipient and existing files will not be overwritten without prompting.

I figured that "specially encoded name" meant including the path information in the file name using the hex values for the directory traversal characters, so I created two text files, "test1.txt" and "%2e%2e%5ctest2.txt" (..\test2.txt). Then I found somebody with a vulnerable client and tried to send the files to him. I asked him to try to save the files in his "My Documents" folder. The first transfer worked but the second did not. He accepted it, but the transfer never actually started. So presumably, this is how the vulnerability could have been exploited, and AOL's fix works.
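
The validation a receiving client needs before it builds the save path, written in Python as an added example; it is not AOL's code and not part of the original analysis. The function and exception names are hypothetical, and it assumes the client percent-decodes the offered name, as the test above presumed.

```python
import os
from urllib.parse import unquote

class UnsafeFilename(ValueError):
    """Raised when a sender-supplied name could escape the save directory."""

def safe_save_path(save_dir, offered_name, max_rounds=3):
    """Return the path under save_dir for offered_name, or raise UnsafeFilename."""
    name = offered_name
    # Decode percent-escapes to a fixed point so double-encoded forms
    # such as %252e%252e%255c are examined in the form finally used.
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise UnsafeFilename("name is encoded too deeply: %r" % offered_name)

    # A transferred file needs a bare name: no separators of either style,
    # no drive or stream colon, no NUL, and not a directory reference.
    if not name or name in (".", "..") or any(c in name for c in "/\\:\0"):
        raise UnsafeFilename("path characters in name: %r" % offered_name)

    # Containment check on the resolved path; this also rejects a name
    # that is a symlink leading out of the save directory.
    base = os.path.realpath(save_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise UnsafeFilename("resolves outside save directory: %r" % offered_name)
    return target

if __name__ == "__main__":
    import tempfile
    folder = tempfile.mkdtemp()  # stands in for the recipient's chosen folder
    # Constructed names; the first two are the ones used in the test above.
    for offered in ["test1.txt", "%2e%2e%5ctest2.txt", "%252e%252e%255ctest2.txt"]:
        try:
            print("save as", safe_save_path(folder, offered))
        except UnsafeFilename as err:
            print("rejected:", err)
```

Rejecting the transfer outright, rather than silently stripping the traversal characters, keeps the saved name identical to what the recipient was shown when approving it.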