header-logo
Suggest Exploit
vendor:
AOL Instant Messenger
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary File Execution
N/A
CWE
Product Name: AOL Instant Messenger
Affected Version From: N/A
Affected Version To: AOL Instant Messenger 4.8.2790
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows
2002

AOL Instant Messenger Arbitrary File Execution Vulnerability

AOL Instant Messenger (AIM) is prone to an issue which may allow attackers to execute arbitrary files on the client system. It is possible to send a malicious link which references local files to a user of the client. When the link is visited, the referenced file on the client's local filesystem will be executed. To exploit this issue, the attacker must know the exact location of the file to be executed. Additionally, there can be no spaces in the path or filename. This limits exploitability, since files must be on the same partition and command line arguments cannot be supplied.

Mitigation:

Upgrade to AOL Instant Messenger 4.8.2790 or later.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6027/info

AOL Instant Messenger (AIM) is prone to an issue which may allow attackers to execute arbitrary files on the client system. It is possible to send a malicious link which references local files to a user of the client. When the link is visited, the referenced file on the client's local filesystem will be executed.

To exploit this issue, the attacker must know the exact location of the file to be executed. Additionally, there can be no spaces in the path or filename. This limits exploitability, since files must be on the same partition and command line arguments cannot be supplied.

Versions other than AOL Instant Messenger 4.8.2790 do not seem to be affected by this vulnerability. The vulnerability was reported for Microsoft Windows versions of the client. 

<a href ="../../../../progra~1/trojan/trojan.exe">www.example.com</a>