====================================================================== 

                     Secunia Research 08/12/2006                      

- AOL CDDBControl ActiveX Control "SetClientInfo()" Buffer Overflow -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
Vendor Statement.....................................................8
References...........................................................9
About Secunia.......................................................10
Verification........................................................11

====================================================================== 
1) Affected Software 

- America Online 7.0 revision 4114.563
- AOL 8.0 revision 4129.230
- AOL 9.0 Security Edition revision 4156.910

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

Product Link:
http://downloads.channel.aol.com/windowsproducts 

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in AOL, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the
"CDDBControlAOL.CDDBAOLControl" ActiveX control (cddbcontrol.dll) when
processing "ClientId" arguments passed to the "SetClientInfo()"
method. This can be exploited to cause a stack-based buffer overflow
by passing an overly long string (more than 256 bytes).

Successful exploitation allows execution of arbitrary code when a user
visits a malicious website with Internet Explorer. In order to exploit
the vulnerability, a certain registry value has to be set to "1111".
This is not set by default, but can be set up automatically by first
instantiating the bundled CerberusCDPlayer ActiveX control.

====================================================================== 
5) Solution 

Updates are automatically available for AOL 9.x users when logging
into the AOL service.

====================================================================== 
6) Time Table 

23/11/2006 - Vendor notified.
24/11/2006 - Provided additional information to the vendor.
24/11/2006 - Vendor response.
08/12/2006 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

====================================================================== 
8) Vendor Statement

Overview

AOL has recently been made aware of a security vulnerability present
in the AOL CDDB ActiveX control.  Successful exploitation of the
vulnerability may allow an attacker to execute arbitrary code on a
vulnerable system.


Affected Products and Applications

All AOL software versions are affected by this issue.


Solutions

1.  Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to
log in to the AOL service and a fix will be seamlessly applied to
their system.

2.  Users using versions of AOL that are older than 9.0 are strongly
recommended to upgrade to the latest version of AOL 9.0 Security
Edition.


Acknowledgements

AOL would like to thank Secunia for their efforts in identifying and
responsibly reporting this issue.

====================================================================== 
9) References

The Common Vulnerabilities and Exposures (CVE) project has not
currently assigned a CVE identifier for the security issue.

====================================================================== 
10) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
11) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-69/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================