AOL default insecure permissions

aol-default-insecure-permissions (28445) The risk level is classified as MediumMedium Risk

Description:

AOL has default directory permissions that could allow a local attacker to execute arbitrary code. The "America Online 9.0" directory and all related directories are assigned the default access permissions of 'Full Control' in the 'Everyone' group. A local attacker could exploit this vulnerability to gain administrator access and view, add, delete, or change any file in the application or to upload and execute arbitrary code.

Platforms Affected:

  • AOL, AOL 9.0 SE 4184.2340

Remedy:

Upgrade to the latest, patched version of AOL Security Edition 9.0, available from the AOL Web site. See References.

Consequences:

Gain Privileges

References:

  • AOL Web site, AOL.com - Welcome to America Online at http://www.aol.com/.
  • BID-19583: AOL Security Edition Local Privilege Escalation Vulnerability
  • CVE-2006-0948: AOL 9.0 Security Edition revision 4184.2340, and probably other versions, uses insecure permissions (Everyone/Full Control) for the America Online 9.0 directory, which allows local users to gain privileges by replacing critical files.
  • OSVDB ID: 27995: AOL Directory Permission Weakness Local Privilege Escalation
  • SA18734: AOL Insecure Default Directory Permissions
  • SECTRACK ID: 1016717: AOL Client Insecure Default Permissions Lets Local Users Modify Files
  • VUPEN/ADV-2006-3317: AOL America Online 9.0 Insecure Directory Permissions and File Manipulation Vulnerability

Reported:

Aug 18, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page