Date: Sat, 10 Oct 1998 19:31:59 PDT
From: HIGH TIMES <hight1mez@HOTMAIL.COM>
To: BUGTRAQ@netspace.org

----------------------------------------------------------------------
The A-TEAM Presents...
Date: 10/10/98
Advisory#: 01
Author: JOHN BISSELL <hight1mez@hotmail.com>
----------------------------------------------------------------------

There is a big security problem in America OnLine 4.x which allows
anybody to remotely crash AOL 4.x software by sending Email which AOL
software does not know how to handle and thus causes an invalid page
fault in module AOLRICH.AOL!

The exploit in essence is too send a email message to a America OnLine
user with a [ background ] image that has a 255 character name. This
could be created in America OnLine's own Email message composer or
perhaps in a Email program that allows HTML formatting. There might be
potential for remote execution of unauthorized code.


America OnLine 4.x software does a good job by warning the user before
opening the Email message that the evil message sent contains a picture
that could cause trouble for the reader.

NOTE: I have notifyed AOL about this problem so they should address
this issue very soon. hopefully!

HI THERE ADAM NANCE!

EOF
----------------------------------------------------------------------



______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com