OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: AreS (aressecurity-downloads.com)
Date: Wed Aug 22 2001 - 17:14:10 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

    Topic: ICQ Forced Auto-Add Users
    Announced: 2001-08-17
    Affects: ICQ 200x* up to 2001a Alpha

    DISCLAIMER:
    ***********
    THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
    THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
    THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

    I. Problem Description
    **********************
    ICQ is a popular and free chat program, with over 108,022,319 users all
    over the world. When ICQ is installed, it adds a Content-Type to
    Microsoft Internet Exploder, the "application/x-icq" type.
    When IE receives "Content-Type: application/x-icq" from a web server
    and following content:

    [ICQ User]
    UIN=<uin>
    Email=
    NickName=
    FirstName=
    LastName=

    *where <uin> is an ICQ UIN

    IE will automaticly download the content and make ICQ add the uin to
    it's contact list.

    II. Impact
    **********
    When a webmaster creates a page containing the exploit code, he will
    automaticly be added to the victims contact list.
    This bug can be exploited against almost any program which uses IE to
    display web content.

    III. Exploit
    *************
    It's easy to (ab)use the ICQ web server using search.dll, having it
    send the correct response, using following HTML code:

    <HTML>
    <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=>">
    </HTML>

    The above HTML code will add <uin>* to the victims contact list.

    The bottom line is to get the victim to surf to the script on ICQ's
    website:     http://wwp.icq.com/scripts/search.dll?to=>*
    *Where <uin> is the attackers UIN.

    If the HTML code is in- or badly visible, download the text version at:
    http://t-Omicr0n.hexyn.be/Hexyn-sa-22.txt

    IV. Solution
    *************
    At this time, no patch from ICQ is available yet.
    Using Opera Internet Browser will fix the problem, other browsers are
    yet to be tested.

    V. Credits
    ***********
    Bug discovered by t-Omicr0n <tvb71hotmail.com>

    Greets to: f0bic, Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr,
    Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r,
    T0SH, zeroX, AreS, tips, Lacrima, GigaByte,...
    ...and everyone at #securaxirc.hexyn.be

    -- t-Omicr0n http://t-Omicr0n.hexyn.be