security hole in ICQ-Webserver

From: Jan Vogelgesang (wj.Vogelgesangat_private)
Date: Mon Apr 05 1999 - 14:50:56 PDT


    Hi,
    Some days ago I read a message here in Bugtraq from Ronald A. Jarell about a vulnerability in the ICQ-Webserver. I tried to reproduce this vulnerability on my computer (Win95) and found out the following:
    - Sending any non-HTTP stuff or even a simple "get" (without any other characters, however) crashes the ICQ client. This works with ICQ99a V2.13 Build 1700, but not with Build 1547.
    
    Moreover, there is a much bigger hole in the ICQ-Webserver: if you have the webserver enabled, everyone can access your complete(!) hard disk with a simple web browser.
    When your page is activated and you are online, each request to "http://members.icq.com/<ICQ-Number>" will be redirected to your computer. Thus, every visitor gets to know your current IP.
    Nevertheless, only the files in "/ICQ99/Homepage/<your ICQ-Number>/personal" should be accessible. But a visitor can "climb up" the directory tree with some dots, e.g. "http://>/...../a2.html" would present him the file "a2.html" in the "ICQ99" directory. With some more dots, he would reach the root directory of your hard disk.
    But there is one barrier: the ICQ-Webserver only delivers files with an ".html" extension. After some experiments I found a way to trick it: I add ".html/" to the URL and the webserver sends every file I request. For instance, "http://>/............./config.sys" won't work, but "http://>/.html/............./config.sys" would.
    I have tested this with both Build 1700 and Build 1547.
    
    In my opinion, this is a significant security problem, because password files or even the registry in the Windows directory can be read.
    I warned Mirabilis about it and hope they will inform the ICQ community.
    Sorry for my poor English...
    
    Jan Vogelgesang
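The post describes two independent failures in a static-file server: the requested path was not confined to the served directory, and the ".html" rule was matched against the URL string rather than the file actually opened. The following is an added example written for this archive page, not code from the post or from Mirabilis; it shows how a small file server can apply both checks on the decoded, normalised and filesystem-resolved path. The directory layout it builds (`personal/index.html` inside the root, `a2.html` and `config.sys` above it) is constructed to mirror the report and is not taken from a real ICQ installation.

```python
"""Hardened static-file path resolution for a small web server.

Added example, not code from the original post or from ICQ/Mirabilis. It
applies the two checks the report says were missing: confining the resolved
file to the document root, and applying the ".html" rule to the resolved
file name instead of to a substring of the URL.
"""
import os
import posixpath
import tempfile
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_SUFFIXES = (".html",)


def _has_dangerous_segment(path: str) -> bool:
    """Reject path segments that Windows-era filesystems treat specially:
    names made only of dots longer than '..' (e.g. '...', '.....') and names
    with trailing dots or spaces. '.' and '..' are left for normpath."""
    for seg in path.split("/"):
        if not seg:
            continue
        if len(seg) > 2 and set(seg) == {"."}:
            return True
        if seg != seg.rstrip(". "):
            return True
    return False


def resolve_request(doc_root: str, request_target: str) -> Optional[str]:
    """Map a request target (URL path, optionally with a query string) to a
    file under doc_root. Return the absolute path, or None if the request
    must be refused. Every decision is made on the decoded, normalised,
    filesystem-resolved path, never on the raw URL string."""
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path or "\\" in path:
        return None
    if _has_dangerous_segment(path):
        return None
    # Collapse '.' and '..' at the URL level; a leading '/' clamps '..' so it
    # cannot climb above the root before the join below.
    path = posixpath.normpath("/" + path.lstrip("/"))
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Containment: the resolved target must lie inside the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Extension rule on the resolved file name, so an '.html/' segment
    # elsewhere in the URL cannot satisfy it.
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree() -> str:
    """Constructed layout mirroring the report: the served directory is
    'personal', and files that must stay private live above it.
    Returns the document root."""
    base = tempfile.mkdtemp(prefix="webroot_demo_")
    root = os.path.join(base, "personal")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>public page</h1>")
    with open(os.path.join(base, "a2.html"), "w") as f:
        f.write("<p>html file above the served directory</p>")
    with open(os.path.join(base, "config.sys"), "w") as f:
        f.write("constructed stand-in for a file outside the root")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # The refused targets are the shapes described in the report.
    for target in ["/index.html", "/../a2.html", "/...../a2.html",
                   "/.html/../config.sys", "/.html/..%2F..%2Fconfig.sys"]:
        print(f"{target:32} -> {resolve_request(demo_root, target)}")
```

The key design point is ordering: decode, normalise and resolve first, then decide. A check performed on the raw URL ("does it contain .html?") is exactly the one the post shows being bypassed, while a check on the resolved file name cannot be satisfied by an extra path segment.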
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:34 PDT