Buffer Overflow in ICQ

OS tested on: Windows 2000
ICQ version: 99b 1.1.1.1

ICQ is a very popular chat client that is affected by an exploitable buffer overflow when it parses a URL sent by another user.

What this means:

* One, arbitrary assembly code can be run on the remote machine. (Therefore, a shell could be spawned, a trojan executed, or perhaps easiest of all, the hard drive could be wiped.)

* Two, this did not take very long to find, and generally, if there is no bounds checking in one place, then there is not going to be bounds checking in other places either. While ICQ is not likely to be run on a "hub of commerce" server, it is run on millions of systems, and someone could use a script to spam these millions of systems with such a URL; from there a timed distributed network attack could be launched. (Timed because of the dynamic IPs.)

When sending a URL link through a message in ICQ, it is possible to overflow the buffer and control the instruction execution:

http://www.yahoo.com/sites.asp?\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\!!!!P !

The exclamation marks are where EBP is overwritten. The four characters after that are where EIP is overwritten. This link puts a jmp esp into EIP, bringing the flow of execution back into the buffer, to the place right at the end of the URL, after the last NOPs following the EIP. Tested on w2k final beta.

So, basically, you just tack the exploit code onto the end of the URL above, and the machine will run it. It should be pretty easy to jump the stack as well. Some characters are not allowed, making this slightly more difficult: "," (opcode 2C) is not allowed, "]" is not allowed, and opcode 01 is not allowed. Pretty much anything else is.
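For contrast with the unchecked copy the advisory describes, here is an added C example (not ICQ's code and not the advisory's): the vulnerable copy pattern beside a bounds-checked version that rejects an oversized link before it can reach the saved EBP and return address. The buffer size and function names are assumptions.

```c
/* Added example, not ICQ's or the advisory's code: the unchecked-copy
 * pattern behind a stack overflow like the one above, beside a
 * bounds-checked version. Buffer size and function names are assumed. */
#include <string.h>
#define URL_BUF_SIZE 128   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: no length check, so a link longer than the buffer
 * runs over the saved EBP and return address. For contrast only. */
int open_link_unchecked(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);              /* writes past buf on a long link */
    return (int)strlen(buf);
}

/* Hardened copy: refuse a link that does not fit with its terminator,
 * then copy exactly the bytes verified. 0 = accepted, -1 = rejected. */
int copy_link_checked(const char *url, char *out, size_t out_size)
{
    const char *end;
    if (url == NULL || out == NULL || out_size == 0)
        return -1;
    end = memchr(url, '\0', out_size);  /* terminator within the bound? */
    if (end == NULL)
        return -1;                      /* too long: drop it, stack untouched */
    memcpy(out, url, (size_t)(end - url) + 1);   /* includes the '\0' */
    return 0;
}

/* Same fixed stack buffer, but an oversized link is rejected before
 * anything beyond buf can be written. Returns accepted length or -1. */
int handle_link(const char *url)
{
    char buf[URL_BUF_SIZE];
    if (copy_link_checked(url, buf, sizeof buf) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Builds a constructed link of n backslashes (the shape of the proof of
 * concept above, capped at 511) and feeds it to handle_link(). */
int handle_backslash_run(size_t n)
{
    static char big[512];
    if (n >= sizeof big) n = sizeof big - 1;
    memset(big, '\\', n);
    big[n] = '\0';
    return handle_link(big);
}
```

A 127-byte link is the longest that fits with its terminator in the assumed 128-byte buffer; anything longer is dropped rather than copied.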
Explicit example: You click on someone in your ICQ to send them a message, and you cut and paste the above code into the message. When they receive it and click on the link to jump to the location, the exploit code tacked onto the end would be executed. To tack the exploit assembly code on there, write it up, assemble it, get the opcodes, then use something like UltraEdit32 to paste the binary characters onto the end of the URL. Such code may be pieced together from freeware assembly scripts etc.

Fix: Don't accept communication with people you don't know. Test your software yourself for bugs, especially under Windows where incidents are not likely to quickly end up in CERT or similar places.

Drew
alternative email: osioniusx@XXXXmy-deja.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:52 PDT