On Wed, 22 Aug 2001 19:23:28 -0300 (SPO), AreS <ares@security-downloads.com> (AreS) wrote:

>IE will automatically download the content and make ICQ add the UIN to
>its contact list.
>
>II. Impact
>**********
>When a webmaster creates a page containing the exploit code, he will
>automatically be added to the victim's contact list.
>This bug can be exploited against almost any program which uses IE to
>display web content.

I believe the impact can be more serious than that. Using JavaScript, one can easily add hundreds of random users; then the victim will have a lot of trouble knowing who was added and who was already on his contact list, as they'll be mixed.

Privacy-wise, that's an easy way for a site to know who the remote user is, because of the message "you were added". The webmaster would have, in most cases, the complete name and e-mail of the person who accessed the site, even if the user is behind a proxy or firewall.

>
>III. Exploit
>*************
>It's easy to (ab)use the ICQ web server using search.dll, having it
>send the correct response, using the following HTML code:
>
><HTML>
><META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=>">
></HTML>

It works on any page, not only ICQ's. As a proof-of-concept, using 1 line of perl, I set up this: http://www.molina.com.br/icq.html

>IV. Solution
>*************
>At this time, no patch from ICQ is available yet.

And probably won't be. I believe they'll consider this more like a feature than a bug. Otherwise they wouldn't have implemented this. The problem is that they didn't realize someone could add hundreds of UINs to others' lists. This can be serious.

One workaround is through the registry. Just replace My Computer\HKEY_CLASSES_ROOT\icquser\shell\open\command with whatever you want. If you leave it blank, you'll receive a warning, and will know someone tried to exploit it. Using a custom program, you can log the UIN.

As far as I tested, it didn't break any ICQ functionality, but I cannot guarantee it.

[]'s
Gustavo Molina
Network Administrator - Sao Paulo - Brazil
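The META-refresh vector quoted above is easy to spot in fetched or proxied HTML. The following is an added detection example, not code from either poster: it parses every <META HTTP-EQUIV="REFRESH"> tag, extracts the redirect URL, and reports the UINs a page would push into the ICQ client through wwp.icq.com/scripts/search.dll. The sample page and its UIN value are constructed (the real value is elided in the post).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page modelled on the META tag quoted in the thread.
# The UIN 12345678 is a placeholder, not a value from the post.
SAMPLE_PAGE = """<HTML>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=12345678">
<META http-equiv="refresh" content="5; url=http://example.invalid/next.html">
</HTML>"""


class MetaRefreshCollector(HTMLParser):
    """Collects the URL part of every <META HTTP-EQUIV="REFRESH"> tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # HTMLParser lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # CONTENT looks like "0;URL=http://..." (case and spacing vary)
        m = re.search(r";\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
        if m:
            self.urls.append(m.group(1).strip("'\""))


def find_icq_search_redirects(html):
    """Return the UINs that a page's META refreshes hand to ICQ's search.dll.

    Only redirects to host wwp.icq.com and path /scripts/search.dll count;
    ordinary refreshes to other sites are ignored.
    """
    collector = MetaRefreshCollector()
    collector.feed(html)
    uins = []
    for url in collector.urls:
        parts = urlparse(url)
        if (parts.netloc.lower() == "wwp.icq.com"
                and parts.path.lower() == "/scripts/search.dll"):
            uins.extend(parse_qs(parts.query).get("to", []))
    return uins


if __name__ == "__main__":
    print("UINs pushed by page:", find_icq_search_redirects(SAMPLE_PAGE))
```

A proxy or content filter can run the same check on pages before they reach IE-embedded viewers and log or block the matching UINs.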
This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 07:44:08 PDT