Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

From: Gustavo Molina (gustavobtat_private)
Date: Fri Aug 24 2001 - 06:36:20 PDT


    On Wed, 22 Aug 2001 19:23:28 -0300 (SPO) , AreS <ares@security-downloads.com>
    (AreS) wrote:
    
    
    >IE will automatically download the content and make ICQ add  the  uin  to
    >its contact list.
    >
    >II. Impact
    >**********
    >When a webmaster creates a page containing the  exploit  code,  he will
    >automatically be added to the victim's contact list.
    >This bug can be exploited against almost any program which uses IE to
    >display web content.
    
    I believe the impact can be more serious than that. Using Javascript, one can
    easily add hundreds of random users, then the victim will have a lot of trouble
    knowing who was added and who was already on his contact list, as they'll be
    mixed.
    
    Privacy-wise, that's an easy way for a site to know who the remote user is,
    because of the message "you were added". The webmaster would have, in most
    cases, the complete name and e-mail of the person who accessed the site, even if
    the user is behind a proxy or firewall.
    
    >
    >III. Exploit
    >*************
    >It's easy to (ab)use the ICQ web server  using  search.dll,  having  it
    >send the correct response, using following HTML code:
    >
    ><HTML>
    ><META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=>">
    ></HTML>
    
    It works on any page, not only ICQ's. As a proof-of-concept, using 1 line of
    perl, I set up this http://www.molina.com.br/icq.html
    
    >IV. Solution
    >*************
    >At this time, no patch from ICQ is available yet.
    
    And probably won't be. I believe they'll consider this more like a feature than
    a bug. Otherwise they wouldn't have implemented this. The problem is that they
    didn't realize someone could add hundreds of UINs on others' lists. This can
    be serious.
    
    One workaround is through the registry.
    
    Just replace
    My Computer\HKEY_CLASSES_ROOT\icquser\shell\open\command
    with whatever you want. If you leave it blank, you'll receive a warning, and will
    know someone tried to exploit it. Using a custom program, you can log the UIN.
    
    As far as I tested, it didn't break any ICQ functionality, but I cannot
    guarantee.
    
    []'s
    Gustavo Molina
    Network Administrator - Sao Paulo - Brazil
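
    The registry workaround above, written out as an added example (this is not
    code from Gustavo's post or from ICQ): it backs up the current
    HKEY_CLASSES_ROOT\icquser\shell\open\command value, installs a small logging
    stub in its place so that every forced-add attempt is recorded with a
    timestamp instead of being handed to ICQ, and can restore the original handler
    with -Restore. It assumes a Windows PowerShell 5.1+ session run with rights to
    write under HKEY_CLASSES_ROOT, that the handler receives the URL as %1 (not
    stated in the post), and the file locations under ProgramData are my choice.

```powershell
# Added example, not from the original post. Swap the icquser protocol handler
# for a logging stub, keeping a backup so the original command can be restored.
param([switch]$Restore)

# Key path is the one named in the post; file locations below are assumptions.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\icquser\shell\open\command'
$BackupPath = Join-Path $env:ProgramData 'icquser-handler-backup.txt'
$LogScript  = Join-Path $env:ProgramData 'icquser-log.ps1'
$LogFile    = Join-Path $env:ProgramData 'icquser-handler.log'

if ($Restore) {
    # Put the original handler back from the backup taken on first run.
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath." }
    $original = (Get-Content -Path $BackupPath -Raw).Trim()
    Set-ItemProperty -Path $KeyPath -Name '(default)' -Value $original
    Write-Host "Restored original icquser handler: $original"
    return
}

if (-not (Test-Path $KeyPath)) {
    throw "No icquser handler registered at $KeyPath; nothing to replace."
}

# 1. Save the existing command once, so -Restore can undo the change.
$current = (Get-ItemProperty -Path $KeyPath).'(default)'
if (-not (Test-Path $BackupPath)) {
    Set-Content -Path $BackupPath -Value $current
    Write-Host "Backed up current handler: $current"
}

# 2. Write the stub that will run instead of ICQ. Everything after -File is
#    passed to the script literally, so a crafted URL is only logged, never
#    evaluated as PowerShell code. The popup is the "warning" the post mentions.
$stub = @'
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$entry = "$stamp  blocked icquser request: $($args -join ' ')"
Add-Content -Path '__LOGFILE__' -Value $entry
(New-Object -ComObject WScript.Shell).Popup(
    "Blocked an automatic ICQ contact add. Details were written to the log.",
    0, 'icquser handler', 48) | Out-Null
'@
Set-Content -Path $LogScript -Value $stub.Replace('__LOGFILE__', $LogFile)

# 3. Point the protocol handler at the stub. %1 is the URL the shell hands over.
$command = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "{0}" "%1"' -f $LogScript
Set-ItemProperty -Path $KeyPath -Name '(default)' -Value $command
Write-Host "icquser handler now logs to $LogFile"
```

    Run it once as an administrator to install the stub, then review the log
    file to see which UINs a page tried to push into the contact list; run it
    again with -Restore to hand the protocol back to ICQ.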
    



    This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 07:44:08 PDT