RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

From: Chris (wickedc@suscom-maine.net)
Date: Fri Aug 24 2001 - 21:13:19 PDT

Next message: Thomas C. Greene: "Hardware defences against SYN flooding"

Previous message: Immunix Security Team: "ImmunixOS 7.0 sendmail update"
In reply to: Richard M. Smith: "RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>I suspect this bug is also exploitable from HTML email by including the
>magic ICQ URL in an <IFRAME> tag embedded in the message.
>
>Richard

This could also be exploited through html using the refresh meta tag...
When viewing the originating email of this thread in the eudora 5.0 preview 
window, (while "Microsoft's viewer" [which is really just IE] was enabled 
in the options) the META tag was read and executed and the preview window 
was refreshed to show "[ICQ User] UIN= Email= NickName= FirstName= LastName="

I suspect this information was displayed rather then executed due to the 
fact that i don't have ICQ installed on this machine, and therefore no mime 
type exists for such content on this machine. I was unable to test this 
with ICQ installed since windows' and AOL's programming (mirabillis is 
owned by AOL, don't you know?) makes ICQ crash every time its started.

However, this shows that its possible for a refresh meta tag to effect a 
PREVIEW window and execute the add user content. Can We Say, "Email Tracking"?

This could be (scarily) used by spammers to track valid email addresses. 
With a simple program to interface with ICQ or an ICQ dummy client (that 
only listens for "User has added you" messages), the spammer would be able 
to verify the email address through the email address listed in the ICQ 
user's profile, the spammer now also has the user's ICQ number, giving them 
yet another medium to spam over.

Just more scary they're-all-out-to-get-you things to think about =)

- Chris


>-----Original Message-----
>From: AreS [mailto:ares@security-downloads.com]
>Sent: Wednesday, August 22, 2001 6:14 PM
>To: BUGTRAQat_private
>Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
>
>Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
>Topic: ICQ Forced Auto-Add Users
>Announced: 2001-08-17
>Affects: ICQ 200x* up to 2001a Alpha
>
>DISCLAIMER:
>***********
>THE ENTIRE ADVISORY HAS BEEN  BASED  UPON   TRIAL  AND  ERROR  RESULTS.
>THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS  100%  CORRECT.
>THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT  PRIOR  NOTICE.
>
>I. Problem Description
>**********************
>ICQ is a popular and free chat program, with over 108,022,319 users all
>over the world.  When ICQ is  installed,  it  adds  a  Content-Type  to
>Microsoft Internet Exploder, the "application/x-icq" type. When IE
>receives  "Content-Type: application/x-icq" from  a web  server and
>following content:

Next message: Thomas C. Greene: "Hardware defences against SYN flooding"
Previous message: Immunix Security Team: "ImmunixOS 7.0 sendmail update"
In reply to: Richard M. Smith: "RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Aug 25 2001 - 01:14:57 PDT