Tested on IE 4.0 (4.72.3110.4) ICQ 2001b #3659 And it did crash my ICQ But after it I installed the "icq web front Add-on" it didn't crashed my icq anymore, but just opened the webfront part... N|ghtHawk -----Oorspronkelijk bericht----- Van: silentsupporterat_private <silentsupporterat_private> Aan: bugtraqat_private <bugtraqat_private> Datum: dinsdag 16 april 2002 0:05 Onderwerp: Possible vulnerabilities of ICQ files opened in IE or OE Hello everybody, Sorry for my lingo, but I had to learn it in a huge pain. However, if you don't like or cannot understand it, try to learn polish instead [gotcha =o)] Maybe it's an old topic, but maybe not. While playing with ICQ i have found that the program registers for its own use files with .uin extension. Of course it's not a big deal, but what's really interesting, is about to be described in a moment. .uin files may be opened from any homepage and Internet Explorer does not ask for confirmation while opening them. After I had found it out, the next idea was to: -check other file extensions in Registry that are registered by ICQ -test if the browser opens them in the same way as above ICQ registers the following extensions in Registry - .pnq - ICQ Plugin - .scm - ICQ Sound Scheme - .uin - ICQ User - .hpf - ICQ Home Page Factory What I did was very trivial. I created some test files and then I clicked them one by one in Windows Explorer. The prize was waiting with a .hpf extension. A simple file with few lines of text inside, when clicked, it killed my ICQ at once. So, the next step was to check if it works from the Internet. It did, aussi. I am too busy at the moment to play with a debugger and look further for real exploits, but i bet it is possible to find some, because according to the way it worked while i've been testing, ICQ does not check the content of the files before usage. I bet that some vulnerable code should be really easy to create. Conclusion: The first impression is that it may be used to kill ICQ only, but i bet that running specific code would be possible too. If you remember that it may be opened through Internet Explorer without notice, a lot of possible scenarios come to mind at once - does attachement for OE sound familiar =o)? It works. Worms may use it easily. To test what was described above: - run ICQ - go to my home page and open this link http://sztolnia.pl/hack/icqkiller/icqkiller.hpf it contains only few lines of text Tested on IE 6.0 ICQ 2002a #3722 Off-topic: As this is my first post to bugtraq i want to introduce myself in just a second. My name is Adam Blaszczyk, I am the author of two books about computer viruses and malware published in 1998 and 2001 and around 20 articles about security and malware, published in leading computer magazines in Poland. I love my wife Ka Kee and i wait impatiently till she come to me from Hong Kong in June, 2002. I mention here cuz ... I miss her like hell, hope you don't mind guys =o) Adam Blaszczyk silentsupporter_poczta_onet_pl
This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 22:57:33 PDT