Re: ICQ and MSIE allow execution of arbitrary code

From: Stan Bubrouski (stanat_private)
Date: Wed Jul 17 2002 - 07:39:48 PDT


    Jelmer wrote:
    
    >>>Outline<<
    
    <SNIP>
    
    >It does in fact allow you to run code of your choosing on a victim's machine
    >by creating a specially crafted webpage and sound scheme file
    
    You're absolutely correct.  I can confirm this on:
    
    ICQ: 2000b (The problem goes back 3 years!)
    OS: Windows 2000 Professional SP2 (With all hotfixes and windows updates)
    IE: 6.0.2600.0000 (again, with ALL latest fixes/patches and windows updates)
    
    So what we have here is a rather serious flaw, which affects all versions
    of ICQ from at least version 2000b onward...and I am told (yeah I know,
    hearsay) this is working on 2000a as well.  Jelmer's workaround of changing
    the SCM extension in folder options does appear to do the job, although I
    recommend unmapping the extension altogether... or turning off scripting
    entirely as this is VERY easy to exploit and extremely serious...
    
    -Stan Bubrouski
    
    >>>Explanation and example<<
    >
    >I have created an example exploit on
    >
    >http://www.xs4all.nl/~jkuperus/icq/icq.htm
    >
    >that starts a little flame program
    >
    >It works as follows:
    >
    >the default action for ICQ sound scheme (scm) files is open; it places the wav
    >files included with the scm file in a known location on the hard disk.
    >
    >flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1]
    >the scm file I use creates an auth.wav file.
    >
    >In reality however this is not a wav file but a mht (mail archive file) with
    >an embedded base64 encoded executable
    >
    >then I use one of the many available local code execution vulnerabilities
    >found in internet explorer recently to execute the embedded binary with this
    >url:
    >
    >mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.exe
    >
    >I don't think it's necessary to use one of IE's exploits as you can also call
    >html files in the mht archive, but for some reason I wasn't able to get this
    >to work right away.
    >
    >>>Workaround<<
    >
    >For a short term solution
    >
    >open explorer (the file manager not the browser)
    >go to the file types tab in Tools > Folder Options
    >
    >locate the scm extension and change the default behaviour to prompt before
    >download
    >
    >In the long term ICQ will have to use something like random folder names for
    >sound schemes to prevent this from happening
    >
    
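The workaround Jelmer describes (Folder Options > File Types > change the scm default behaviour to prompt before download) and the stronger one Stan recommends (unmap the extension) both come down to two registry settings: which ProgID the extension maps to, and whether that ProgID's EditFlags has the FTA_OpenIsSafe bit (0x00010000) set, which is what "Confirm open after download" being unchecked means. The following PowerShell audit script is an added example, not code from the thread or from ICQ; it assumes a Windows machine with PowerShell (which the 2002 systems in the thread did not have) and resolves the ProgID from the registry rather than assuming ICQ's name for it.

```powershell
# Added example (not part of the thread): audit how a file extension is wired
# up in the registry, the same settings the Folder Options workaround changes.
# Run as the logged-on user; HKCU:\Software\Classes overrides HKLM, so both
# hives are checked in that order.
param([string]$Extension = '.scm')   # default: ICQ sound scheme files

# "Confirm open after download" lives in EditFlags. When FTA_OpenIsSafe
# (0x00010000) is SET the box is unchecked and downloaded files are opened
# with no prompt, which is the behaviour the advisory relies on.
$FTA_OpenIsSafe = 0x00010000

function Get-EditFlags([string]$ProgIdPath) {
    $item = Get-ItemProperty -Path $ProgIdPath -Name EditFlags -ErrorAction SilentlyContinue
    if (-not $item) { return [uint32]0 }
    $v = $item.EditFlags
    # Older systems store EditFlags as REG_BINARY (4 bytes, little-endian)
    if ($v -is [byte[]]) { return [BitConverter]::ToUInt32($v, 0) }
    return [uint32]$v
}

function Test-FileTypeAssociation([string]$Ext) {
    $result = [ordered]@{ Extension = $Ext; Mapped = $false; ProgId = $null;
                          OpenCommand = $null; PromptsBeforeOpen = $true }
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $extKey = Join-Path $root $Ext
        if (-not (Test-Path $extKey)) { continue }
        # The (default) value of the extension key names the ProgID
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrEmpty($progId)) { continue }
        $result.Mapped = $true
        $result.ProgId = $progId
        $progKey = Join-Path $root $progId
        $cmdKey  = Join-Path $progKey 'shell\open\command'
        if (Test-Path $cmdKey) {
            $result.OpenCommand = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
        $flags = Get-EditFlags $progKey
        $result.PromptsBeforeOpen = (($flags -band $FTA_OpenIsSafe) -eq 0)
        break   # first hive that maps the extension wins
    }
    return [pscustomobject]$result
}

$r = Test-FileTypeAssociation $Extension
$r | Format-List
if (-not $r.Mapped) {
    Write-Host "$Extension is not mapped to any handler; nothing opens automatically."
} elseif (-not $r.PromptsBeforeOpen -and $r.OpenCommand) {
    Write-Warning "$Extension opens '$($r.OpenCommand)' with no download prompt; tick 'Confirm open after download' or unmap the extension."
} else {
    Write-Host "$Extension is mapped, but a prompt is shown before downloaded files are opened."
}
```

Run it as `.\Test-ScmAssociation.ps1` (or with `-Extension .xyz` for any other type). On Vista and later a per-user choice under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice` can override the classes mapping, so on modern systems check that key too; the thread's Windows 2000 hosts only had the classes keys the script reads.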



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 19:53:11 PDT