[VulnWatch] CORE-2006-0322: Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer

From: CORE Security Technologies Advisories (advisories@private)
Date: Thu Sep 07 2006 - 13:03:21 PDT


         Core Security Technologies - CoreLabs Advisory
              http://www.coresecurity.com/corelabs/


   Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer


Date Published: 2006-09-07

Last Update: 2006-09-06

Advisory ID: CORE-2006-0322

Bugtraq ID: None currently assigned

CVE Name: None currently assigned

Title: Multiples vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer

Class: Access Validation Error/Design Error, Input validation error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510

*Vendors contacted:*

America Online Inc.
 . 2006-07-27: Initial notification sent to vendor, advisory release
   date set for Aug. 14th.
 . 2006-07-27: Vendor response acknowledging notification.
 . 2006-08-11: Request for an update sent to vendor asking for an
   estimated date for fix availability.
 . 2006-08-14: Request for an update sent to vendor asking for an
   estimated date for fix availability, advisory release date now set for
   Aug. 22nd.
 . 2006-08-15: Vendor response received. Still determining when a fix
   will be available. A new update from the vendor forthcoming before
   Aug. 22nd.
 . 2006-08-16: Vendor email received requesting further technical details
   or proof-of-concept code.
 . 2006-08-17: Core response vendor: proof-of-concept for the ICQ client
   bug can not be made available as standalone program without incurring
   in a substantial development effort.
 . 2006-08-21: Vendor email describing coordination issues with ICQ
   development team. No fix schedule provided
 . 2006-08-21: In liue of proof-of-concept, Core provides succinct
   technical explanation of the problem in the ICQ 2003b client.
 . 2006-08-29: Updated advisory sent to vendor requesting comments and
   fix availability information. Advisory release date now set for
   Aug. 31st.
 . 2006-08-30: Vendor response received stating that 30 days is
   insufficient to fix bugs and reiterating the previously noted
   coordination and communications problems with engineering team at
   remote facilities. No tentative fix schedule made available, earliest
   date for an official vendor statement about fixes is Sept. 1st
 . 2006-08-30: Core response to vendor, publication of advisories will be
   delayed until Sept. 6th in order to receive offical statement from
   vendor. Baring a precise schedule that demonstrates an imminent
   release of fixes the publication date is final.
 . 2006-08-30: Vendor provides an official statement.
 . 2006-09-07: Advisory published.

Release Mode: USER RELEASE


*Vulnerability Description:*

 Security problems found in the ICQ Toolbar v1.3 may allow attackers to
 control and change configuration settings and to inject scripting code
 in RSS feed contents and execute it in the contetxt of the feed
 interface (IE's Local Zone)

 ICQ Toolbar 1.3 for Internet Explorer is a Browser Helper Object that
 provides several features including: search, pop-up blocker, ICQmail
 notifier, RSS feeds and others. The ICQ toolbar, is one of the various
 products offered by ICQ and it is available for download at
 http://download.icq.com/download/toolbar/

 A problem was found in the way the ICQ Toolbar implements its web
 configuration interface that lets attackers controlling a malicious
 website change the ICQ toolbar's configuration settings without users of
 the ICQ toolbar for Internet Explorer noticing that an attack is taking
 place.

 Additionally, Cross Site Scripting vulnerabilities in the RSS Feeds
 interface could allow malicious RSS feeds to execute scripting code in
 the context of the Feeds interface, and allow attackers to access (and,
 in specific cases, change) configuration settings.


*Vulnerable Packages:*

 The following AOL/ICQ software products are affected by these issues:

 Remote configuration vulnerability
 - ICQ Toolbar 1.3 for Internet Explorer

 Malicious RSS feed vulnerability
 - ICQ Toolbar 1.3 for Internet Explorer

 The ICQ Toolbar for Windows 98/ME was not included in our tests.
 Nevertheless, it is likely to be vulnerable.


*Non-vulnerable Packages:*

 - ICQ Search Plugin for Mozilla / Firefox.


*Solution/Vendor Information:*

 Statement provided by AOL Product Vulnerabilities team:
 "AOL has recently been made aware of two vulnerabilities in the various
 versions of the ICQ Toolbar.  Successful exploitation of the first
 vulnerability may allow an attacker to alter non-critical configuration
 information for the Toolbar by tricking a user into visiting a malicious
 website.  The second vulnerability affects versions of the ICQ Toolbar
 that have RSS feed capability.  An attacker may be able to trick a user
 into loading a malicious RSS feed that contains malicious cross-site
 scripting code.

 Solutions / Workarounds:

 Remote configuration vulnerability
 - Users should carefully inspect the source of any web-based
 configuration files they use to configure their ICQ Toolbar.

 Malicious RSS feed vulnerability
 - Users are recommended to use the ICQ Toolbar 1.2 which is packaged
 with ICQ 5.1;  ICQ Toolbar 1.2 does not have RSS feed capability."


*Credits:*

 Luciana Tabo, Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman and
 Javier Garcia Di Palma from Core Security Technologies discovered and
 tested these vulnerabilities during Core Security’s Bugweek 2006.


*Technical Description - Exploit/Concept Code:*

[Web configuration Interface]

 The ICQ Toolbar provides a web-based configuration interface that is
 implemented through a plain simple HTML page. Whenever a user clicks on
 “Toolbar Options,” Internet Explorer is directed to a local webpage
 called “options2.html” that resides in the directory where the toolbar
 was installed.

 Most Internet Explorer toolbars in use are now providing web-based
 configuration interfaces that either take you to an online website or,
 as in this case, to a local page. In all of these cases, basic security
 mechanisms must be implemented to prevent attackers from crafting
 malicious web pages that could either change or read toolbar
 configuration settings.

 As mentioned before, the ICQ toolbar configuration web page provides a
 list of standard checklist controls that either enable or disable
 certain toolbar features when checked/unchecked by the user. Whenever
 one of these checklist controls is clicked, the toolbar internally
 handles the onClick event and carries out any corresponding actions.

 The first issue derives from the fact that the ICQ Toolbar isn't
 validating either the location or the originating source from where the
 configuration web page is loaded. Therefore, the toolbar can either be
 configured from the local system (as expected) or from anywhere in the
 online world.
 This enables anyone to simply copy the contents of the locally stored
 “options2.html” file and place it as an html file hosted in any website,
 such as the attacker’s favorite .com domain.

 Secondly, the way in which each checkbox control is associated to a
 configuration setting is by simply matching the ID attribute of each
 HTML checkbox tag to a list of expected configuration IDs. This enables
 an attacker to change the external representation of a checkbox control
 in order to disguise an attack. As far as the ID attribute matches a
 corresponding configuration setting, the attacker can present to the
 user any HTML for rendering and presentation in the browser. By
 combining both problems, an attacker can easily read and change ICQ
 toolbar configuration settings.

 For example, here is what the checkbox for enabling automatic ICQ
 Toolbar updates looks like in the ‘official’ configuration interface
 (options2.html):

 <input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
 size="2">Update ICQ Toolbar automatically</font>

 The following checkbox will also work the same way:

 <input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
 size="2">I’m 21 years old or older.</font>

 In such a scenario, a commonly seen disclaimer page with a checkbox is
 used to disguise an attack that changes toolbar settings.

 Although we tried to automate the "clicking" process in order to skip
 the need of having the victim click on the checkbox control, the toolbar
 seems to actually require the user to generate the Click event.


[Cross Site Scripting vulnerabilities in the RSS Feed module]

 Cross Site Scripting vulnerabilities were found in the RSS Feed module
 provided by the ICQ Toolbar for Internet Explorer. The issues emerge at
 the time of displaying items from an RSS feed and could provide
 attackers with a way to access or change configuration settings.

 Specifically, we found the title and description fields of the item
 element included in a standard RSS feed XML document to be ‘vulnerable’
 to Cross Site Scripting vulnerabilities. The issue resides in the fact
 that the application is appending the contents of both fields directly
 in HTML output without first performing any sanitation or encoding on
 them. This would allow an attacker with control on the contents of these
 fields to insert Javascript code that will then be executed in the
 user's browser. We haven’t tested all possible RSS tags and therefore
 believe more tags may carry the same problem.

 A sample XML document describing a malicious RSS feed would look like
 this:

<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0">
    <channel>
        <title>Sample evil feed</title>
        <link>http://evilfeed>
        <description>This is a sample evil RSS feed!</description>
        <language>en-us</language>
    <item>
        <title>Stealing your RSS feeds!</title>
        <link>http://localhost>

	<description>&lt;img src="javascript:var url=parent.left.external.GetDataFile();var%20a=parent.left.load_xml(url);var
b=parent.left.parse_tree_data(a, 0, url,'');alert(b)"&gt;</description>

        <pubDate>2006-07-20</pubDate>
    </item>
    </channel>
</rss>

 The document above will show a MessageBox with the contents of the
 toolbar’s data file where the RSS feeds configuration are stored.
 An attacker could also:
 - Steal the contents of the RSS feeds configuration file.
 - Call toolbar methods from the “external” object (RefreshRSS, OpenFeed,
 MarkAsRead, OpenRSSDialog, CloseRSSFrame, SetRSSNotificationFlag,
 OpenRSSNewDialog...)
 - Control the contents of the HTML document that is displayed to the
 client in order to trick the victim into several "classic" phishing
 attack scenarios.
 - etc.


*Workaround:*

 Either remove or disable the toolbar in Internet Explorer. Note that
 hiding the toolbar through View->Toolbars and unchecking the ICQ toolbar
 option DOES NOT disable the toolbar; it just hides it.

 The toolbar can easily be removed through the 'Add or Remove Programs'
 snap-in provided by Windows's Control Panel or disabled by renaming the
 'toolbaru.dll' from the toolbar's installation directory.


*About CoreLabs*

 CoreLabs, the research center of Core Security Technologies, is charged
 with anticipating the future needs and requirements for information
 security technologies.

 We conduct our research in several important areas of computer security
 including system vulnerabilities, cyber attack planning and simulation,
 source code auditing, and cryptography. Our results include problem
 formalization, identification of vulnerabilities, novel solutions and
 prototypes for new technologies.

 CoreLabs regularly publishes security advisories, technical papers,
 project information and shared software tools for public use at:
 http://www.coresecurity.com/corelabs/


*About Core Security Technologies*

 Core Security Technologies develops strategic solutions that help
 security-conscious organizations worldwide. The company’s flagship
 product, CORE IMPACT, is the first automated penetration testing product
 for assessing specific information security threats to an organization.

 Penetration testing evaluates overall network security and identifies
 what resources are exposed. It enables organizations to determine if
 current security investments are detecting and preventing attacks. Core
 augments its leading technology solution with world-class security
 consulting services, including penetration testing, software security
 auditing and related training.

 Based in Boston, MA. and Buenos Aires, Argentina, Core Security
 Technologies can be reached at 617-399-6980 or on the Web at
 http://www.coresecurity.com.


*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2006 CORE Security
 Technologies and (c) 2006 CoreLabs, and may be distributed freely
 provided that no fee is charged for this distribution and proper credit
 is given.

$Id: ICQToolbar-advisory.txt,v 1.11 2006/09/07 19:56:16 carlos Exp $



This archive was generated by hypermail 2.1.3 : Thu Sep 07 2006 - 17:02:08 PDT