[NEWS] Forcing ICQ to Add Arbitrary Users to the Friends List
From: support@securiteam.comDate: 08/24/01
- Previous message: support@securiteam.com: "[NT] AVTronics InetServer DoS and Buffer Overflow Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [NEWS] Forcing ICQ to Add Arbitrary Users to the Friends List Message-Id: <20010824210428.13584138BF@mail.der-keiler.de> Date: Fri, 24 Aug 2001 23:04:28 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Forcing ICQ to Add Arbitrary Users to the Friends List
------------------------------------------------------------------------
SUMMARY
<http://www.icq.com> ICQ is the leading find-your-friends tool. A
security vulnerability in the product allows attackers to add users to a
target's friends list, without having permission from the client. After
the attacker has been added to the friends list, they can email or message
the user freely without it being "questioned".
DETAILS
When ICQ is installed, it adds a Content-Type to Microsoft Internet
Explorer - the "application/x-icq" type. When IE receives "Content-Type:
application/x-icq" from a web server and the following content:
[ICQ User]
UIN=<uin>
Email=
NickName=
FirstName=
LastName=
(where <uin> is an ICQ UIN)
IE will automatically download the file and cause ICQ to add the uin to
its contact list.
Exploit:
It's easy to cause the ICQ web server to send back the file format (as
mentioned above) to the target, by exploiting a problem in ICQ web
server's search.dll.
Issuing the following HTML code:
<HTML>
Will cause the ICQ server to return a response that will cause ICQ to
ADDITIONAL INFORMATION
The information has been provided by <mailto:ares@security-downloads.com>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
<META HTTP-EQUIV="REFRESH"
CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=
</HTML>
automatically add (without user intervention) a user to the friends list.
AreS.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... Core Security Technologies - CoreLabs Advisory ... AOL ICQ Pro 2003b heap overflow vulnerability ... A vulnerability in AOL's ICQ Pro 2003b instant messenger client could ...
(Bugtraq)
... Core Security Technologies - CoreLabs Advisory ... AOL ICQ Pro 2003b heap overflow vulnerability ... A vulnerability in AOL's ICQ Pro 2003b instant messenger client could ...
(VulnWatch)
... Trent, Googled for AIM and ICQ. ... Security - both pc's have XP firewall enabled. ...
(microsoft.public.windowsxp.hardware)
... When it comes to using an SSL proxy for file sharing, ... security than a non-SSL proxy, ... The same of course would be true for using ICQ in the same scenario, ...
(comp.security.misc)
... I've used ICQ in years past but have no idea what's ... Is there personal web server software to quickly ...
(microsoft.public.windowsxp.general)
