[NT] Multiple Vulnerabilities in Mirabilis ICQ Client

From: SecuriTeam (support_at_securiteam.com)
Date: 05/09/03

    To: list@securiteam.com
    Date: 9 May 2003 10:11:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Multiple Vulnerabilities in Mirabilis ICQ Client
    ------------------------------------------------------------------------

    SUMMARY

    Mirabilis ICQ client is a popular program that enables users to
    communicate through instant messaging, chat, sending emails, SMS and
    wireless-pager messages, as well as transferring files and URLs.

    The ICQ client offers other client services; for more information about
    ICQ see: http://www.icq.com/products/whatisicq.html

    Six security vulnerabilities were found that could lead to various forms
    of exploitation ranging from denying users the ability to use ICQ services
    to execution of arbitrary commands on vulnerable systems.

    The following vulnerabilities were found:
    POP3 Client Format String in UIDL Field:
    ICQ provides an integrated POP3 client vulnerable to a format string
    attack in the UIDL command server response string (the unique-id of a
    message). This vulnerability can be successfully exploited by an attacker
    able to impersonate the POP3 server.

    "Subject" signed overflow in POP3 Client:
    ICQ provides an integrated POP3 client vulnerable to a 16-bit sign
    overflow in the "Subject" field of e-mail headers. An attacker may be able
    to execute arbitrary commands by sending a malformed e-mail header to a
    vulnerable client.

    "Date" signed overflow in POP3 Client:
    ICQ provides an integrated POP3 client vulnerable to a 16-bit sign
    overflow in the "Date" field of e-mail headers. An attacker may be able to
    execute arbitrary commands by sending a malformed e-mail header to a
    vulnerable client.

    ICQ Features on Demand spoofing attack:
    ICQ provides a semi-automated functionality for upgrading client services
    (e.g. ICQ Phone, ICQ Web Search) called "ICQ Features on Demand", which is
    vulnerable to a spoofing attack due to hard-coded information and the lack
    of authentication signatures.

    By taking advantage of this vulnerability, an attacker will be able to
    install malicious software that could lead to execution of arbitrary
    commands as well as other important security breaches.
     
    Message advertisements denial of service attack:
    ICQ displays advertisements inside a message window (called 'Message
    Session') by using a proprietary HTML parsing/rendering library vulnerable
    to malformed tags input.

    By impersonating the static ADS server, an attacker may send malformed
    HTML code to the ADS rendering window freezing the ICQ interface and using
    100% CPU.

    Input validation error in ICQ's GIF parsing/rendering library:
    ICQ implements its own image parsing/rendering library (found in
    'icqateimg32.dll') vulnerable to an input validation error, causing a
    denial of service. The problem is triggered while parsing GIF89a headers.

    DETAILS

    Vulnerable systems:
     * Mirabilis ICQ Pro 2003a client

    Vendor status:
    CoreLabs sent notification e-mails to the following addresses:
    security@icq.com, secure@icq.com, webmaster@icq.com, support@icq.com,
    several times during March and April (2003-03-11, 2003-03-24, 2003-04-11)
    and never received an answer from Mirabilis.

    POP3 Client Format String in UIDL Field
    ICQ's integrated POP3 client is a COM object found inside POP3.dll. The
    client is vulnerable to a format string attack in the UIDL command server
    response string (the unique-id of a message):

    "The unique-id of a message is an arbitrary server-determined string,
    consisting of one to 70 characters in the range 0x21 to 0x7E, which
    uniquely identifies a message within a maildrop and which persists across
    sessions" as described in RFC 1939 (found at
    http://www.ietf.org/rfc/rfc1939.txt).

    By inserting format-string directives into a UIDL response message, the
    POP3 client can be forced to execute arbitrary commands.
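    As an added defensive example (this is not code from the advisory, from
    CoreLabs or from ICQ's POP3.dll), the C functions below parse a UIDL
    response line, enforce the RFC 1939 character and length rules quoted
    above, and build a log line with the id passed as a "%s" argument rather
    than as the format string, which is the fix for this bug class. Note that
    an id consisting of "%n" sequences is RFC-valid, so validation alone does
    not remove the risk; the function names and the 71-column sscanf width are
    my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define UIDL_MAX 70   /* RFC 1939: unique-id is 1 to 70 characters, each 0x21..0x7E */

/* Returns true only if id obeys the RFC 1939 unique-id rules. */
bool uidl_is_valid(const char *id)
{
    size_t len = strlen(id);
    if (len < 1 || len > UIDL_MAX) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c < 0x21 || c > 0x7E) return false;
    }
    return true;
}

/* Parse a UIDL response line "<msgnum> <unique-id>".
   Returns the message number (> 0) and copies the id into id_out on success,
   0 if the line is malformed, the id violates RFC 1939, or it does not fit. */
int parse_uidl_line(const char *line, char *id_out, size_t id_cap)
{
    char id[UIDL_MAX + 2];   /* one spare char so an overlong id is detected */
    int msgnum = 0;
    /* field width 71 keeps sscanf inside id[]; whitespace ends the token */
    if (sscanf(line, "%d %71s", &msgnum, id) != 2 || msgnum <= 0) return 0;
    if (!uidl_is_valid(id) || strlen(id) + 1 > id_cap) return 0;
    memcpy(id_out, id, strlen(id) + 1);
    return msgnum;
}

/* Build a log line about the id. The server-supplied id is always passed as
   a "%s" argument, never as the format string, so directives such as "%n"
   inside an otherwise RFC-valid id are inert data. Returns the line length. */
int format_uidl_log(char *out, size_t cap, int msgnum, const char *id)
{
    return snprintf(out, cap, "UIDL msg %d id %s", msgnum, id);
}
```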

    "Subject" signed overflow in POP3 Client
    ICQ's integrated POP3 client is a COM object found inside POP3.dll. The
    client is vulnerable to a sign overflow attack in the "Subject" field of
    e-mail headers.

    The length of the "Subject" field is stored in a 16-bit (short) signed
    integer, allowing an attacker to send a malicious e-mail along with a long
    "Subject" field of around 33k octets overflowing the sign of the variable
    and causing a negative value.

    This attack results in the client throwing a self-unhandled exception,
    crashing the client.

    "Date" signed overflow in POP3 Client
    ICQ's integrated POP3 client is a COM object found inside POP3.dll. The
    client is vulnerable to a sign overflow attack in the "Date" field of
    e-mail headers.

    The length of the "Date" field is stored in a 16-bit (short) signed
    integer, allowing an attacker to send a malicious e-mail along with a long
    "Date" field of around 32k octets overflowing the sign of the variable and
    causing a negative value.

    This attack results in the client throwing a handled exception, instantly
    closing the client.
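    As an added example covering both the "Subject" and "Date" cases above
    (my own C code, not code from the advisory or from POP3.dll), the first
    function models a header length held in a 16-bit signed short, so that a
    value of around 33k octets wraps negative; the flawed and fixed bounds
    checks are shown side by side, and a bounded header extractor rejects
    oversized values before copying anything. MAX_HEADER_VALUE is an assumed
    policy cap, not a value taken from the advisory.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_HEADER_VALUE 4096   /* assumed policy cap; not a value from the advisory */

/* Model of the flaw: the header length kept in a 16-bit signed short. Values
   of 32768..65535 octets wrap negative. The wrap is computed explicitly so the
   result is well-defined rather than relying on implementation behaviour. */
int header_len_as_short(const char *value)
{
    unsigned low16 = (unsigned)(strlen(value) & 0xFFFFu);
    return low16 >= 0x8000u ? (int)low16 - 0x10000 : (int)low16;
}

/* Flawed bounds check: a wrapped, negative length satisfies len <= buf_size. */
bool fits_buffer_flawed(const char *value, size_t buf_size)
{
    return header_len_as_short(value) <= (int)buf_size;
}

/* Fixed bounds check: size_t length, room for the terminator, hard cap. */
bool fits_buffer_fixed(const char *value, size_t buf_size)
{
    size_t len = strlen(value);
    return len < buf_size && len <= MAX_HEADER_VALUE;
}

/* Case-insensitive match of a header name followed by ':' at line start. */
static bool name_matches(const char *line, const char *name)
{
    for (; *name; line++, name++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name)) return false;
    return *line == ':';
}

/* Copy the value of "Name: value" into out if the line carries that header.
   Returns the value length, or -1 if the name differs or the value is too
   long; oversized values are rejected before any byte is copied. */
int extract_header_value(const char *line, const char *name, char *out, size_t cap)
{
    if (!name_matches(line, name)) return -1;
    const char *v = line + strlen(name) + 1;
    while (*v == ' ' || *v == '\t') v++;
    if (!fits_buffer_fixed(v, cap)) return -1;
    size_t vlen = strlen(v);
    memcpy(out, v, vlen + 1);
    return (int)vlen;
}
```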

    ICQ Features on Demand spoofing attack
    The URL from where the requested 'Features on Demand' are downloaded is
    hard-coded inside a file called "Packages.ini" found inside the
    subdirectory "\DataFiles" in ICQ's default installation path. The value
    named "DataURL" which belongs to the section "[General]" holds a static
    address from where the client will download user requested packages.

    An attack is possible due to the lack of authentication methods applied to
    newly downloaded packages. An attacker able to impersonate the 'package
    repository service' by spoofing the hard-coded address will be able to
    install malicious software that could lead to the execution of arbitrary
    commands as well as other important security breaches.

    Message advertisements denial of service attack
    The URL from where the HTML ads are downloaded has the following format:
    "http://web.icq.com/client/ate/ad-handler/ad_468/0,,[RANDOM],00.htm", where
    [RANDOM] is a signed 16-bit random number. Note that the "," characters are
    not encoded in their US-ASCII escape (percent-encoded) form.

    The HTTP request follows certain rules:
     - It is an HTTP/1.0 request
     - The request has a "Refer:" to itself
     - The "User-Agent:" is "Mozilla/4.08 [en] (WinNT; U; Nav)"
     - The "Accept:" header must be "*/*"

    The HTML parsing/rendering library is vulnerable to erroneous attributes
    specified in the <table> tag. By specifying a "width" attribute of value
    "-1", the library will use 100% CPU, freezing the ICQ interface.

    The attack is possible due to the lack of authentication methods applied
    to requests. An attacker able to impersonate the "ADS server" by spoofing
    the semi-hard-coded address will be able to deny users the use of ICQ
    services.

    Input validation error in ICQ's GIF parsing/rendering library
    While parsing GIF89a headers, ICQ's GIF parsing/rendering library expects
    either a GCT (Global Color Table) or an LCT (Local Color Table) to be
    present after an "Image Descriptor". When neither color table exists, the
    library malfunctions, leading to a denial of service.

    The GIF89a file format has a section called "Logical Screen Descriptor"
    (from the GIF89a specification, which can be found at
    ftp://ftp.ncsa.uiuc.edu/misc/file.formats/graphics.formats/gif89a.doc):

          7 6 5 4 3 2 1 0        Field Name                    Type
         +---------------+
      0  |               |       Logical Screen Width          Unsigned
         +-             -+
      1  |               |
         +---------------+
      2  |               |       Logical Screen Height         Unsigned
         +-             -+
      3  |               |
         +---------------+
      4  | |     | |     |       <Packed Fields>               See below
         +---------------+
      5  |               |       Background Color Index        Byte
         +---------------+
      6  |               |       Pixel Aspect Ratio            Byte
         +---------------+

         <Packed Fields>  =      Global Color Table Flag       1 Bit
                                 Color Resolution              3 Bits
                                 Sort Flag                     1 Bit
                                 Size of Global Color Table    3 Bits

    This section describes the screen size, the pixel aspect ratio, the
    background color index, etc., and a set of fields (<Packed Fields>) that
    includes the "Global Color Table Flag" bit, indicating the presence of a
    Global Color Table. If the flag is set, the Global Color Table immediately
    follows the "Logical Screen Descriptor". The flag also selects the
    interpretation of the "Background Color Index": if the flag is set, the
    value of the "Background Color Index" field should be used as the table
    index of the background color.

    After the "Logical Screen Descriptor" or (if present) the "Global Color
    Table", there is an "Image Descriptor" per image compressed inside the GIF
    file with the following format:

          7 6 5 4 3 2 1 0        Field Name                    Type
         +---------------+
      0  |               |       Image Separator               Byte
         +---------------+
      1  |               |       Image Left Position           Unsigned
         +-             -+
      2  |               |
         +---------------+
      3  |               |       Image Top Position            Unsigned
         +-             -+
      4  |               |
         +---------------+
      5  |               |       Image Width                   Unsigned
         +-             -+
      6  |               |
         +---------------+
      7  |               |       Image Height                  Unsigned
         +-             -+
      8  |               |
         +---------------+
      9  | | |   |       |       <Packed Fields>               See below
         +---------------+

         <Packed Fields>  =      Local Color Table Flag        1 Bit
                                 Interlace Flag                1 Bit
                                 Sort Flag                     1 Bit
                                 Reserved                      2 Bits
                                 Size of Local Color Table     3 Bits
    (From the GIF89a specification)

    The set of fields (<Packed Fields>) found in an "Image Descriptor" include
    a "Local Color Table Flag" bit indicating the presence of a Local Color
    Table; if the flag is set, the Local Color Table will immediately follow
    the "Image Descriptor".
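    As an added example (my own C code, not code from the advisory or from
    icqateimg32.dll), the parser below walks the GIF89a header, the Logical
    Screen Descriptor, the optional Global Color Table, any extension blocks,
    the first Image Descriptor and its optional Local Color Table using the
    layouts shown above, and reports how many palette entries a decoder
    actually has. The "neither table present" case that the advisory says
    crashes ICQ is handled by returning zero entries so that a caller falls
    back to a default palette; the 0x21 extension introducer and 0x2C image
    separator values come from the GIF89a specification, and the struct and
    function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Fields of a GIF89a stream relevant to the color-table check. */
typedef struct {
    uint16_t screen_w, screen_h, img_w, img_h;
    bool has_gct, has_lct;          /* bit 7 of each <Packed Fields> byte */
    size_t gct_bytes, lct_bytes;    /* 3 * 2^(size field + 1), or 0 */
    size_t image_data_off;          /* offset of the LZW minimum code size byte */
} gif_info;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse header, Logical Screen Descriptor, optional GCT, extension blocks, the
   first Image Descriptor and optional LCT. Returns 0 on success, negative on error. */
int gif_parse_first_image(const uint8_t *buf, size_t len, gif_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 13 || memcmp(buf, "GIF89a", 6) != 0) return -1;
    out->screen_w = le16(buf + 6); out->screen_h = le16(buf + 8);
    out->has_gct = (buf[10] & 0x80) != 0;
    if (out->has_gct) out->gct_bytes = (size_t)3 << ((buf[10] & 0x07) + 1);
    size_t off = 13 + out->gct_bytes;
    while (off + 2 <= len && buf[off] == 0x21) {      /* extension blocks */
        off += 2;                                      /* introducer + label */
        while (off < len && buf[off] != 0) off += 1 + buf[off];   /* sub-blocks */
        if (off >= len) return -2;
        off++;                                         /* block terminator */
    }
    if (off + 10 > len || buf[off] != 0x2C) return -3; /* image separator */
    out->img_w = le16(buf + off + 5); out->img_h = le16(buf + off + 7);
    out->has_lct = (buf[off + 9] & 0x80) != 0;
    if (out->has_lct) out->lct_bytes = (size_t)3 << ((buf[off + 9] & 0x07) + 1);
    off += 10 + out->lct_bytes;
    if (off >= len) return -4;                         /* no image data */
    out->image_data_off = off;
    return 0;
}

/* Palette entries the decoder can index for the first image. Zero means neither
   table is present (legal per the spec): the caller must use a default palette. */
size_t gif_palette_entries(const gif_info *g)
{
    if (g->has_lct) return g->lct_bytes / 3;
    if (g->has_gct) return g->gct_bytes / 3;
    return 0;
}
```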

    ADDITIONAL INFORMATION

    The original advisory is available from:
    http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10

    The information has been provided by <mailto:advisories@coresecurity.com>
    CORE Security Technologies Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

