Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
From: AreS (ares@security-downloads.com)Date: 08/23/01
- Previous message: Darren Moffat: "Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files"
- Next in thread: Gustavo Molina: "Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users"
- Reply: Gustavo Molina: "Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users"
- Reply: Richard M. Smith: "RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Aug 2001 00:14:10 +0200 From: AreS <ares@security-downloads.com> Message-ID: <17917533745.20010823001410@security-downloads.com> To: BUGTRAQ@SECURITYFOCUS.COM Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
Topic: ICQ Forced Auto-Add Users
Announced: 2001-08-17
Affects: ICQ 200x* up to 2001a Alpha
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
I. Problem Description
**********************
ICQ is a popular and free chat program, with over 108,022,319 users all
over the world. When ICQ is installed, it adds a Content-Type to
Microsoft Internet Exploder, the "application/x-icq" type.
When IE receives "Content-Type: application/x-icq" from a web server
and following content:
[ICQ User]
UIN=<uin>
Email=
NickName=
FirstName=
LastName=
*where <uin> is an ICQ UIN
IE will automaticly download the content and make ICQ add the uin to
it's contact list.
II. Impact
**********
When a webmaster creates a page containing the exploit code, he will
automaticly be added to the victims contact list.
This bug can be exploited against almost any program which uses IE to
display web content.
III. Exploit
*************
It's easy to (ab)use the ICQ web server using search.dll, having it
send the correct response, using following HTML code:
<HTML>
The above HTML code will add <uin>* to the victims contact list.
The bottom line is to get the victim to surf to the script on ICQ's
If the HTML code is in- or badly visible, download the text version at:
IV. Solution
V. Credits
Greets to: f0bic, Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr,
-- t-Omicr0n @ http://t-Omicr0n.hexyn.be
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=
</HTML>
website: http://wwp.icq.com/scripts/search.dll?to=
*Where <uin> is the attackers UIN.
http://t-Omicr0n.hexyn.be/Hexyn-sa-22.txt
*************
At this time, no patch from ICQ is available yet.
Using Opera Internet Browser will fix the problem, other browsers are
yet to be tested.
***********
Bug discovered by t-Omicr0n <tvb71@hotmail.com>
Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r,
T0SH, zeroX, AreS, tips, Lacrima, GigaByte,...
...and everyone at #securax@irc.hexyn.be
Relevant Pages
... Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users ... window, (while "Microsoft's viewer" was enabled ... in the options) the META tag was read and executed and the preview window ...
(Bugtraq)
... Forcing ICQ to Add Arbitrary Users to the Friends List ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... (where <uin> is an ICQ UIN) ... It's easy to cause the ICQ web server to send back the file format (as ...
(Securiteam)
