RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

From: Richard M. Smith (rms@privacyfoundation.org)
Date: 08/24/01


From: rms@privacyfoundation.org (Richard M. Smith)
To: "'AreS'" <ares@security-downloads.com>, <BUGTRAQ@SECURITYFOCUS.COM>
Subject: RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
Date: Fri, 24 Aug 2001 13:36:24 -0400
Message-ID: <000801c12cc3$4ee415a0$0f01a8c0@tiac.net>

I suspect this bug is also exploitable from HTML email by including the
magic ICQ URL in an <IFRAME> tag embedded in the message.

Richard

-----Original Message-----
From: AreS [mailto:ares@security-downloads.com]
Sent: Wednesday, August 22, 2001 6:14 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Topic: ICQ Forced Auto-Add Users
Announced: 2001-08-17
Affects: ICQ 200x* up to 2001a Alpha

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
ICQ is a popular and free chat program, with over 108,022,319 users all
over the world. When ICQ is installed, it adds a Content-Type to
Microsoft Internet Exploder, the "application/x-icq" type. When IE
receives "Content-Type: application/x-icq" from a web server and
the following content:

