ICQLite executable trojaning

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 05/29/03

Next message: aresu_at_bosen.net: "Philboard Forum Vulnerability"

Previous message: Mark Litchfield: "IIS WEBDAV Denial of Service attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 29 May 2003 15:22:47 +0400
To: bugtraq@securityfocus.com, bugtraq <bugtraq@SECURITY.NNOV.RU>

bugtraq@,

Title: ICQ Lite executable trojaning
Affected: ICQLite 2003a
Vendor: ICQ Inc
Vendor URL: http://www.icq.com
Risk: Average
Exploitable: Yes
Remote: No
Date: May, 29 2003
Advisory URL: http://www.security.nnov.ru/advisories/icqlite.asp

I. Intro:

ICQ Lite is popular internet messenger software. This is only ICQ
version which requires no elevated privileges (such as Power User) to
work, so, it's often used by corporate users and on public computers.

II. Problem:

During installation ICQLite silently adds

Intercative Users: Full Control

ACE to ACLs for Program Files\ICQ Lite directory.

It makes it possible to replace any executable file in this directory
and to obtain privileges of user launching ICQ Lite.

III. Workaround

Replace "Full Control" with "Change" permission for installation
directory and to "Read" permissions for all executable files (.exe and
.dll's).

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

Next message: aresu_at_bosen.net: "Philboard Forum Vulnerability"

Previous message: Mark Litchfield: "IIS WEBDAV Denial of Service attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]