Re: Win32 ICQ 98a flaw

[loki () LNETI COM (Locke Nash Cole)]

You can also do this in the popular mIRC IRC Client, althou it has no "Open"
option so there is a less chance of the person running it, however in
explorer

"mypic..bmp
.exe"
Kinda looks like a bmp the .exe is hard to see on some view modes, and if
you opened the .exe file up in borland's resource editor (or any similar
editor) and changed the exe files icon to that of mspaint.exe a person
(sometimes even an advanced user) will double click anyway without seeing
the far off .exe portion of the filename..

Also if they look in their status window they may discover the .exe, althou
if you use a special dos program to write files to filenames that aren't
normally allowed (with mIRC's CTRL-K color code) you could make the .exe
part invisible in the status window...
using CTRL+K0 for white text, and most people use the default white text
background on the status window.


I'm sure Eudora/Outlook Express could easily fool a user also into doing the
same thing..

----- Original Message -----
From: Justin Clift <vapour () DIGITALDISTRIBUTION COM>
To: <BUGTRAQ () NETSPACE ORG>
Sent: Thursday, December 31, 1998 10:20 PM
Subject: Win32 ICQ 98a flaw


> Hello everyone,
>
> A while ago I found a flaw in ICQ which I believe to be fairly serious and
> asked whom to notify.  Thanks for everyone's assistance in this.  :-)
>
> I notified Mirabilis and they have totally failed to respond (I've waited
> about 2 weeks), so I'll now submit it here.
>
> It's a very simple flaw.  At present I've only tested on the Win32 ICQ 98a
> 1.30 version, and have not tested on ICQ99 nor on other platforms.
>
> Here is how it works : When a person is sending a file to another user on
> ICQ, the person receiving the file has a window pop up which shows the
> filename, a description entered by the sender, and options of where to save
> or not save etc.
>
> I've found there isn't a check on the length of the filename being sent.
> The pane in the pop-up window will display as much of the filename as it
> can, and if the filename is longer that the pane, the ending remainder
won't
> be displayed.
>
> Therefore a simple attack is possible, sending a file named (for example) :
>
> "leah2.jpg
> .exe"
>
> will display leah2.jpg to the receiving user whom will only see "leah2.jpg"
> in the pop-up window and assume it is a harmless picture file for example,
> not executable code.
>
> This is very bad considering ICQ has the option of 'OPEN'ing the file once
> the transfer is completed.  Many people do this to have the picture
> displayed to them (by the program associated with the extension).  In the
> case of this exploit, the executable code will be run instead of the
program
> the victim is expecting.  A craftily coded program would be able to do both
> so as to avoid suspicion on the part of the victim.
>
> One thing I have noted in testing is that on one person's system running
> Win95 this did not work.  His computer renamed the file to .zip on
receiving
> which stopped the file executing.  I don't know why and as far as I have
> been able to find out (I haven't had physical access to his PC) this is due
> to his personal configuration and is not the norm.
>
> One additional thing should considered also, and I don't yet have the time
> and ability to do so; is a buffer overflow exploit present here or in other
> versions which allows remote automatic code execution?  This depends on the
> program and the protocol, of course.  It could be *very* bad.
>
> Regards and best wishes,
>
> + Justin Clift
> Digital Distribution
> www.digitaldistribution.com