RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

[Chris <wickedc () suscom-maine net>]

> I suspect this bug is also exploitable from HTML email by including the
> magic ICQ URL in an <IFRAME> tag embedded in the message.
>
> Richard

This could also be exploited through html using the refresh meta tag...
When viewing the originating email of this thread in the eudora 5.0 preview 
window, (while "Microsoft's viewer" [which is really just IE] was enabled 
in the options) the META tag was read and executed and the preview window 
was refreshed to show "[ICQ User] UIN= Email= NickName= FirstName= LastName="

I suspect this information was displayed rather then executed due to the 
fact that i don't have ICQ installed on this machine, and therefore no mime 
type exists for such content on this machine. I was unable to test this 
with ICQ installed since windows' and AOL's programming (mirabillis is 
owned by AOL, don't you know?) makes ICQ crash every time its started.

However, this shows that its possible for a refresh meta tag to effect a 
PREVIEW window and execute the add user content. Can We Say, "Email Tracking"?

This could be (scarily) used by spammers to track valid email addresses. 
With a simple program to interface with ICQ or an ICQ dummy client (that 
only listens for "User has added you" messages), the spammer would be able 
to verify the email address through the email address listed in the ICQ 
user's profile, the spammer now also has the user's ICQ number, giving them 
yet another medium to spam over.

Just more scary they're-all-out-to-get-you things to think about =)

- Chris


> -----Original Message-----
> From: AreS [mailto:ares () security-downloads com]
> Sent: Wednesday, August 22, 2001 6:14 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
>
> Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
> Topic: ICQ Forced Auto-Add Users
> Announced: 2001-08-17
> Affects: ICQ 200x* up to 2001a Alpha
>
> DISCLAIMER:
> ***********
> THE ENTIRE ADVISORY HAS BEEN  BASED  UPON   TRIAL  AND  ERROR  RESULTS.
> THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS  100%  CORRECT.
> THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT  PRIOR  NOTICE.
>
> I. Problem Description
> **********************
> ICQ is a popular and free chat program, with over 108,022,319 users all
> over the world.  When ICQ is  installed,  it  adds  a  Content-Type  to
> Microsoft Internet Exploder, the "application/x-icq" type. When IE
> receives  "Content-Type: application/x-icq" from  a web  server and
> following content: