Bugtraq mailing list archives
Re: ICQ and MSIE allow execution of arbitrary code
From: Stan Bubrouski <stan () ccs neu edu>
Date: Wed, 17 Jul 2002 10:39:48 -0400
Jelmer wrote:
Outline
<SNIP>
It does in fact allow you to run code of your choosing on a victim's machine by creating a specially crafted web page and sound scheme file.
You're absolutely correct. I can confirm this on:
ICQ: 2000b (The problem goes back 3 years!)
OS: Windows 2000 Professional SP2 (with all hotfixes and Windows updates)
IE: 6.0.2600.0000 (again, with ALL latest fixes/patches and Windows updates)

So what we have here is a rather serious flaw, which affects all versions of ICQ from at least version 2000b onward... and I am told (yeah I know, hearsay) this is working on 2000a as well. Jelmer's workaround of changing the SCM extension in folder options does appear to do the job, although I recommend unmapping the extension altogether... or turning off scripting entirely, as this is VERY easy to exploit and extremely serious...

-Stan Bubrouski
Explanation and example

I have created an example exploit on http://www.xs4all.nl/~jkuperus/icq/icq.htm that starts a little flame program. It works as follows: the default action for ICQ sound scheme (scm) files is open; it places the wav files included with the scm file in a known location on the hard disk. flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1]. The scm file I use creates an auth.wav file. In reality, however, this is not a wav file but an mht (mail archive file) with an embedded base64-encoded executable. Then I use one of the many available local code execution vulnerabilities found in Internet Explorer recently to execute the embedded binary with this URL:

mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.exe

I don't think it's necessary to use one of IE's exploits, as you can also call html files in the mht archive, but for some reason I wasn't able to get this to work right away.

Workaround

For a short-term solution, open Explorer (the file manager, not the browser), go to the File Types tab in Tools > Folder Options, locate the scm extension and change the default behaviour to prompt before download. In the long term ICQ will have to use something like random folder names for sound schemes to prevent this from happening.
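A defender-side check for the masquerade described above, added here as an example and not code from this thread: the dropped "wav" is an MHT archive by content, so a scan of the sound-scheme folder can flag .wav files that lack a RIFF/WAVE header and carry MIME markers. The folder path is a parameter (an assumption), and the sample bytes are constructed.

```python
import os
import re

# Genuine WAV files start with a RIFF header whose form type is "WAVE".
RIFF_MAGIC = b"RIFF"
WAVE_FORM = b"WAVE"

# Markers typical of an MHT (MIME HTML / web archive) file carrying a base64 part.
MHT_MARKERS = (
    re.compile(rb"^MIME-Version:", re.I | re.M),
    re.compile(rb"^Content-Type:\s*multipart/related", re.I | re.M),
    re.compile(rb"^Content-Transfer-Encoding:\s*base64", re.I | re.M),
)

def classify_wav_bytes(data: bytes) -> str:
    """Return 'wav' for a real RIFF/WAVE file, 'mht' when the bytes look like
    a MIME archive, otherwise 'unknown' (not a WAV either way)."""
    if data[:4] == RIFF_MAGIC and data[8:12] == WAVE_FORM:
        return "wav"
    head = data[:4096]  # MIME headers sit at the start of the file
    hits = sum(1 for pat in MHT_MARKERS if pat.search(head))
    return "mht" if hits >= 2 else "unknown"

def find_masquerading_wavs(sounds_dir: str) -> list:
    """Walk a sound-scheme folder (path is an assumption) and list .wav files
    whose content is not RIFF/WAVE, with the classification of each."""
    findings = []
    for root, _dirs, files in os.walk(sounds_dir):
        for name in files:
            if not name.lower().endswith(".wav"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                kind = classify_wav_bytes(fh.read(65536))
            if kind != "wav":
                findings.append((path, kind))
    return findings

# Constructed samples, not real files from the thread.
GENUINE_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 28
FAKE_WAV_MHT = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\r\n\r\n"
    b"------=_NextPart\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Location: file:///C:/fire.exe\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"QUJDREVGRw==\r\n"  # constructed base64 fragment, not a real binary
)
```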