Re: ICQ and MSIE allow execution of arbitrary code

["Jelmer" <jelmer () kuperus xs4all nl>]

Please note then that you probably must disable scripting in all zones for
it to work as you can also embed and call html files in the mht file wich
will be called from the local computer zone.
My exploit uses a previously posted internet explorer vulnerability

That allows you to run programs but doesn't allow you to pass parameters ,
so for most purposes its pretty useless other then getting the (generaly
clueless) media in an uproar The only program capable of causing some
anoyance when called with this exploit is logof.exe found on NT, 2000 and XP
wich is really the best you can do with this sort of thing without being
able to specify parameters, Not to downplay the importance of these findings
but they are generally misunderstoud, my exploit leverages this and allows
you to be the one that decides what gets run now you can install trojans,
delete harddisk, send yourself to all your icq contacts you name it , the
posibilities are endless

However most likely it doesnt require it as stated previously, as you can
embed html files in the mht archive aswell that would then be excecuted in
the local zone ( I just didn't get it to work right away and was a little
pressed for time so I chose the easy way out and used one of the the many
available unpatched vulnerability to prove my point)

--
  jelmer


----- Original Message -----
From: "Stan Bubrouski" <stan () ccs neu edu>
To: "Jelmer" <jelmer () kuperus xs4all nl>
Cc: <bugtraq () securityfocus com>
Sent: Wednesday, July 17, 2002 4:39 PM
Subject: Re: ICQ and MSIE allow execution of arbitrary code


> Jelmer wrote:
>
> > > > Outline<<
>
> <SNIP>
>
> > It does infact allow you to run code of your choosing on a victims
machine
> > by creating a specially crafted webpage and sound scheme file
>
> Your absolutely correct.  I can confirm this on:
>
> ICQ: 2000b (The problem goes back 3 years!)
> OS: Windows 2000 Professional SP2 (With all hotfixes and windows updates)
> IE: 6.0.2600.0000 (again, with ALL latest fixes/patches and windows
updates)
> So what we have here is a rather serious flaw, which affects all
> versions of  ICQ from
> at least version 2000b onward...and I am told (yeah I know, hearsay)
> this is working
> on 2000a as well.  Jelmer's workaround of changing the SCM extension in
> folder
> options does appear to do the job, although I recommend unmapping the
> extension
> alltogether... or turning off scripting entirely as this is VERY easy to
> exploit and extremely
> serious...
>
> -Stan Bubrouski
>
> > > > Explaination and example<<
> >
> > I have created an example exploit on
> >
> > http://www.xs4all.nl/~jkuperus/icq/icq.htm
> >
> > that starts a little flame program
> >
> > It works as followed
> >
> > the default action for icq soundscheme (scm) files is open it places the
wav
> > files included with the scm file in a known location on the hard disk.
> >
> > flame.scm wil be downloaded and installed in C:\Program
> > Files\ICQ\Sounds\flame[1]
> > the scm file i use creates a auth.wav file .
> >
> > In reality however this is not a wav file but a mht (mail archive file)
with
> > en embeded base64 encoded executable
> >
> > then i use one of the many available local code execution vulnerabilities
> > found in internet explorer recently to execute the embedded binary with
this
> > url :
>
> mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.
e
> > xe
> >
> > I dont think its necisary to use one of ie's exploit as you can also call
> > html files in the mht archive, But for some reason i wasn't able to get
this
> > to work right away.
> >
> >
> >
> >
> > > > Workaround  <<
> >
> > For a short term solution
> >
> > open explorer (the file manager not the browser)
> > go to the file types tab in  tools > folder options
> >
> > locate the scm extention and change the default behaviour to prompt
before
> > download
> >
> > In the long term icq will have to use something like random foldernames
for
> > soundschemes to prefent this from happening