Vulnerability Development mailing list archives
Re: icq 2000 ads
From: Thierry <thierry () PURGE-IT COM>
Date: Thu, 22 Feb 2001 20:26:53 +0000
> Has anyone checked the actual data received from
Yes. (see my previous post)
> http://cb.icq.com/cb/431/datafiles/regupdat.cb ?? There appears to be the possibility of forging/hacking/spoofing the domain and generating a custom cb file. The data I received has a registry key included in it, one that *may* be capable of being changed to anything ( HKCU/Software/Windows/CurrentVersion/Run sound likely?) and therefore a virus/trojan/worm etc could be downloaded or run at next bootup.
Yup. Using ftp.exe as an example. Still, it would need an immediate internet connection.
> [part of the .cb file I just retrieved]
>
> <root>
>   <item>
>     <version>431</version>
>     <from>430</from>
>     <to>431</to>
>     <key>Software\Mirabilis\ICQ\DefaultPrefs\</key>
>     <item>MOTDTime</item>
>     <deletekey>false</deletekey>
>     <type>2</type>
>     <value>t</value>
>     <binary>
>       <param>
>         <_type>integer</_type>
>         <val>30</val>
>       </param>
>     </binary>
>   </item>
>   .....
>
> Allowing any program to automatically update the registry from an online script is not my idea of security. Possibly this is an area that should be inspected and checked to ensure Mirabilis has locked in limits to the registry keys they permit their .cb files to alter.
>
> My firewall detected access to this URL even though I have specifically requested that ICQ not attempt to update itself through both configuration and registry. I have now locked this domain out while I have ICQ running and after a few minutes, ICQ stops trying to connect and force an update I have no wish to do.
>
> Aussie PGP Key Block available at: http://aussie.mine.nu/aussie/pgp_key.txt
A forged host entry (host.) would be enough to redirect the URL access to a forged reg update. Still, this would require the attacker to already have breached the system.

--
Thierry Z. | Security | 0-day everyday
http://www.Sniff-em.com | http://www.TLSecurity.net | http://www.Purge-It.com
"Military justice is to justice what military music is to music." -- Groucho Marx
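Aussie's suggestion above, that the updater should enforce limits on which registry keys a .cb file may touch, can be checked from the defender's side by parsing the file before anything is applied. The following is an added example, not ICQ/Mirabilis code and not from either poster: it parses a constructed .cb fragment modelled on the one quoted in the thread (with a second, out-of-scope item added for illustration) and flags any `<key>` that falls outside an assumed vendor allowlist.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the regupdat.cb fragment quoted in the
# thread. The second item is invented here to show an out-of-scope key.
SAMPLE_CB = r"""<root>
  <item>
    <version>431</version><from>430</from><to>431</to>
    <key>Software\Mirabilis\ICQ\DefaultPrefs\</key>
    <item>MOTDTime</item>
    <deletekey>false</deletekey>
    <type>2</type>
    <value>t</value>
    <binary><param><_type>integer</_type><val>30</val></param></binary>
  </item>
  <item>
    <version>431</version><from>430</from><to>431</to>
    <key>Software\Microsoft\Windows\CurrentVersion\Run\</key>
    <item>Updater</item>
    <deletekey>false</deletekey>
    <type>1</type>
    <value>ftp.exe</value>
  </item>
</root>"""

# Assumed policy (not documented by Mirabilis): an updater may only
# write beneath its own vendor subtree of HKCU.
ALLOWED_PREFIXES = ("software\\mirabilis\\icq\\",)

def normalize_key(key):
    """Lower-case, unify slashes, and drop an explicit HKCU hive prefix."""
    norm = key.replace("/", "\\").lower()
    for hive in ("hkcu\\", "hkey_current_user\\"):
        if norm.startswith(hive):
            norm = norm[len(hive):]
    return norm

def audit_cb(xml_text, allowed=ALLOWED_PREFIXES):
    """Return (key, value_name, permitted) for every top-level <item>."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.findall("item"):          # direct children only
        key = item.findtext("key") or ""       # missing <key> -> rejected
        name = item.findtext("item") or ""     # nested <item> is the value name
        permitted = normalize_key(key).startswith(allowed)
        findings.append((key, name, permitted))
    return findings

def rejected_keys(xml_text, allowed=ALLOWED_PREFIXES):
    """Keys a policy-enforcing updater should refuse to apply."""
    return [k for k, _, ok in audit_cb(xml_text, allowed) if not ok]
```

Any key returned by `rejected_keys` is one an update script should never be allowed to write, regardless of whether the download itself was spoofed.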