Re: icq 2000 ads

[Thierry <thierry () PURGE-IT COM>]

>   Has anyone checked the actual data received from

Yes. (see my previous post)

> http://cb.icq.com/cb/431/datafiles/regupdat.cb ??
>   There appears to be the possibility of forging/hacking/spoofing the domain
> and generating a custom cb file. The data I received has a registry key
> included in it, one that *may* be capable of being changed to anything (
> HKCU/Software/Windows/CurrentVersion/Run sound likely?) and therefore a
> virus/trojan/worm etc could be downloaded or run at next bootup.

Yup.
using ftp.exe as example. still it would need immediate internet
connection.

> [part of the .cb file I just retrieved]
> <root>
>         <item>
>                 <version>431</version>
>                 <from>430</from>
>                 <to>431</to>
>                 <key>Software\Mirabilis\ICQ\DefaultPrefs\</key>
>                 <item>MOTDTime</item>
>                 <deletekey>false</deletekey>
>                 <type>2</type>
>                 <value>t</value>
>                 <binary>
>                         <param>
>                                 <_type>integer</_type>
>                                 <val>30</val>
>                         </param>
>                 </binary>
>         </item>
> .....
>
>   Allowing any program to automatically update the registry from an online
> script is not my idea of security. Possibly this is an area that should be
> inspected and checked to ensure Mirabilis has locked in limits to the registry
> keys they permit their .cb files to alter.
>   My firewall detected access to this URL even though I have specifically
> requested that ICQ not attempt to update itself through both configuration and
> registry. I have now locked this domain out while I have ICQ running and after
> a few minutes, ICQ stops trying to connect and force an update I have no wish
> to do.
>
> Aussie
>
> PGP Key Block available at:
> http://aussie.mine.nu/aussie/pgp_key.txt

An forged host entry (host.) would be enough to redirect the url access
to an forged reg upd. Still this would require the attacker to already
have breached the system.


=======================================================================
______ ___
\_   _\\  \  Security                      |  Thierry Z.
  \  \  \  \__ 0-day everyday              |  http://www.Sniff-em.com
   \__\  \____\ http://www.TLSecurity.net  |  http://www.Purge-It.com

"Military justice is to justice what military music is to music."
-- Groucho Marx