[22400] in bugtraq


Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

daemon@ATHENA.MIT.EDU (Gustavo Molina)
Fri Aug 24 10:50:29 2001

From: Gustavo Molina <gustavobt@molina.com.br>
To: bugtraq@securityfocus.com
Date: Fri, 24 Aug 2001 10:36:20 -0300
Reply-To: gustavobt@molina.com.br
Message-ID: <i7kcotcm7brojgrr89meqvtegaklkkhqiq@4ax.com>
In-Reply-To: <17917533745.20010823001410@security-downloads.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

On Wed, 22 Aug 2001 19:23:28 -0300 (SPO) , AreS <ares@security-downloads.com>
(AreS) wrote:


>IE will automatically download the content and make ICQ add the uin to
>its contact list.
>
>II. Impact
>**********
>When a webmaster creates a page containing the exploit code, he will
>automatically be added to the victim's contact list.
>This bug can be exploited against almost any program which uses IE to
>display web content.

I believe the impact can be more serious than that. Using JavaScript, one can
easily add hundreds of random users. Then the victim will have a lot of trouble
knowing who was added and who was already on his contact list, as they'll be
mixed.

Privacy-wise, that's an easy way for a site to know who the remote user is,
because of the message "you were added". The webmaster would have, in most
cases, the complete name and e-mail of the person who accessed the site, even if
the user is behind a proxy or firewall.

>
>III. Exploit
>*************
>It's easy to (ab)use the ICQ web server  using  search.dll,  having  it
>send the correct response, using following HTML code:
>
><HTML>
><META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=<uin>">
></HTML>

It works on any page, not only ICQ's. As a proof-of-concept, using 1 line of
Perl, I set up this: http://www.molina.com.br/icq.html

>IV. Solution
>*************
>At this time, no patch from ICQ is available yet.

And probably won't be. I believe they'll consider this more like a feature than
a bug. Otherwise they wouldn't have implemented this. The problem is that they
didn't realize someone could add hundreds of UINs on others' lists. This
can be serious.

One workaround is through the registry.

Just replace
My Computer\HKEY_CLASSES_ROOT\icquser\shell\open\command
with whatever you want. If you leave it blank, you'll receive a warning, and will
know someone tried to exploit it. Using a custom program, you can log the UIN.

As far as I tested, it didn't break any ICQ functionality, but I cannot
guarantee it.

[]'s
Gustavo Molina
Network Administrator - Sao Paulo - Brazil
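
Added example, not part of the original message or of either poster's code: a static scanner that a proxy or mail gateway could run over HTML to find references to the search.dll endpoint quoted in the advisory and pull out the UIN being pushed. It flags the meta-refresh form from the advisory and, conservatively, any src/href attribute pointing at the same endpoint; the function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

URL_ATTRS = ("src", "href")  # attributes checked in addition to meta refresh

def forced_add_uin(url):
    """Return the 'to' value if url targets wwp.icq.com search.dll, else None."""
    parts = urlsplit(url.strip())
    if (parts.hostname or "").lower() != "wwp.icq.com":
        return None
    if not parts.path.lower().endswith("/search.dll"):
        return None
    values = parse_qs(parts.query).get("to")
    return values[0] if values else None

class ForcedAddScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, uin) pairs in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        urls = []
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;URL=http://..."; take what follows URL=
            m = re.search(r"url\s*=\s*['\"]?([^'\">]+)", attrs.get("content", ""), re.I)
            if m:
                urls.append(m.group(1))
        urls += [attrs[a] for a in URL_ATTRS if attrs.get(a)]
        for url in urls:
            uin = forced_add_uin(url)
            if uin is not None:
                self.hits.append((tag, uin))

def scan(html):
    scanner = ForcedAddScanner()
    scanner.feed(html)
    return scanner.hits

# Constructed sample page; the UINs are made-up placeholders.
SAMPLE = """<html><head>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=1000001">
</head><body><img src="http://WWP.ICQ.COM/scripts/search.dll?to=1000002">
<a href="http://wwp.icq.com/scripts/search.dll?to=1000003">add me</a>
<img src="http://example.com/logo.gif"></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

URLs assembled by script at run time, which the reply above mentions, are not visible to an attribute scan like this one.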
