[22416] in bugtraq
RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
daemon@ATHENA.MIT.EDU (Chris)
Sat Aug 25 04:21:00 2001
Message-Id: <5.0.2.1.0.20010824234022.009f5ec0@pop.blazenetme.net>
Date: Sat, 25 Aug 2001 00:13:19 -0400
To: BUGTRAQ@securityfocus.com
From: Chris <wickedc@suscom-maine.net>
In-Reply-To: <000801c12cc3$4ee415a0$0f01a8c0@tiac.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
>I suspect this bug is also exploitable from HTML email by including the
>magic ICQ URL in an <IFRAME> tag embedded in the message.
>
>Richard
This could also be exploited through html using the refresh meta tag...
When viewing the originating email of this thread in the eudora 5.0 preview
window, (while "Microsoft's viewer" [which is really just IE] was enabled
in the options) the META tag was read and executed and the preview window
was refreshed to show "[ICQ User] UIN= Email= NickName= FirstName= LastName="
I suspect this information was displayed rather then executed due to the
fact that i don't have ICQ installed on this machine, and therefore no mime
type exists for such content on this machine. I was unable to test this
with ICQ installed since windows' and AOL's programming (mirabillis is
owned by AOL, don't you know?) makes ICQ crash every time its started.
However, this shows that its possible for a refresh meta tag to effect a
PREVIEW window and execute the add user content. Can We Say, "Email Tracking"?
This could be (scarily) used by spammers to track valid email addresses.
With a simple program to interface with ICQ or an ICQ dummy client (that
only listens for "User has added you" messages), the spammer would be able
to verify the email address through the email address listed in the ICQ
user's profile, the spammer now also has the user's ICQ number, giving them
yet another medium to spam over.
Just more scary they're-all-out-to-get-you things to think about =)
- Chris
>-----Original Message-----
>From: AreS [mailto:ares@security-downloads.com]
>Sent: Wednesday, August 22, 2001 6:14 PM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
>
>Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
>
>Topic: ICQ Forced Auto-Add Users
>Announced: 2001-08-17
>Affects: ICQ 200x* up to 2001a Alpha
>
>DISCLAIMER:
>***********
>THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
>THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
>THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
>
>I. Problem Description
>**********************
>ICQ is a popular and free chat program, with over 108,022,319 users all
>over the world. When ICQ is installed, it adds a Content-Type to
>Microsoft Internet Exploder, the "application/x-icq" type. When IE
>receives "Content-Type: application/x-icq" from a web server and
>following content:
