[26226] in bugtraq
Re: ICQ and MSIE allow execution of arbitrary code
daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Thu Jul 18 22:58:46 2002
Message-ID: <3D3581B4.7050903@ccs.neu.edu>
Date: Wed, 17 Jul 2002 10:39:48 -0400
From: Stan Bubrouski <stan@ccs.neu.edu>
MIME-Version: 1.0
To: Jelmer <jelmer@kuperus.xs4all.nl>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Jelmer wrote:
>>>Outline<<
>>>
>>>
<SNIP>
>It does in fact allow you to run code of your choosing on a victim's machine
>by creating a specially crafted webpage and sound scheme file
>
>
You're absolutely correct. I can confirm this on:
ICQ: 2000b (The problem goes back 3 years!)
OS: Windows 2000 Professional SP2 (With all hotfixes and windows updates)
IE: 6.0.2600.0000 (again, with ALL latest fixes/patches and windows updates)
So what we have here is a rather serious flaw, which affects all
versions of ICQ from at least version 2000b onward... and I am told (yeah I
know, hearsay) this is working on 2000a as well. Jelmer's workaround of
changing the SCM extension in folder options does appear to do the job,
although I recommend unmapping the extension altogether... or turning off
scripting entirely, as this is VERY easy to exploit and extremely serious...
-Stan Bubrouski
>
>
>>>Explanation and example<<
>>>
>>>
>
>I have created an example exploit on
>
>http://www.xs4all.nl/~jkuperus/icq/icq.htm
>
>that starts a little flame program
>
>It works as follows
>
>the default action for ICQ sound scheme (scm) files is "open": it places the wav
>files included with the scm file in a known location on the hard disk.
>
>flame.scm will be downloaded and installed in C:\Program
>Files\ICQ\Sounds\flame[1]
>the scm file I use creates an auth.wav file.
>
>In reality however this is not a wav file but a mht (mail archive file) with
>an embedded base64 encoded executable
>
>then I use one of the many available local code execution vulnerabilities
>found in internet explorer recently to execute the embedded binary with this
>url :
>
>mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.e
>xe
>
>I don't think it's necessary to use one of IE's exploits as you can also call
>html files in the mht archive, but for some reason I wasn't able to get this
>to work right away.
>
>
>>>Workaround <<
>>>
>>>
>
>For a short term solution
>
>open explorer (the file manager not the browser)
>go to the file types tab in tools > folder options
>
>locate the scm extension and change the default behaviour to prompt before
>download
>
>In the long term ICQ will have to use something like random folder names for
>sound schemes to prevent this from happening
>
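A defender-side check for the trick Jelmer describes above (a file named .wav that is really an MHT archive carrying a base64-encoded executable), as an added example that is not part of the original thread or of ICQ: it tells a genuine RIFF/WAVE header from MIME headers, walks the MIME parts with Python's standard `email` parser, and flags any part whose decoded body begins with the MZ magic of a Windows executable. The sample archive is constructed inline with a dummy payload (not a real program); the function names and verdict strings are this example's own.

```python
"""Classify a supposed .wav file: real WAVE audio, or an MHT/MIME archive
hiding an executable part. Added example, not code from the original post."""
import base64
import email
from email import policy

# Verdict strings returned by classify(); names chosen for this example.
VERDICT_WAV = "ok: genuine RIFF/WAVE file"
VERDICT_MIME_EXE = "suspicious: MIME archive carrying an executable (MZ) part"
VERDICT_MIME = "suspicious: MIME archive, no executable part found"
VERDICT_UNKNOWN = "unknown: neither WAVE nor MIME"


def looks_like_wav(data: bytes) -> bool:
    # A real WAV file starts with the RIFF chunk id and the WAVE form type.
    return data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def looks_like_mime(data: bytes) -> bool:
    # MHT archives begin with RFC 822 style headers; the first 2 KiB is enough.
    head = data[:2048].lower()
    return b"mime-version:" in head or b"content-type:" in head


def embedded_executables(data: bytes) -> list:
    """Parse the archive and list (filename, content-type) for every
    non-multipart part whose decoded body begins with the MZ magic."""
    msg = email.message_from_bytes(data, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True)  # undoes base64/quoted-printable
        if body and body[:2] == b"MZ":
            hits.append((part.get_filename() or "<unnamed>", part.get_content_type()))
    return hits


def classify(data: bytes) -> str:
    """Decide what a file that claims to be audio actually is."""
    if looks_like_wav(data):
        return VERDICT_WAV
    if looks_like_mime(data):
        return VERDICT_MIME_EXE if embedded_executables(data) else VERDICT_MIME
    return VERDICT_UNKNOWN


# Constructed sample: bytes that merely start with "MZ"; not a real PE image.
FAKE_EXE = b"MZ" + b"\x00" * 30 + b"constructed dummy, not a real program"


def build_sample_mht(payload: bytes = FAKE_EXE) -> bytes:
    """Build a constructed two-part MHT: an HTML part plus a base64 payload part."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_SAMPLE"\r\n'
        "\r\n"
        "------=_SAMPLE\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>sound scheme</body></html>\r\n"
        "------=_SAMPLE\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="payload.bin"\r\n'
        "\r\n"
        + b64
        + "------=_SAMPLE--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    real_wav = b"RIFF\x24\x00\x00\x00WAVEfmt "  # constructed minimal header
    print("real wav  ->", classify(real_wav))
    print("fake .wav ->", classify(build_sample_mht()))
    print("parts     ->", embedded_executables(build_sample_mht()))
```

Running the block on a directory of ICQ sound files would mean reading each `.wav` and calling `classify()` on its bytes; anything that does not come back as a RIFF/WAVE file deserves a look, and an MZ hit inside a MIME part is exactly the pattern the quoted post relies on.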