ICQ Instant Messaging Client Can Be Crashed When Malformed '.hpf' Files are Loaded

Date: Apr 23 2002
Impact: Denial of service via local system, Denial of service via network
Exploit Included: Yes
Version(s): 2002a #3722

Description: A vulnerability was reported in the ICQ chat software. A remote user can create HTML with a certain embedded file extension to cause the ICQ client to crash.

A remote user can create an HTML file that, when loaded on the target (victim) user's browser, will cause a file with a .hpf extension to be loaded. Apparently, ICQ registers the .hpf (ICQ Home Page Factory) file extension with Windows upon installation. A malformed .hpf file will reportedly cause ICQ to crash.

A demonstration exploit file is available at:
http://sztolnia.pl/hack/icqkiller/icqkiller.hpf

Impact: A remote user can cause another user's ICQ client to crash.

Solution: No solution was available at the time of this entry.

Vendor URL: www.icq.com/

Cause: Exception handling error

Underlying OS: Windows (Any)

Reported By: <silentsupporter@poczta.onet.pl>

Message History:
None.

Source Message Contents
Date: 14 Apr 2002 13:25:07 -0000
From: <silentsupporter@poczta.onet.pl>
Subject: Possible vulnerabilities of ICQ files opened in IE or OE

Hello everybody,

Sorry for my lingo, but I had to learn it in a huge pain.
However, if you don't like or cannot understand it, try
to learn Polish instead [gotcha =o)]

Maybe it's an old topic, but maybe not.

While playing with ICQ I have found that the program
registers for its own use files with .uin extension. Of
course it's not a big deal, but what's really interesting,
is about to be described in a moment.

.uin files may be opened from any homepage and
Internet Explorer does not ask for confirmation while
opening them.

After I had found it out, the next idea was to:
- check other file extensions in Registry that are
  registered by ICQ
- test if the browser opens them in the same way as
  above

ICQ registers the following extensions in Registry
- .pnq - ICQ Plugin
- .scm - ICQ Sound Scheme
- .uin - ICQ User
- .hpf - ICQ Home Page Factory

What I did was very trivial. I created some test files
and then I clicked them one by one in Windows
Explorer. The prize was waiting with a .hpf extension.
A simple file with a few lines of text inside, when
clicked, it killed my ICQ at once.

So, the next step was to check if it works from the
Internet. It did, aussi.

I am too busy at the moment to play with a debugger
and look further for real exploits, but I bet it is
possible to find some, because according to the way
it worked while I've been testing, ICQ does not check
the content of the files before usage. I bet that some
vulnerable code should be really easy to create.

Conclusion:
The first impression is that it may be used to kill ICQ
only, but I bet that running specific code would be
possible too. If you remember that it may be opened
through Internet Explorer without notice, a lot of
possible scenarios come to mind at once - does
attachment for OE sound familiar =o)? It works.
Worms may use it easily.

To test what was described above:
- run ICQ
- go to my home page and open this link
  http://sztolnia.pl/hack/icqkiller/icqkiller.hpf
  it contains only a few lines of text

Tested on
IE 6.0
ICQ 2002a #3722

Off-topic:
As this is my first post to bugtraq I want to introduce
myself in just a second. My name is Adam
Blaszczyk, I am the author of two books about
computer viruses and malware published in 1998
and 2001 and around 20 articles about security and
malware, published in leading computer magazines
in Poland. I love my wife Ka Kee and I wait
impatiently till she comes to me from Hong Kong in
June, 2002. I mention here cuz ... I miss her like hell,
hope you don't mind guys =o)

Adam Blaszczyk
silentsupporter_poczta_onet_pl
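
The registry check described in the message, written as a defensive audit (an added example, not part of the original post or of SecurityTracker's entry): for each extension it reports the registered handler and whether the file class is flagged as safe to open for downloaded files. The message does not say which setting suppressed the browser prompt; testing the `EditFlags` value for the `FTA_OpenIsSafe` bit is an assumption about one known mechanism, and `Get-ExtensionHandler` is a hypothetical helper name.

```powershell
# Added example: report how given extensions are registered under HKEY_CLASSES_ROOT.
# Assumption: the missing confirmation prompt is controlled by the class's EditFlags.
$FTA_OpenIsSafe = 0x00010000  # FILETYPEATTRIBUTEFLAGS: open verb is safe for downloaded files

function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string[]]$Extension)

    foreach ($ext in $Extension) {
        $progId = $null; $command = $null; $flags = $null
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (Test-Path -LiteralPath $extKey) {
            # The default value of HKCR\<.ext> names the ProgID that handles the type.
            $progId = (Get-Item -LiteralPath $extKey).GetValue('')
        }
        if ($progId) {
            $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
            if (Test-Path -LiteralPath $progKey) {
                $flags = (Get-Item -LiteralPath $progKey).GetValue('EditFlags')
            }
            $cmdKey = "$progKey\shell\open\command"
            if (Test-Path -LiteralPath $cmdKey) {
                # The program (and arguments) started when a file of this type is opened.
                $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
            }
        }
        # EditFlags is stored either as REG_DWORD or as a 4-byte REG_BINARY.
        if ($flags -is [byte[]]) {
            $flags = if ($flags.Length -ge 4) { [BitConverter]::ToInt32($flags, 0) } else { $null }
        }
        [PSCustomObject]@{
            Extension          = $ext
            ProgId             = $progId
            OpenCommand        = $command
            EditFlags          = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            OpensWithoutPrompt = ($null -ne $flags) -and (($flags -band $FTA_OpenIsSafe) -ne 0)
        }
    }
}

# The four extensions listed in the message above.
Get-ExtensionHandler -Extension '.pnq', '.scm', '.uin', '.hpf' | Format-Table -AutoSize
```

Rows with an empty `ProgId` mean the extension is not registered on the machine being audited.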