exploit the possibilities


Posted Jan 21, 2000
Site oliver.efri.hr

OS tested was Windows 2000 and ICQ v99b ICQ is a very popular chat client that is affected by a exploitable buffer overflow when it parses an URL sent by another user. What this means is that arbitary assembly code can be run on the remote machine.

tags | exploit, remote, overflow
systems | windows, 2k
MD5 | 9998385f5f48e4537086965b5792b345


Change Mirror Download



Icq v99b


Drew Copley found following. OS tested was Windows 2000 and ICQ
v99b ICQ is a very popular chat client that is affected
by a exploitable buffer overflow when it parses an URL sent by
another user. What this means:

* one, arbitary assembly code can be run on the remote machine.
(Therefore, a shell could be spawned, a trojan executed, or
perhaps easiest of all the hard drive could be wiped.)

* two, this did not take very long to find, and generally, if
there is not bounds checking in one place, then there is not
going to be bounds checking in other places as well. While ICQ
is not likely to be run on a "hub of commerce" server... it is
run on millions of systems, and someone could use a script to
spam these millions of systems with such an URL... from there
a timed distributed network attack could be launched. (Timed
because of the dynamic IP's).

When sending a URL link through a message in ICQ, it is possible
to overflow the buffer and control the instruction execution.
<FONT COLOR="#00FF00">
The exclamation marks are where EBP is overwritten. The four
characters after that are where EIP is overwritten. This link
puts a jump esp into the EIP, bringing the flow of execution back
into the buffer to the place right at the end of the URL, after
the last NOP's after the EIP (tested on w2k final beta).

So, basically, you just tack the exploit code onto the end of the
URL above, and the machine will run it. It should be pretty easy
to jump the stack as well. Some characters are not allowed,
making this slightly more difficult. ",", opcode 2C is not
allowed, "]"'s are not allowed, and opcode "01" is not allowed.
Pretty much anything else is.

Explicit example would be as it follows. You click on someone in
your ICQ to send them a message, you cut and past the above code
into the message. When they receive and click on the link to
jump to the location the exploit code tacked onto the end would
be executed.

To tack the exploit assembly code on there, write it up, asssemble
it... get the opcodes, then use something like UltraEdit32 to
paste the binary characters onto the end of the URL. Such code
may be pieced together from freeware assembly scripts and etc.

However, some people believe that buffer overflow is in the
regular text messages, NOT the URL messages. ICQ usually parses
and highlights URL's typed into messages. When sending a really
long URL in a message with the same version of ICQ under Windows
98 the client will crash as soon as you click on the URL. It
will also die if you open up the message in the history and click
on the URL. The overflow doesn't happen just by viewing the
message - you have to click on the URL. If that's the case, you
might just be able to avoid the problem by not clicking on those
long urls.

One way to duplicate bad behaviour is to:
<FONT COLOR="#00FF00">
- Copy the original URL from the original notice (sites.yahoo etc)
to include the binary exclamation marks et. all.
- Downloaded complied assembly code for a little cube generator
and open in UE32.
- Paste in the URL etc.
- Copy all of it and paste it into the URL section of ICQ's send
a web address.
- Con your wife into opening the URL.
- Listen to her bitch at you for crashing her computer.
Doing this did not execute the binary code that was placed at the
end of the URL but did cause an unwanted, adverse reaction from
the OS Win 98 Release1. That resulted in a reboot.

Somehow you cant send normal messages with more than 450
characters or whatever but if you start with http://www... ICQ
doesnt seem to check it and messages with 2000 characters were no


Fix: Don't accept communication with people you don't know. Test
your software yourself for bugs, especially under Windows where
incidents are not likely to quickly end up in CERT or similiar

There is a much simpler fix available, go into the Preferences
window, select the Events tab, select the URL setting on the
"Select Event to Configure" combobox and then select "Auto
Decline." This appears to shut down the http event.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By