exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

INFIGO-2008-04-08.txt

INFIGO-2008-04-08.txt
Posted Apr 16, 2008
Authored by Leon Juranic | Site infigo.hr

INFIGO IS's security team has identified a critical remote buffer overflow vulnerability in the latest ICQ version (ICQ 6.0).

tags | advisory, remote, overflow
SHA-256 | f15fcb7c39b1de855c85925767b7a551daaddf85fabc42a30d0971f234fc959e

INFIGO-2008-04-08.txt

Change Mirror Download
                                                                     

INFIGO IS Security Advisory #ADV-2008-04-08
http://www.infigo.hr/en/



Title: ICQ 6 remote buffer overflow vulnerability
Advisory ID: INFIGO-2008-04-08
Date: 2008-04-14
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-04-08
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote


==[ Overview

ICQ (I Seek You) Instant Messenger is one of the most popular internet
chat software. Since 1996, it has grown to a community of over 180
million users. It has features for instant messaging, chat, sending
e-mail, SMS, file transfer, wireless-pager messages, etc.


==[ Vulnerability

INFIGO IS's security team identified a critical remote buffer overflow
vulnerability in the latest ICQ version (ICQ 6.0). In newer versions,
ICQ has a 'Personal Status Manager' feature, where a user can specify
text messages for his status/mood (online/offline/etc.). The specified
message will be visible in the title part of a remote user's ICQ chat
window, when a chat session is initiated.

When a user writes a message in the status manager, the text string is
processed with the boxelyRenderer module. The boxelyRenderer module has
a vulnerability in the HTML tags processing code. If malformed HTML tags
are set for the 'status message', boxelyRenderer will try to process the
HTML tags, and a UNICODE heap overflow will occur.

The 'status' string from a remote user is processed by boxelyRenderer
for each new chat session. If the remote user has a malicious 'status
message', ICQ's heap memory will be overflowed.

Upon setting, the status message is sent to ICQ's servers, and will be
stored on them. When another user looks up the malicious user's profile,
or tries to send him a message, even if the malicious user is offline,
the ICQ client will receive the malicious status message from ICQ's
server. In other words, once the malicious user sets his status message,
he doesn't have to be online in order to exploit other vulnerable ICQ
clients.

There are few different exploitation paths for this vulnerability, and
they depend on user actions in ICQ and the current heap state.

Below is an example of malicious HTML code that will crash ICQ:

------
|<a href="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"><img
src="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" border="0" /></a>|
------

When a user sets this HTML code as his 'status message',
ICQ/boxelyRenderer will process it and ICQ will crash. To prevent this,
open ICQ in debugger and set it to ignore INT3 and memory violation
exceptions.

We identified two exploitable scenarios:

Scenario 1:

In this scenario, the ESI register has our input, so we control the EIP
register at the 'CALL' instruction.

boxelyRE:
------
MOV EDX, DWORD PTR DS:[ESI]
PUSH 5A
LEA EAX, DWORD PTR SS:[EBP-2A0]
PUSH EAX
MOV ECX, ESI
CALL DWORD PTR DS:[EDX+8] <- HERE
-------

Scenario 2:

In this scenario, which is harder to exploit, we can write one byte to a
memory location.

ntdll:
-------
MOV BYTE PTR DS:[EDI+6], AL
-------


==[ Affected Version

The vulnerability has been identified in the latest available ICQ
version 6 (build 6043). It was tested on Windows XP SP2 and Windows
2003.


==[ Fix

The vendor has addressed this vulnerability on 1st of March 2008 with an
automatic update.


==[ PoC Exploit

PoC will not be released.


==[ Vendor status

26.02.2008 - Initial contact
26.02.2008 - Initial vendor response
28.02.2008 - Further clarification about the vulnerability
28.02.2008 - Vendor status update
01.03.2008 - Vendor released an automatic update.
14.03.2008 - Vendor status update
14.04.2008 - Coordinated public disclosure


==[ Credits

Vulnerability discovered by Leon Juranic <leon.juranic@infigo.hr>.
Special thanks to Marko Goricki, who pointed on the ICQ crash :-).


==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr/en/
E-mail : infocus@infigo.hr
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close