Home page logo
/

bugtraq logo Bugtraq mailing list archives

CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client
From: CORE Security Technologies Advisories <advisories () coresecurity com>
Date: Mon, 05 May 2003 16:44:47 -0300

                     Core Security Technologies Advisory
                         http://www.coresecurity.com

               Multiple Vulnerabilities in Mirabilis ICQ client


Date Published: 2003-05-05

Last Update: 2003-05-02

Advisory ID: CORE-2003-0303

Bugtraq IDs: 7461, 7462, 7463, 7464, 7465, 7466

CVE Names: CAN-2003-0235, CAN-2003-0236, CAN-2003-0237,
           CAN-2003-0238, CAN-2003-0239

Title: Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a client

Class: Remote Code Execution;
       Denial of Service;
       Boundary Error Condition (Buffer Overflow);
       Design/implementation error.

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10

Vendors contacted:
 - Mirabilis
 We sent notifications mails to the following addresses:
 security () icq com, secure () icq com, webmaster () icq com,
 support () icq com, several times during March and April (2003-03-11,
 2003-03-24, 2003-04-11) and never received an answer from Mirabilis.

Release Mode: USER RELEASE


*Vulnerability Description:*

 Mirabilis ICQ client is a popular program that enables users to
 communicate through instant messaging, chat, sending emails, SMS and
 wireless-pager messages, as well as transfering files and URLs.
 The ICQ client offers other client services, for more information
 about ICQ see: http://www.icq.com/products/whatisicq.html
        
 Six security vulnerabilities were found that could lead to various
 forms of exploitation ranging from denying users the ability to use
 ICQ services to execution of arbitrary commands on vulnerable systems.
 The following vulnerabilities were found:

 [BID 7461, CAN-2003-0235] POP3 Client Format String in UIDL Field:
 ICQ provides an integrated POP3 client vulnerable to a format string
 attack in the UIDL command server response string (the unique-id of a
 message). This vulnerability can be successfully exploited by an
 attacker able to impersonate the POP3 server.

 [BID 7462, CAN-2003-0236] "Subject" signed overflow in POP3 Client:
 ICQ provides an integrated POP3 client vulnerable to a 16bit sign
 overflow in the "Subject" field of e-mail headers. An attacker may be
 able to execute arbitrary commands by sending a malformed e-mail
 header to a vulnerable client.

 [BID 7463, CAN-2003-0236] "Date" signed overflow in POP3 Client:
 ICQ provides an integrated POP3 client vulnerable to a 16bit sign
 overflow in the "Date" field of e-mail headers. An attacker may be
 able to execute arbitrary commands by sending a malformed e-mail
 header to a vulnerable client.

 [BID 7464, CAN-2003-0237] ICQ Features on Demand spoofing attack:
 ICQ provides a semi-automated functionality for upgrading client
 services (i.e.: ICQ Phone, ICQ Web Search, etc) called "ICQ Features
 on Demand" vulnerable to a spoofing attack due to hard-coded
 information and lack of authentication signatures.
 By taking advantage of this vulnerability, an attacker will be able to
 install malicious software that could lead to execution of arbitrary
 commands as well as other important security breaches.

 [BID 7465, CAN-2003-0238] Message advertisements denial of service attack:
 ICQ displays advertisements inside a message window (called 'Message
 Session') by using a proprietary HTML parsing/rendering library
 vulnerable to malformed tags input.
 By impersonating the static ADS server, an attacker may send malformed
 HTML code to the ADS rendering window freezing the ICQ interface and
 using 100% CPU.

 [BID 7466, CAN-2003-0239] Input validation error in ICQ's GIF
 parsing/rendering library:
 ICQ implements its own image parsing/rendering library (found in
 'icqateimg32.dll') vulnerable to an input validation error, causing a
 denial of service. The problem is triggered while parsing GIF89a headers.


*Vulnerable Packages:*

 Mirabilis ICQ Pro 2003a and previous versions.


*Credits:*

 These vulnerabilities were found by Lucas Lavarello, Daniel Benmergui,
 Norberto Kueffner and Fernando Russ from Core Security Technologies
 during Bugweek 2003 (March 3-7, 2003).


*Technical Description*

 [BID 7461, CAN-2003-0235]
 POP3 Client Format String in UIDL Field

 ICQ's integrated POP3 client is a COM object found inside POP3.dll.
 The client is vulnerable to a format string attack in the UIDL command
 server response string (the unique-id of a message) :

 "The unique-id of a message is an arbitrary server-determined string,
 consisting of one to 70 characters in the range 0x21 to 0x7E, which
 uniquely identifies a message within a maildrop and which persists
 across sessions" as described in RFC 1939
 (found in http://www.ietf.org/rfc/rfc1939.txt).

 By the insertion of format strings as part of a UIDL response message,
 the POP3 client can be forced to execute arbitrary commands.


 [BID 7462, CAN-2003-0236]
 "Subject" signed overflow in POP3 Client

 ICQ's integrated POP3 client is a COM object found inside POP3.dll.
 The client is vulnerable to a sign overflow attack in the "Subject"
 field of e-mail headers.

 The length of the "Subject" field is stored in a 16 bit (short) signed
 integer, allowing an attacker to send a malicious e-mail along with a
 long "Subject" field of around 33k octets overflowing the sign of the
 variable and causing a negative value.

 This attack results in the client throwing a self unhandled exception,
 crashing the client.


 [BID 7463, CAN-2003-0236]
 "Date" signed overflow in POP3 Client

 ICQ's integrated POP3 client is a COM object found inside POP3.dll.
 The client is vulnerable to a sign overflow attack in the "Date" field
 of e-mail headers.

 The length of the "Date" field is stored in a 16 bit (short) signed
 integer, allowing an attacker to send a malicious e-mail along with a
 long "Date" field of around 32k octets overflowing the sign of the
 variable and causing a negative value.

 This attack results in the client throwing a handled exception,
 instantly closing the client.


 [BID 7464, CAN-2003-0237]
 ICQ Features on Demand spoofing attack

 The URL from where the requested 'Features on Demand' are downloaded
 is hard-coded inside a file called "Packages.ini" found inside the
 subdirectory "\DataFiles" in ICQ's default installation path. The
 value named "DataURL" which belongs to the section "[General]" holds a
 static address from where the client will download user requested
 packages.

 An attack is possible due to the lack of authentication methods
 applied to new downloaded packages. An attacker will be able to
 impersonate the 'package repository service' by spoofing the
 hard-coded address, being able to install malicious software that
 could lead to the execution of arbitrary commands as well as other
 important security breaches.


 [BID 7465, CAN-2003-0238]
 Message advertisements denial of service attack

 The URL from where the HTML ads are downloaded has the following format:
 "http://web.icq.com/client/ate/ad-handler/ad_468/0,,[RANDOM],00.htm";
 Being [RANDOM] a signed 16 bit random number. Note that the ","
 characters don't get  encoded in their respective US-ASCII escape
 encoding.

 The HTTP request follows certain rules:
 - It is an HTTP/1.0 request
 - The request has a "Refer:" to itself
 - The "User-Agent:" is "Mozilla/4.08 [en] (WinNT; U; Nav)"
 - The "Accept:" header must be  "*/*"

 The HTML parsing/rendering library is vulnerable to erroneous
 attributes specified in the <table> tag. By specifying a "width"
 attribute of value "-1", the library will use 100% CPU, freezing the
 ICQ interface.

 The attack is possible due to the lack of authentication methods
 applied to requests. An attacker will be able to impersonate the "ADS
 server" by spoofing the semi hard-coded address, being able to deny to
 users the usage of ICQ services.


 [BID 7466, CAN-2003-0239]
 Input validation error in ICQ's GIF parsing/rendering library

 While parsing GIF89a header files, ICQ's GIF parsing/rendering library
 expects either an existing GCT (Global Color Table) or an LCT (Local
 Color Table) after an "Image Descriptor". When none of these color
 tables exist, the library will malfunction leading to a denial of
 service.

 The GIF89a file format has a section called "Logical Screen Descriptor":
 (from GIF89a specification, which can be found at
 ftp://ftp.ncsa.uiuc.edu/misc/file.formats/graphics.formats/gif89a.doc)

      7 6 5 4 3 2 1 0        Field Name                         Type
     +---------------+
  0  |               |       Logical Screen Width               Unsigned
     +-             -+
  1  |               |
     +---------------+
  2  |               |       Logical Screen Height              Unsigned
     +-             -+
  3  |               |
     +---------------+
  4  | |     |  |    |       <Packed Fields>                    See below
     +---------------+
  5  |               |       Background Color Index             Byte
     +---------------+
  6  |               |       Pixel Aspect Ratio                 Byte
     +---------------+

     <Packed Fields>  =      Global Color Table Flag            1 Bit
                             Color Resolution                   3 Bits
                             Sort Flag                          1 Bit
                             Size of Global Color Table         3 Bits

 This section describes the screen size, the pixel aspect ratio, background
 color index, etc, and a set of fields (<Packed Fields>) which has the
 "Global Color Table Flag" bit indicating the presence of a Global
 Color Table; if the flag is set, the Global Color Table will
 immediately follow the "Logical Screen Descriptor", this flag also
 selects the interpretation of the "Background Color Index"; if the
 flag is set, the value of the "Background Color Index" field should be
 used as the table index of the background color.

 After the "Logical Screen Descriptor" or (if present) the "Global
 Color Table", there is an "Image Descriptor" per image compressed
 inside the GIF file with the following format:

      7 6 5 4 3 2 1 0        Field Name                    Type
     +---------------+
  0  |               |       Image Separator               Byte
     +---------------+
  1  |               |       Image Left Position           Unsigned
     +-             -+
  2  |               |
     +---------------+
  3  |               |       Image Top Position            Unsigned
     +-             -+
  4  |               |
     +---------------+
  5  |               |       Image Width                   Unsigned
     +-             -+
  6  |               |
     +---------------+
  7  |               |       Image Height                  Unsigned
     +-             -+
  8  |               |
     +---------------+
  9  | | | |   |     |       <Packed Fields>               See below
     +---------------+

     <Packed Fields>  =      Local Color Table Flag        1 Bit
                             Interlace Flag                1 Bit
                             Sort Flag                     1 Bit
                             Reserved                      2 Bits
                             Size of Local Color Table     3 Bits

 (From GIF89a specification)

 The set of fields (<Packed Fields>) found in an "Image Descriptor"
 include a "Local Color Table Flag" bit indicating the presence of a
 Local Color Table; if the flag is set, the Local Color Table will
 immediately follow the "Image Descriptor".


*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.
 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit http://www.coresecurity.com/products/coreimpact


*DISCLAIMER*

 The contents of this advisory are copyright (c) 2003 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: ICQ-advisory.txt,v 1.5 2003/05/03 00:17:15 carlos Exp $


  By Date           By Thread  

Current thread:
  • CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client CORE Security Technologies Advisories (May 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault