Re: Possible vulnerabilities of ICQ files opened in IE or OE

["N|ghtHawk" <nighthawk () hackers4hackers nl>]

Tested on
IE 4.0 (4.72.3110.4)
ICQ 2001b #3659

And it did crash my ICQ

But after it I installed the "icq web front Add-on" it didn't crashed
my icq anymore, but just opened the webfront part...

N|ghtHawk

-----Oorspronkelijk bericht-----
Van: silentsupporter () poczta onet pl <silentsupporter () poczta onet pl>
Aan: bugtraq () securityfocus com <bugtraq () securityfocus com>
Datum: dinsdag 16 april 2002 0:05
Onderwerp: Possible vulnerabilities of ICQ files opened in IE or OE




Hello everybody,

Sorry for my lingo, but I had to learn it in a huge pain.
However, if you don't like or cannot understand it, try
to learn polish instead [gotcha =o)]

Maybe it's an old topic, but maybe not.

While playing with ICQ i have found that the program
registers for its own use files with .uin extension. Of
course it's not a big deal, but what's really interesting,
is about to be described in a moment.

.uin files may be opened from any homepage and
Internet Explorer does not ask for confirmation while
opening them.
After I had found it out,  the next idea was to:
-check other file extensions in Registry that are
registered by ICQ
-test if the browser opens them in the same way as
above

ICQ registers the following extensions in Registry
- .pnq - ICQ Plugin
- .scm - ICQ Sound Scheme
- .uin - ICQ User
- .hpf - ICQ Home Page Factory

What I did was very trivial. I created some test files
and then I clicked them one by one in Windows
Explorer. The prize was waiting with a .hpf extension.
A simple file with few lines of text inside, when
clicked, it killed my ICQ at once.
So, the next step was to check if it works from the
Internet. It did, aussi.

I am too busy at the moment to play with a debugger
and look further for real exploits, but i bet it is
possible to find some, because according to the way
it worked while i've been testing, ICQ does not check
the content of the files before usage. I bet that some
vulnerable code should be really easy to create.

Conclusion:
The first impression is that it may be used to kill ICQ
only, but i bet that running specific code would be
possible too. If you remember that it may be opened
through Internet Explorer without notice, a lot of
possible scenarios come to mind at once - does
attachement for OE sound familiar =o)? It works.
Worms may use it easily.

To test what was described above:
- run ICQ
- go to my home page and open this link
http://sztolnia.pl/hack/icqkiller/icqkiller.hpf
it contains only few lines of text

Tested on
IE 6.0
ICQ 2002a #3722

Off-topic:
As this is my first post to bugtraq i want to introduce
myself in just a second. My name is Adam
Blaszczyk, I am the author of two books about
computer viruses and malware published in 1998
and 2001 and around 20 articles about security and
malware, published in leading computer magazines
in Poland. I love my wife Ka Kee and i wait
impatiently till she come to me from Hong Kong in
June, 2002. I mention here cuz ... I miss her like hell,
hope you don't mind guys =o)

Adam Blaszczyk
silentsupporter_poczta_onet_pl