From: "AreS"
To:
Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
Date: Thursday, 23 August 2001 00:30

Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Topic: ICQ Forced Auto-Add Users
Announced: 2001-08-17
Affects: ICQ 200x* up to 2001a Alpha

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ASSURE YOU THAT THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
ICQ is a popular and free chat program, with over 108,022,319 users all over the world. When ICQ is installed, it registers a Content-Type with Microsoft Internet Exploder, the "application/x-icq" type. When IE receives "Content-Type: application/x-icq" from a web server, followed by content of the form:

[ICQ User]
UIN=
Email=
NickName=
FirstName=
LastName=

*where is an ICQ UIN

IE will automatically download the content and make ICQ add the UIN to its contact list.

II. Impact
**********
When a webmaster creates a page containing the exploit code, he will automatically be added to the victim's contact list. This bug can be exploited against almost any program which uses IE to display web content.

III. Exploit
************
It is easy to (ab)use the ICQ web server using search.dll, having it send the correct response, using the following HTML code:

The above HTML code will add * to the victim's contact list. The bottom line is to get the victim to surf to the script on ICQ's website:

http://wwp.icq.com/scripts/search.dll?to=*

*Where is the attacker's UIN.

If the HTML code is not or badly visible, download the text version at:
http://t-Omicr0n.hexyn.be/Hexyn-sa-22.txt

IV. Solution
************
At this time, no patch from ICQ is available yet. Using the Opera Internet Browser will fix the problem; other browsers are yet to be tested.

V. Credits
**********
Bug discovered by t-Omicr0n

Greets to: f0bic, Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte,...

...and everyone at #securax@irc.hexyn.be

--
t-Omicr0n @ http://t-Omicr0n.hexyn.be
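An added example, not part of the advisory, showing how a proxy or content filter could recognise the response described in section I: it parses the HTTP headers and the [ICQ User] block and flags the combination of the application/x-icq type with a numeric UIN, the condition under which IE hands the content to ICQ. The sample responses and the UIN 12345678 are constructed placeholders.

```python
# Added example (not from the advisory): inspect a raw HTTP response for the
# auto-add trigger: "Content-Type: application/x-icq" plus an "[ICQ User]" body.
# The sample responses below are constructed; UIN 12345678 is a placeholder.
from typing import Optional

ICQ_CONTENT_TYPE = "application/x-icq"

def parse_http_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (lower-cased header dict, body str)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1", errors="replace")

def parse_icq_user_block(body: str) -> Optional[dict]:
    """Parse the INI-style [ICQ User] section ICQ reads; None if absent."""
    fields, in_block, seen = {}, False, False
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_block = line == "[ICQ User]"
            seen = seen or in_block
        elif in_block and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields if seen else None

def inspect_response(raw: bytes) -> dict:
    """Flag a response that would make ICQ auto-add a contact via IE."""
    headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    block = parse_icq_user_block(body)
    uin = block.get("UIN", "") if block else ""
    # Both conditions must hold: IE dispatches on the MIME type, and ICQ needs
    # a numeric UIN to add. A matching type with no [ICQ User] block is benign.
    flagged = ctype == ICQ_CONTENT_TYPE and uin.isdigit()
    return {"flagged": flagged, "content_type": ctype, "uin": uin or None}

# Constructed samples: a forced auto-add response and an ordinary HTML page.
SAMPLE_AUTOADD = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/x-icq\r\n\r\n"
    b"[ICQ User]\r\nUIN=12345678\r\nEmail=\r\nNickName=placeholder\r\n"
    b"FirstName=\r\nLastName=\r\n"
)
SAMPLE_BENIGN = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Running `inspect_response(SAMPLE_AUTOADD)` returns a flagged result carrying the UIN, while the HTML sample and an application/x-icq response without a block are not flagged.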