100410 2003-05-05 23:03 /310 rader/ CORE Security Technologies Advisories <advisories@coresecurity.com>
Importerad: 2003-05-05 23:03 av Brevbäraren
Extern mottagare: Bugtraq <bugtraq@securityfocus.com>
Extern mottagare: Vulnwatch <vulnwatch@vulnwatch.org>
Mottagare: Bugtraq (import) <4785>
Ärende: CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client
------------------------------------------------------------
Core Security Technologies Advisory
http://www.coresecurity.com
Multiple Vulnerabilities in Mirabilis ICQ client
Date Published: 2003-05-05
Last Update: 2003-05-02
Advisory ID: CORE-2003-0303
Bugtraq IDs: 7461, 7462, 7463, 7464, 7465, 7466
CVE Names: CAN-2003-0235, CAN-2003-0236, CAN-2003-0237,
CAN-2003-0238, CAN-2003-0239
Title: Multiple Vulnerabilities in Mirabilis ICQ Pro 2003a client
Class: Remote Code Execution;
Denial of Service;
Boundary Error Condition (Buffer Overflow);
Design/implementation error.
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10
Vendors contacted:
- Mirabilis
We sent notifications mails to the following addresses:
security@icq.com, secure@icq.com, webmaster@icq.com,
support@icq.com, several times during March and April (2003-03-11,
2003-03-24, 2003-04-11) and never received an answer from Mirabilis.
Release Mode: USER RELEASE
*Vulnerability Description:*
Mirabilis ICQ client is a popular program that enables users to
communicate through instant messaging, chat, sending emails, SMS and
wireless-pager messages, as well as transfering files and URLs.
The ICQ client offers other client services, for more information
about ICQ see: http://www.icq.com/products/whatisicq.html
Six security vulnerabilities were found that could lead to various
forms of exploitation ranging from denying users the ability to use
ICQ services to execution of arbitrary commands on vulnerable
systems. The following vulnerabilities were found:
[BID 7461, CAN-2003-0235] POP3 Client Format String in UIDL Field:
ICQ provides an integrated POP3 client vulnerable to a format
string attack in the UIDL command server response string (the
unique-id of a message). This vulnerability can be successfully
exploited by an attacker able to impersonate the POP3 server.
[BID 7462, CAN-2003-0236] "Subject" signed overflow in POP3 Client:
ICQ provides an integrated POP3 client vulnerable to a 16bit sign
overflow in the "Subject" field of e-mail headers. An attacker may
be able to execute arbitrary commands by sending a malformed e-mail
header to a vulnerable client.
[BID 7463, CAN-2003-0236] "Date" signed overflow in POP3 Client:
ICQ provides an integrated POP3 client vulnerable to a 16bit sign
overflow in the "Date" field of e-mail headers. An attacker may be
able to execute arbitrary commands by sending a malformed e-mail
header to a vulnerable client.
[BID 7464, CAN-2003-0237] ICQ Features on Demand spoofing attack:
ICQ provides a semi-automated functionality for upgrading client
services (i.e.: ICQ Phone, ICQ Web Search, etc) called "ICQ
Features on Demand" vulnerable to a spoofing attack due to
hard-coded information and lack of authentication signatures. By
taking advantage of this vulnerability, an attacker will be able to
install malicious software that could lead to execution of
arbitrary commands as well as other important security breaches.
[BID 7465, CAN-2003-0238] Message advertisements denial of service
attack: ICQ displays advertisements inside a message window (called
'Message Session') by using a proprietary HTML parsing/rendering
library vulnerable to malformed tags input. By impersonating the
static ADS server, an attacker may send malformed HTML code to the
ADS rendering window freezing the ICQ interface and using 100% CPU.
[BID 7466, CAN-2003-0239] Input validation error in ICQ's GIF
parsing/rendering library: ICQ implements its own image
parsing/rendering library (found in 'icqateimg32.dll') vulnerable
to an input validation error, causing a denial of service. The
problem is triggered while parsing GIF89a headers.
*Vulnerable Packages:*
Mirabilis ICQ Pro 2003a and previous versions.
*Credits:*
These vulnerabilities were found by Lucas Lavarello, Daniel
Benmergui, Norberto Kueffner and Fernando Russ from Core Security
Technologies during Bugweek 2003 (March 3-7, 2003).
*Technical Description*
[BID 7461, CAN-2003-0235]
POP3 Client Format String in UIDL Field
ICQ's integrated POP3 client is a COM object found inside POP3.dll.
The client is vulnerable to a format string attack in the UIDL
command server response string (the unique-id of a message) :
"The unique-id of a message is an arbitrary server-determined
string, consisting of one to 70 characters in the range 0x21 to
0x7E, which uniquely identifies a message within a maildrop and
which persists across sessions" as described in RFC 1939 (found in
http://www.ietf.org/rfc/rfc1939.txt).
By the insertion of format strings as part of a UIDL response
message, the POP3 client can be forced to execute arbitrary
commands.
[BID 7462, CAN-2003-0236]
"Subject" signed overflow in POP3 Client
ICQ's integrated POP3 client is a COM object found inside POP3.dll.
The client is vulnerable to a sign overflow attack in the "Subject"
field of e-mail headers.
The length of the "Subject" field is stored in a 16 bit (short)
signed integer, allowing an attacker to send a malicious e-mail
along with a long "Subject" field of around 33k octets overflowing
the sign of the variable and causing a negative value.
This attack results in the client throwing a self unhandled
exception, crashing the client.
[BID 7463, CAN-2003-0236]
"Date" signed overflow in POP3 Client
ICQ's integrated POP3 client is a COM object found inside POP3.dll.
The client is vulnerable to a sign overflow attack in the "Date"
field of e-mail headers.
The length of the "Date" field is stored in a 16 bit (short) signed
integer, allowing an attacker to send a malicious e-mail along with
a long "Date" field of around 32k octets overflowing the sign of
the variable and causing a negative value.
This attack results in the client throwing a handled exception,
instantly closing the client.
[BID 7464, CAN-2003-0237]
ICQ Features on Demand spoofing attack
The URL from where the requested 'Features on Demand' are
downloaded is hard-coded inside a file called "Packages.ini" found
inside the subdirectory "\DataFiles" in ICQ's default installation
path. The value named "DataURL" which belongs to the section
"[General]" holds a static address from where the client will
download user requested packages.
An attack is possible due to the lack of authentication methods
applied to new downloaded packages. An attacker will be able to
impersonate the 'package repository service' by spoofing the
hard-coded address, being able to install malicious software that
could lead to the execution of arbitrary commands as well as other
important security breaches.
[BID 7465, CAN-2003-0238]
Message advertisements denial of service attack
The URL from where the HTML ads are downloaded has the following
format:
"http://web.icq.com/client/ate/ad-handler/ad_468/0,,[RANDOM],00.htm"
Being [RANDOM] a signed 16 bit random number. Note that the ","
characters don't get encoded in their respective US-ASCII escape
encoding.
The HTTP request follows certain rules:
- It is an HTTP/1.0 request
- The request has a "Refer:" to itself
- The "User-Agent:" is "Mozilla/4.08 [en] (WinNT; U; Nav)"
- The "Accept:" header must be "*/*"
The HTML parsing/rendering library is vulnerable to erroneous
attributes specified in the <table> tag. By specifying a "width"
attribute of value "-1", the library will use 100% CPU, freezing the
ICQ interface.
The attack is possible due to the lack of authentication methods
applied to requests. An attacker will be able to impersonate the
"ADS server" by spoofing the semi hard-coded address, being able to
deny to users the usage of ICQ services.
[BID 7466, CAN-2003-0239]
Input validation error in ICQ's GIF parsing/rendering library
While parsing GIF89a header files, ICQ's GIF parsing/rendering
library expects either an existing GCT (Global Color Table) or an
LCT (Local Color Table) after an "Image Descriptor". When none of
these color tables exist, the library will malfunction leading to a
denial of service.
The GIF89a file format has a section called "Logical Screen
Descriptor": (from GIF89a specification, which can be found at
ftp://ftp.ncsa.uiuc.edu/misc/file.formats/graphics.formats/gif89a.doc)
7 6 5 4 3 2 1 0 Field Name Type
+---------------+
0 | | Logical Screen Width Unsigned
+- -+
1 | |
+---------------+
2 | | Logical Screen Height Unsigned
+- -+
3 | |
+---------------+
4 | | | | | <Packed Fields> See below
+---------------+
5 | | Background Color Index Byte
+---------------+
6 | | Pixel Aspect Ratio Byte
+---------------+
<Packed Fields> = Global Color Table Flag 1 Bit
Color Resolution 3 Bits
Sort Flag 1 Bit
Size of Global Color Table 3 Bits
This section describes the screen size, the pixel aspect ratio,
background color index, etc, and a set of fields (<Packed Fields>)
which has the "Global Color Table Flag" bit indicating the presence
of a Global Color Table; if the flag is set, the Global Color Table
will immediately follow the "Logical Screen Descriptor", this flag
also selects the interpretation of the "Background Color Index"; if
the flag is set, the value of the "Background Color Index" field
should be used as the table index of the background color.
After the "Logical Screen Descriptor" or (if present) the "Global
Color Table", there is an "Image Descriptor" per image compressed
inside the GIF file with the following format:
7 6 5 4 3 2 1 0 Field Name Type
+---------------+
0 | | Image Separator Byte
+---------------+
1 | | Image Left Position Unsigned
+- -+
2 | |
+---------------+
3 | | Image Top Position Unsigned
+- -+
4 | |
+---------------+
5 | | Image Width Unsigned
+- -+
6 | |
+---------------+
7 | | Image Height Unsigned
+- -+
8 | |
+---------------+
9 | | | | | | <Packed Fields> See below
+---------------+
<Packed Fields> = Local Color Table Flag 1 Bit
Interlace Flag 1 Bit
Sort Flag 1 Bit
Reserved 2 Bits
Size of Local Color Table 3 Bits
(From GIF89a specification)
The set of fields (<Packed Fields>) found in an "Image Descriptor"
include a "Local Color Table Flag" bit indicating the presence of a
Local Color Table; if the flag is set, the Local Color Table will
immediately follow the "Image Descriptor".
*About Core Security Technologies*
Core Security Technologies develops strategic security solutions
for Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets. Headquartered in Boston, MA, Core Security Technologies
can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com. To learn more about CORE IMPACT, the
first comprehensive penetration testing framework, visit
http://www.coresecurity.com/products/coreimpact
*DISCLAIMER*
The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.
$Id: ICQ-advisory.txt,v 1.5 2003/05/03 00:17:15 carlos Exp $
(100410) /CORE Security Technologies Advisories <advisories@coresecurity.com>/(Ombruten)