Jelmer wrote:

> >>>Outline<<<
>
> <SNIP>
>
> It does in fact allow you to run code of your choosing on a victim's machine
> by creating a specially crafted webpage and sound scheme file.

You're absolutely correct. I can confirm this on:

ICQ: 2000b (The problem goes back 3 years!)
OS: Windows 2000 Professional SP2 (with all hotfixes and Windows updates)
IE: 6.0.2600.0000 (again, with ALL latest fixes/patches and Windows updates)

So what we have here is a rather serious flaw, which affects all versions of ICQ from at least version 2000b onward... and I am told (yeah I know, hearsay) this is working on 2000a as well.

Jelmer's workaround of changing the SCM extension in folder options does appear to do the job, although I recommend unmapping the extension altogether... or turning off scripting entirely, as this is VERY easy to exploit and extremely serious...

-Stan Bubrouski

> >>>Explanation and example<<<
>
> I have created an example exploit on
> http://www.xs4all.nl/~jkuperus/icq/icq.htm
> that starts a little flame program.
>
> It works as follows:
>
> The default action for ICQ sound scheme (scm) files is open; it places the wav
> files included with the scm file in a known location on the hard disk.
>
> flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1].
> The scm file I use creates an auth.wav file.
>
> In reality however this is not a wav file but a mht (mail archive file) with
> an embedded base64 encoded executable.
>
> Then I use one of the many available local code execution vulnerabilities
> found in Internet Explorer recently to execute the embedded binary with this
> URL:
>
> mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.exe
>
> I don't think it's necessary to use one of IE's exploits, as you can also call
> html files in the mht archive, but for some reason I wasn't able to get this
> to work right away.
>
> >>>Workaround<<<
>
> For a short term solution:
>
> Open Explorer (the file manager, not the browser).
> Go to the File Types tab in Tools > Folder Options.
>
> Locate the scm extension and change the default behaviour to prompt before
> download.
>
> In the long term ICQ will have to use something like random folder names for
> sound schemes to prevent this from happening.
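As an added example, not code from either post: a small Python check a defender could run over the files in a sound-scheme folder to spot the trick described above, a ".wav" that is really an MHT archive with a base64-encoded executable inside. All sample inputs are constructed; the part name fire.exe is borrowed from the post.

```python
"""Added example (not from either post): flag a file that claims to be a WAV but is
really an MHT archive carrying a base64-encoded executable. Samples are constructed."""
import base64
import email
from email import policy

def looks_like_wav(data: bytes) -> bool:
    # A genuine RIFF WAVE file starts with "RIFF", a 4-byte size, then "WAVE".
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"

def find_embedded_executables(data: bytes) -> list:
    """Parse data as a MIME/MHT message and return the file names (or content
    types) of parts whose decoded body starts with the DOS/PE "MZ" magic."""
    if b"Content-Type:" not in data[:4096]:
        return []  # no MIME header block, so not an MHT archive
    msg = email.message_from_bytes(data, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 for us
        if body[:2] == b"MZ":
            hits.append(part.get_filename() or part.get_content_type())
    return hits

def classify(data: bytes) -> str:
    """Return 'wav', 'mht-with-executable', 'mht' or 'unknown'."""
    if looks_like_wav(data):
        return "wav"
    if find_embedded_executables(data):
        return "mht-with-executable"
    if b"Content-Type:" in data[:4096]:
        return "mht"
    return "unknown"

# Constructed samples: a minimal real WAV header, and an MHT that smuggles a
# fake "executable" (just the MZ magic plus padding, not a real program).
GOOD_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 28
FAKE_EXE = b"MZ" + b"\x90" * 62
BAD_MHT = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="B"\r\n\r\n'
    b"--B\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n"
    b'--B\r\nContent-Type: application/octet-stream; name="fire.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(FAKE_EXE) + b"--B--\r\n"
)

if __name__ == "__main__":
    for label, blob in (("Auth.wav (real)", GOOD_WAV), ("Auth.wav (mht)", BAD_MHT)):
        print(label, "->", classify(blob))
```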