COMMAND
ICQ
SYSTEMS AFFECTED
Icq v99b 1.1.1.1
PROBLEM
Drew Copley found following. OS tested was Windows 2000 and ICQ
v99b 1.1.1.1. ICQ is a very popular chat client that is affected
by a exploitable buffer overflow when it parses an URL sent by
another user. What this means:
* one, arbitary assembly code can be run on the remote machine.
(Therefore, a shell could be spawned, a trojan executed, or
perhaps easiest of all the hard drive could be wiped.)
* two, this did not take very long to find, and generally, if
there is not bounds checking in one place, then there is not
going to be bounds checking in other places as well. While ICQ
is not likely to be run on a "hub of commerce" server... it is
run on millions of systems, and someone could use a script to
spam these millions of systems with such an URL... from there
a timed distributed network attack could be launched. (Timed
because of the dynamic IP's).
When sending a URL link through a message in ICQ, it is possible
to overflow the buffer and control the instruction execution.
http://www.yahoo.com/sites.asp?!!!!P!
The exclamation marks are where EBP is overwritten. The four
characters after that are where EIP is overwritten. This link
puts a jump esp into the EIP, bringing the flow of execution back
into the buffer to the place right at the end of the URL, after
the last NOP's after the EIP (tested on w2k final beta).
So, basically, you just tack the exploit code onto the end of the
URL above, and the machine will run it. It should be pretty easy
to jump the stack as well. Some characters are not allowed,
making this slightly more difficult. ",", opcode 2C is not
allowed, "]"'s are not allowed, and opcode "01" is not allowed.
Pretty much anything else is.
Explicit example would be as it follows. You click on someone in
your ICQ to send them a message, you cut and past the above code
into the message. When they receive and click on the link to
jump to the location the exploit code tacked onto the end would
be executed.
To tack the exploit assembly code on there, write it up, asssemble
it... get the opcodes, then use something like UltraEdit32 to
paste the binary characters onto the end of the URL. Such code
may be pieced together from freeware assembly scripts and etc.
However, some people believe that buffer overflow is in the
regular text messages, NOT the URL messages. ICQ usually parses
and highlights URL's typed into messages. When sending a really
long URL in a message with the same version of ICQ under Windows
98 the client will crash as soon as you click on the URL. It
will also die if you open up the message in the history and click
on the URL. The overflow doesn't happen just by viewing the
message - you have to click on the URL. If that's the case, you
might just be able to avoid the problem by not clicking on those
long urls.
One way to duplicate bad behaviour is to:
- Copy the original URL from the original notice (sites.yahoo etc)
to include the binary exclamation marks et. all.
- Downloaded complied assembly code for a little cube generator
and open in UE32.
- Paste in the URL etc.
- Copy all of it and paste it into the URL section of ICQ's send
a web address.
- Con your wife into opening the URL.
- Listen to her bitch at you for crashing her computer.
Doing this did not execute the binary code that was placed at the
end of the URL but did cause an unwanted, adverse reaction from
the OS Win 98 Release1. That resulted in a reboot.
Somehow you cant send normal messages with more than 450
characters or whatever but if you start with http://www... ICQ
doesnt seem to check it and messages with 2000 characters were no
problem.
SOLUTION
Fix: Don't accept communication with people you don't know. Test
your software yourself for bugs, especially under Windows where
incidents are not likely to quickly end up in CERT or similiar
places.
There is a much simpler fix available, go into the Preferences
window, select the Events tab, select the URL setting on the
"Select Event to Configure" combobox and then select "Auto
Decline." This appears to shut down the http event.