COMMAND

    ICQ

SYSTEMS AFFECTED

    ICQ v99b 1.1.1.1

PROBLEM

    Drew Copley found the following.  The OS tested was Windows 2000 and
    ICQ v99b 1.1.1.1.  ICQ is a very popular chat client that is affected
    by an exploitable buffer overflow when it parses a URL sent by
    another user.  What this means:

    * one, arbitrary assembly code can be run on the remote machine.
      (Therefore, a shell could be spawned, a trojan executed, or
      perhaps easiest of all, the hard drive could be wiped.)

    * two, this did not take very long to find, and generally, if
      there is no bounds checking in one place, then there is not
      going to be bounds checking in other places either.  While ICQ
      is not likely to be run on a "hub of commerce" server...  it is
      run on millions of systems, and someone could use a script to
      spam these millions of systems with such a URL...  from there
      a timed distributed network attack could be launched.  (Timed
      because of the dynamic IPs.)

    When sending a URL link through  a message in ICQ, it is  possible
    to overflow the buffer and control the instruction execution.

        http://www.yahoo.com/sites.asp?!!!!P!

    The exclamation marks are where EBP is overwritten.  The four
    characters after that are where EIP is overwritten.  This link
    puts a "jmp esp" into EIP, bringing the flow of execution back
    into the buffer to the place right at the end of the URL, after
    the last NOPs following EIP (tested on the W2K final beta).

    So, basically, you just tack the exploit code onto the end of the
    URL above, and the machine will run it.  It should be pretty easy
    to jump the stack as well.  Some characters are not allowed,
    making this slightly more difficult: "," (opcode 2C) is not
    allowed, "]" is not allowed, and opcode 01 is not allowed.
    Pretty much anything else is.

    An explicit example follows.  You click on someone in your ICQ
    to send them a message, and you cut and paste the above code into
    the message.  When they receive the message and click on the link
    to jump to the location, the exploit code tacked onto the end is
    executed.

    To tack the exploit assembly code on there, write it up, assemble
    it...  get the opcodes, then use something like UltraEdit32 to
    paste the binary characters onto the end of the URL.  Such code
    may be pieced together from freeware assembly scripts and so on.

    However, some people believe that the buffer overflow is in the
    regular text messages, NOT the URL messages.  ICQ usually parses
    and highlights URLs typed into messages.  When sending a really
    long URL in a message with the same version of ICQ under Windows
    98, the client will crash as soon as you click on the URL.  It
    will also die if you open up the message in the history and click
    on the URL.  The overflow doesn't happen just by viewing the
    message - you have to click on the URL.  If that's the case, you
    might just be able to avoid the problem by not clicking on those
    long URLs.

    One way to duplicate the bad behaviour is to:

    - Copy the original URL from the original notice (sites.yahoo etc.)
      to include the binary exclamation marks and all.
    - Download compiled assembly code for a little cube generator
      and open it in UE32.
    - Paste in the URL etc.
    - Copy all of it and paste it into the URL section of ICQ's "send
      a web address".
    - Con your wife into opening the URL.
    - Listen to her bitch at you for crashing her computer.

    Doing this did not execute the binary code that was placed at the
    end of the URL, but it did cause an unwanted, adverse reaction from
    the OS (Windows 98 Release 1) that resulted in a reboot.

    Somehow you can't send normal messages with more than 450
    characters or whatever, but if the message starts with http://www...
    ICQ doesn't seem to check it, and messages with 2000 characters were
    no problem.
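    The C below is an added illustration, not ICQ's code (which is
    closed source) and not from the original report.  It shows the
    defect class the report describes, an unbounded copy of a URL into
    a fixed-size stack buffer, next to a handler that checks the length
    before copying, applies the same limit whether or not the text
    starts with http://, and refuses bytes outside printable ASCII, so
    binary appended to a link is rejected rather than parsed.  The
    buffer size, verdict codes and function names are assumptions made
    for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ICQ's code. URL_BUF is an assumed buffer size. */
#define URL_BUF 256
#define URL_MAX (URL_BUF - 1)     /* longest URL that fits with its NUL */

/* Vulnerable pattern behind the advisory: strcpy() copies until the NUL
 * in the source, not until the end of 'buf'. A URL longer than URL_BUF
 * bytes runs past 'buf' into what sits above it on the stack, the saved
 * EBP and then the return address, which is the EBP/EIP overwrite the
 * report describes. Only called with a short URL here. */
static void open_url_unchecked(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                 /* no bounds check */
    printf("unchecked: opening %s\n", buf);
}

/* Verdicts returned by the hardened validator (assumed codes). */
enum url_verdict {
    URL_OK       =  0,
    URL_NULL     = -1,
    URL_TOO_LONG = -2,
    URL_BAD_BYTE = -3
};

/* Validate before copying: enforce the length limit on every message,
 * including ones that start with "http://", and accept only printable
 * ASCII (0x21..0x7E), so a binary payload appended to the link is
 * refused instead of reaching the copy. */
int url_status(const char *url)
{
    size_t i;
    if (url == NULL)
        return URL_NULL;
    for (i = 0; url[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (i >= URL_MAX)
            return URL_TOO_LONG;      /* would not fit in URL_BUF with NUL */
        if (c < 0x21 || c > 0x7E)
            return URL_BAD_BYTE;      /* control byte, space or high bit */
    }
    return URL_OK;
}

/* Hardened handler: copy into the caller's buffer only after the URL
 * passes url_status() and is known to fit. Returns a url_verdict. */
int open_url_checked(const char *url, char *out, size_t outlen)
{
    int v = url_status(url);
    size_t len;
    if (v != URL_OK)
        return v;
    len = strlen(url);                /* <= URL_MAX after url_status() */
    if (len + 1 > outlen)
        return URL_TOO_LONG;
    memcpy(out, url, len + 1);
    return URL_OK;
}

/* Stand-alone demo with constructed inputs (not the report's link). */
int main(void)
{
    char big[400];
    char out[URL_BUF];
    const char *good = "http://www.yahoo.com/sites.asp";
    const char bad_byte[] = "http://www.yahoo.com/\x01";   /* one control byte */

    memset(big, 'A', sizeof big - 1);     /* over-long URL of 'A's */
    big[sizeof big - 1] = '\0';
    memcpy(big, "http://", 7);            /* starts like a link, still rejected */

    open_url_unchecked(good);             /* benign input only */
    printf("checked good: %d\n", open_url_checked(good, out, sizeof out));
    printf("checked long: %d\n", open_url_checked(big, out, sizeof out));
    printf("checked 0x01: %d\n", open_url_checked(bad_byte, out, sizeof out));
    return 0;
}
```

    The two checks in url_status() map directly onto the report: the
    length test closes the gap where a message beginning with http://
    escaped the 450-character limit, and the printable-ASCII test
    rejects the opcode bytes that would otherwise sit after the link.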

SOLUTION

    Fix: Don't accept communication with people you don't know.  Test
    your software yourself for bugs, especially under Windows, where
    incidents are not likely to quickly end up in CERT or similar
    places.

    There is a much simpler fix available: go into the Preferences
    window, select the Events tab, select the URL setting in the
    "Select Event to Configure" combo box and then select "Auto
    Decline."  This appears to shut down the http event.