COMMAND

    ICQ (and mIRC)

SYSTEMS AFFECTED

    Win 9x, NT with ICQ 98a (others?)

PROBLEM

    Justin Clift found a  flaw in ICQ.   It's a very simple  flaw.  At
    present only the Win32 ICQ 98a  1.30 version was tested.  Here  is
    how it works.

    When a person is sending a file to another user on ICQ, the person
    receiving the file has a window pop up which shows the filename, a
    description entered by the sender, and options of where to save or
    not save etc.  Justin found there isn't a check on the length of
    the filename being sent.  The pane in the pop-up window displays
    as much of the filename as fits, and if the filename is longer
    than the pane, the remainder is simply not displayed.  Therefore
    a simple attack is possible: sending a file named (for example)

        "leah2.jpg
        .exe"

    will display "leah2.jpg" to the receiving user, who will only see
    "leah2.jpg" in the pop-up window and assume it is, for example, a
    harmless picture file rather than executable code.  This is very bad
    considering ICQ  has the  option of  'OPEN'ing the  file once  the
    transfer is completed.   Many people do  this to have  the picture
    displayed to them (by the program associated with the  extension).
    In  the  case  of  this  exploit,  the executable code will be run
    instead of the program the victim is expecting.  A craftily  coded
    program would be able to do  both so as to avoid suspicion  on the
    part of the victim.

    You can also do this in the popular mIRC IRC client, although it
    has no "Open" option, so there is less chance of the person running
    it; however, in Explorer

        mypic..bmp
        .exe

    looks like a .bmp; the .exe is hard to see in some view modes, and
    if you opened the .exe file in Borland's resource editor (or any
    similar editor) and changed the exe's icon to that of mspaint.exe,
    a person (sometimes even an advanced user) will double-click anyway
    without seeing the far-off .exe portion of the filename...  Also,
    if they look in their status window they may discover the .exe,
    although if you use a special DOS program to write files with
    names that aren't normally allowed (with mIRC's CTRL-K color code)
    you could make the .exe part invisible in the status window...
    using CTRL+K0 for white text, since most people use the default
    white text background on the status window.
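    Both the ICQ case and the mIRC/Explorer variant above work because
    the receiving client shows the user a name that is either cut off
    by the pane or split by a control character, and then offers to
    open the file anyway.  The check below is added here as an
    illustration of what the receiving client could have done before
    offering "Open"; it is not code from the advisory, from Mirabilis
    or from mIRC.  It recovers the true (last) extension, compares it
    with the extension that would be visible in a dialog pane (the
    32-character pane width is an assumption, the advisory gives no
    figure), and flags control characters, whitespace padding and
    benign-looking double extensions.  The extension lists are
    constructed for the example and are not exhaustive.

```python
import re

# Constructed, illustrative lists for this example (not from the advisory).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}
BENIGN_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "png", "txt"}

# Last dotted extension, allowing trailing whitespace after it.
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)\s*$")
# Any ASCII control character (newline, carriage return, colour codes, ...).
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def extension_of(text: str) -> str:
    """Lower-cased last extension of `text`, or '' if it has none."""
    m = _EXT_RE.search(text)
    return m.group(1).lower() if m else ""


def analyze_filename(filename: str, pane_width: int = 32) -> dict:
    """Report ways in which a received file name could mislead the user.

    pane_width is the assumed number of characters the transfer dialog
    can display on one line (a placeholder; the advisory gives no value).
    """
    findings = []

    # 1. Control characters have no place in a file name; a newline or a
    #    colour code can split or hide part of it in a text pane.
    ctrl = _CTRL_RE.search(filename)
    if ctrl:
        findings.append("control-character")

    # 2. Long runs of whitespace push the real extension out of view.
    if re.search(r"\s{3,}", filename):
        findings.append("whitespace-padding")

    # 3. The whole name does not fit in the dialog pane.
    if len(filename) > pane_width:
        findings.append("exceeds-pane")

    # What the user would see: the text before the first control
    # character, cut to the pane width.  What the OS would act on: the
    # full name with control characters removed.
    first_line = filename[: ctrl.start()] if ctrl else filename
    shown_ext = extension_of(first_line[:pane_width])
    cleaned = _CTRL_RE.sub("", filename)
    true_ext = extension_of(cleaned)
    executable = true_ext in EXECUTABLE_EXTENSIONS

    # 4. The visible extension differs from the one that will actually run.
    if executable and shown_ext != true_ext:
        findings.append("hidden-executable-extension")

    # 5. A benign-looking extension followed by an executable one.
    parts = [p.strip().lower() for p in cleaned.split(".")]
    if (len(parts) > 2 and parts[-1] in EXECUTABLE_EXTENSIONS
            and any(p in BENIGN_EXTENSIONS for p in parts[1:-1])):
        findings.append("double-extension")

    return {
        "true_extension": true_ext,
        "shown_extension": shown_ext,
        "executable": executable,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample names modelled on the advisory's examples.
    for name in ("leah2.jpg" + " " * 40 + ".exe", "leah2.jpg\n.exe",
                 "mypic..bmp" + " " * 30 + ".exe", "holiday.jpg", "setup.exe"):
        print(repr(name[:20]), analyze_filename(name))
```

    A client using this check would refuse the "Open" shortcut (or at
    least show the full, cleaned name and the true extension) whenever
    `findings` is non-empty; an honest `setup.exe` is reported as
    executable but produces no findings, so the check does not block
    legitimate transfers, it only removes the disguise.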

SOLUTION

    Mirabilis was notified and they have totally failed to respond.