COMMAND

    ICQ

SYSTEMS AFFECTED

    ICQ 200x* up to 2001a Alpha

PROBLEM

    The following is based on Hexyn/Securax Advisory #22.  ICQ is a
    popular and free chat program, with over 108,022,319 users all
    over the world.  When ICQ is installed, it registers a Content-Type
    with Microsoft Internet Exploder, the "application/x-icq" type.  When
    IE receives "Content-Type: application/x-icq" from a web server
    with the following content:

        [ICQ User]
        UIN=<uin>
        Email=
        NickName=
        FirstName=
        LastName=

    where <uin> is an ICQ UIN, IE will automatically download the
    content and make ICQ add the UIN to its contact list.

    When a webmaster creates a page containing the exploit code, he
    will automatically be added to the victim's contact list.  This bug
    can be exploited against almost any program which uses IE to
    display web content.

    The impact can be more serious than that.  Using JavaScript, one
    can easily add hundreds of random users; the victim will then
    have a lot of trouble knowing who was added and who was already on
    his contact list, as they'll be mixed.

    Privacy-wise, that's an easy way for a site to know who the remote
    user is, because of the "you were added" message.  The webmaster
    would have, in most cases, the complete name and e-mail of the
    person who accessed the site, even if the user is behind a proxy
    or firewall.

    It's easy to (ab)use the ICQ web server using search.dll, having
    it send the correct response, using the following HTML code:

        <HTML>
        <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://wwp.icq.com/scripts/search.dll?to=<uin>">
        </HTML>

    The above HTML code will add <uin> to the victim's contact list.
    It works on any page, not only ICQ's.  As a proof-of-concept,
    using one line of Perl, there is the following exploit:

        http://www.molina.com.br/icq.html

    The bottom  line is  to get  the victim  to surf  to the script on
    ICQ's website:

        http://wwp.icq.com/scripts/search.dll?to=<uin>

    where <uin> is the attacker's UIN.  If the HTML code is not
    visible or badly visible, download the text version at:

        http://t-Omicr0n.hexyn.be/Hexyn-sa-22.txt

    This bug was discovered by t-Omicr0n.

    This could also be exploited through HTML using the refresh meta
    tag...  When viewing the originating email of this thread in the
    Eudora 5.0 preview window (while "Microsoft's viewer" [which is
    really just IE] was enabled in the options), the META tag was read
    and executed and the preview window was refreshed to show "[ICQ
    User] UIN= Email= NickName= FirstName= LastName=".

    We suspect this information was displayed rather than executed
    due to the fact that we don't have ICQ installed on this machine,
    and therefore no MIME type exists for such content on this
    machine.  This could be (scarily) used by spammers to track valid
    email addresses.  With a simple program to interface with ICQ or
    an ICQ dummy client (that only listens for "User has added you"
    messages), the spammer would be able to verify the email address
    through the email address listed in the ICQ user's profile.  The
    spammer now also has the user's ICQ number, giving them yet
    another medium to spam over.

SOLUTION

    At this time, no patch from ICQ is available.  Using the Opera
    Internet Browser will fix the problem; other browsers are yet to
    be tested.

    One workaround is through the registry.  Just replace

        My Computer\HKEY_CLASSES_ROOT\icquser\shell\open\command

    with whatever you want.  If you leave it blank, you'll receive a
    warning, and will know someone tried to exploit it.  Using a
    custom program, you can log the UIN.
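    As an added example (not part of the advisory), a minimal replacement
    handler for the icquser open command that parses the [ICQ User] body
    and logs the UIN instead of adding it.  It assumes the registry command
    passes the downloaded file path as its first argument ("%1"); the
    sample body and the log file name are constructed for illustration.

```python
import logging
import re
import sys

# Constructed sample of an application/x-icq body in the format the
# advisory describes (not a real capture).
SAMPLE_BODY = """[ICQ User]
UIN=12345678
Email=
NickName=
FirstName=
LastName=
"""


def parse_icq_user(text):
    """Parse an [ICQ User] body into a dict of fields; None if it is not one."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[icq user]":
        return None
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if not sep:
            return None  # not key=value: refuse rather than guess
        fields[key.strip()] = value.strip()
    return fields


def extract_uin(fields):
    """Return the UIN only if it is plain digits (a real UIN), else None."""
    uin = (fields or {}).get("UIN", "")
    return uin if re.fullmatch(r"[0-9]{1,10}", uin) else None


def log_attempt(text, log=logging.getLogger("icq-handler")):
    """Log the add attempt instead of performing it; return the UIN or None."""
    uin = extract_uin(parse_icq_user(text))
    if uin is None:
        log.warning("received application/x-icq content that does not parse")
    else:
        log.warning("blocked attempt to add UIN %s to the contact list", uin)
    return uin


if __name__ == "__main__":
    # Assumed handler convention: the downloaded .uin file arrives as argv[1].
    logging.basicConfig(filename="icq-adds.log", level=logging.WARNING,
                        format="%(asctime)s %(message)s")
    with open(sys.argv[1], encoding="latin-1") as fh:
        log_attempt(fh.read())
```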