SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Instant Messaging/IRC/Chat)  >   ICQ Vendors:   ICQ Inc.
ICQ Bug May Let Remote Users Inject and Execute Scripting Code
SecurityTracker Alert ID:  1016045
SecurityTracker URL:  http://securitytracker.com/id/1016045
CVE Reference:   CVE-2006-2303   (Links to External Site)
Updated:  Dec 5 2009
Original Entry Date:  May 9 2006
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 5.04 build 2321 and prior versions
Description:   A vulnerability was reported in ICQ. A remote user can inject and execute arbitrary scripting code in the My Computer zone in certain cases.

The ICQ client advertising function displays banner advertisements within an Internet Explorer COM object in some of the window components. Under certain conditions, a remote user can cause arbitrary scripting code to be rendered within that object and executed by the target user's browser in the My Computer security zone.

QQLan reported this vulnerability.

Impact:   A remote user can cause arbitrary scripting code to be executed on the target user's system.
Solution:   No solution was available at the time of this entry.

The report indicates that, as a workaround, you can set 'ar.atwola.com' to the loopback address '127.0.0.1' in the hosts file.

Vendor URL:  www.icq.com/ (Links to External Site)
Cause:   Not specified
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 9 May 2006 14:23:59 +0400
Subject:  [Full-disclosure] ICQ Client Cross-Application Scripting (XAS)



QQLan QQlan@yandex.ru reported vulnerability in multiple versions of ICQ
Inc.'  ICQ instant messenger client in a way it interacts with Microsoft
Internet Explorer.

Author:                 QQlan <QQlan@yandex.ru>
Title:                  ICQ Client Cross-Application Scripting (XAS)
Vendor:                 ICQ Inc.
Application:            ICQ
Versions:               up to and including 5.04 build 2321
Vulnerability class:    man-in-the-middle, against client
Vulnerability type:     cross application scripting (My Computer zone)
Risk level:             low (high, if unsecured shared network is used)

Intro:

ICQ is probably most popular instant messaging application by ICQ Inc.

Description:

Under some conditions, ICQ client is vulnerable to remote script injection into
My Computer Security Zone of Internet Explorer component used to display
advertisement banners.

Detailed description:

<quote src=http://www.security.nnov.ru/Jdocument327.html>
Cross  application  scripting  (XAS)  is  possible  when  an application
executes  data in a security context different from the original content
(presumably  one  with less security restrictions). For example the data
may  be obtained from an un-trusted source (a remote web server) that is
sent  unfiltered  into a trusted application such as when web content is
downloaded  from  a  remote  server,  and then re-displayed on the local
host.  Any  application  that  downloads  and  then  later  displays and
executes web content (such as JavaScript) may be vulnerable to XAS.
</quote>

ICQ Client has very annoying advertising function. Banners are displayed
inside  Internet Explorer COM object embedded into main window, “Welcome
Screen”  and  every  “Message  Session”  dialogs.  Under  some condition
attacker  can  replace  HTML content in this forms with malicious script
which  will  be  executed  in  My  Computer  security  zone  of Internet
Explorer.

Technical information will be published (three months maybe years later)
after vendor provide a patch.

Workaround:

1. Press Ctrl+Shift+Esc
2. In File/Run menu type cmd.exe
3. In cmd.exe console type
echo 127.0.0.1  ar.atwola.com  >> %SystemRoot%\system32\drivers\etc\hosts

Disclosure timeline:

5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

-- 
/3APA3A
http://www.security.nnov.ru/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC