nullsec-icq-02.txt
===============================================================================
                             nullsecurity team
                          PUBLIC SECURITY ADVISORY
===============================================================================
TITLE
=====
ICQ - Remote Denial of Service Vulnerability (MUIMessage.dll)
AUTHOR
======
noptrix
DATE
====
07-28-2011
VENDOR
======
ICQ - http://www.icq.com/
AFFECTED PRODUCT
================
ICQ Client in version <= 7.5
AFFECTED PLATFORMS
==================
Windows XP, Vista, 7
VULNERABILITY CLASS
===================
Remote Denial of Service
DESCRIPTION
===========
ICQ suffers from a remote Denial of Service vulnerability due to a lack of input
validation and output sanitization, and incorrect filetype and filename handling
over file transfers.
PROOF OF CONCEPT
================
The following file and payload can be used to trigger the described
vulnerability (send to victim as file):
--- SNIP ---
sh3ll$ echo "0" > \<iframe src\=\"icq.com\"\ onload\=alert\('0x90'\)\>.rtf
--- SNIP ---
Now, an attacker only needs to send this file to the victim. It will crash the
ICQ client of the victim whenever the attacker cancels the file transfer.
Afterwards, whenever the victim tries to send a message to the attacker, the
client will crash after a few seconds...
So this could be a "Cross-Site Scripting leading to Denial of Service"? :)
For a PoC demonstration see:
[+] http://www.youtube.com/watch?v=7I1JNUWLeec
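The root cause named above is that a peer-supplied filename reaches the client's
message rendering without validation or escaping. The following is an added
example (not code from the advisory or from ICQ) of the two checks a client
should apply to an incoming transfer request: an allow-list on the filename and
permitted extensions before the request is accepted, and HTML escaping of the
name before it is shown in any status message (accept, progress, cancel). The
allow-list regex, the `allowed_ext` tuple and the function names are assumptions
chosen for the example; the sample filename is the one from the PoC above.

```python
import html
import os
import re

# Assumption for this example: a conservative allow-list for filenames that an
# IM client will display. Markup metacharacters (< > " ' & / \) are excluded
# outright, so a name like the PoC's can never reach the renderer unescaped.
SAFE_FILENAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}$')

# Assumption: file types the client is willing to receive at all.
DEFAULT_ALLOWED_EXT = ('.rtf', '.txt', '.png', '.jpg')


def is_safe_filename(name: str) -> bool:
    """Input validation: reject any filename outside the allow-list."""
    return SAFE_FILENAME.fullmatch(name) is not None


def display_name(name: str) -> str:
    """Output sanitization: escape the name before it goes into a rendered
    message. Applied even when validation already passed (defence in depth)."""
    return html.escape(name, quote=True)


def accept_transfer(name: str, allowed_ext=DEFAULT_ALLOWED_EXT) -> dict:
    """Decide how an incoming file-transfer request is handled.

    Returns a dict with 'accepted', a human-readable 'reason', and the escaped
    'display' string that the UI may safely show in any transfer status line.
    """
    shown = display_name(name)
    if not is_safe_filename(name):
        return {'accepted': False,
                'reason': 'filename contains disallowed characters',
                'display': shown}
    _, ext = os.path.splitext(name)
    if ext.lower() not in allowed_ext:
        return {'accepted': False,
                'reason': 'file type not permitted',
                'display': shown}
    return {'accepted': True, 'reason': '', 'display': shown}


def transfer_status_line(name: str, event: str) -> str:
    """Build the text for a status message (e.g. the 'cancelled' notification
    that triggered the crash in the advisory) from an already escaped name."""
    return f"File transfer of '{display_name(name)}' {event}"


if __name__ == '__main__':
    # Constructed sample requests: the PoC filename from the advisory, a benign
    # name, and a benign name with a type the client does not accept.
    samples = [
        '<iframe src="icq.com" onload=alert(\'0x90\')>.rtf',
        'meeting-notes.rtf',
        'setup.exe',
    ]
    for sample in samples:
        verdict = accept_transfer(sample)
        print(verdict)
        print(transfer_status_line(sample, 'was cancelled by the sender'))
```

Note that the escaped `display` string is computed before the verdict so that
even a rejection notice shows the name safely; a client that validates but then
echoes the raw name into its rejection or cancellation message would reintroduce
the same bug.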
IMPACT
======
An attacker could trivially crash the ICQ clients of remote users without any
victim interaction.
THREAT LEVEL
============
Medium
STATUS
======
Fixed.
DISCLAIMER
==========
nullsecurity.net hereby emphasizes that the information published here is for
education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misuse!
Copyright (c) 2011 - nullsecurity.net