Bugtraq mailing list archives

ICQ Buffer Overflow Exploit


From: d_copley () YAHOO COM (drew copley)
Date: Tue, 11 Jan 2000 10:30:43 -0800


Buffer Overflow in ICQ

OS tested on: Windows 2000
ICQ version: 99b 1.1.1.1

ICQ is a very popular chat client that is affected by an exploitable buffer overflow when it parses a URL sent by another user.
What this means:

* one, arbitrary assembly code can be run on the remote machine. (Therefore, a shell could be spawned, a trojan executed, or perhaps easiest of all the hard drive could be wiped.)

* two, this did not take very long to find, and generally, if there is not bounds checking in one place, then there is not going to be bounds checking in other places as well. While ICQ is not likely to be run on a "hub of commerce" server... it is run on millions of systems, and someone could use a script to spam these millions of systems with such a URL... from there a timed distributed network attack could be launched. (Timed because of the dynamic IPs.)

When sending a URL link through a message in ICQ, it is possible to overflow the buffer and control the instruction execution.

http://www.yahoo.com/sites.asp?\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\!!!!·P
!

The exclamation marks are where EBP is overwritten.

The four characters after that are where EIP is overwritten. This link puts a jump esp into the EIP, bringing the flow of execution back into the buffer to the place right at the end of the URL, after the last NOPs after the EIP.
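The defect the post describes is a URL handler that copies attacker-controlled text into a fixed stack buffer with no length check, so that the copy runs over the saved EBP and return address. The following is an added example, not ICQ's code, showing the bounds-checked form such a handler should take: the destination size is passed explicitly, input that would not fit (or that contains non-URL bytes) is rejected before anything is copied, and the buffer size of 256 is an assumed illustrative figure, not the size ICQ used. The sample input is constructed to resemble the link above (a short prefix followed by a long run of backslashes).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed buffer size; assumed for this example,
 * not taken from ICQ. */
#define URL_BUF_SIZE 256

enum url_status { URL_OK = 0, URL_EMPTY, URL_TOO_LONG, URL_BAD_BYTE };

/* Copy an untrusted URL into a fixed-size buffer.
 * Returns URL_OK and NUL-terminates dst on success. Input that would
 * not fit, or that carries bytes a URL never contains, is refused and
 * dst is left as an empty string; nothing is ever written past dst. */
enum url_status copy_url_bounded(char *dst, size_t dst_size,
                                 const char *src, size_t src_len)
{
    if (dst_size == 0)
        return URL_TOO_LONG;
    dst[0] = '\0';
    if (src_len == 0)
        return URL_EMPTY;
    /* One byte must remain for the terminator. */
    if (src_len >= dst_size)
        return URL_TOO_LONG;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        /* A URL is printable ASCII; control bytes and high-bit bytes
         * have no place in it and are rejected outright. */
        if (c < 0x20 || c > 0x7e)
            return URL_BAD_BYTE;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return URL_OK;
}

/* Build a constructed input shaped like the advisory's link:
 * the 31-byte prefix "http://www.yahoo.com/sites.asp?" followed by
 * pad_len backslashes. Returns the status the bounded copy gives it. */
enum url_status check_padded_url(size_t pad_len)
{
    static const char prefix[] = "http://www.yahoo.com/sites.asp?";
    size_t plen = sizeof prefix - 1;   /* 31 */
    char src[1024];
    char dst[URL_BUF_SIZE];

    if (plen + pad_len + 1 > sizeof src)
        return URL_TOO_LONG;           /* would not even fit the staging buffer */
    memcpy(src, prefix, plen);
    memset(src + plen, '\\', pad_len);
    src[plen + pad_len] = '\0';
    return copy_url_bounded(dst, sizeof dst, src, plen + pad_len);
}

int main(void)
{
    /* 31 + 224 = 255 bytes fits with room for the NUL; 31 + 225 does not. */
    printf("pad 10  -> %d\n", (int)check_padded_url(10));
    printf("pad 224 -> %d\n", (int)check_padded_url(224));
    printf("pad 225 -> %d\n", (int)check_padded_url(225));
    printf("pad 600 -> %d\n", (int)check_padded_url(600));
    return 0;
}
```

The point of passing `dst_size` rather than trusting the caller is that the check lives next to the copy, so a second call site cannot forget it; the post's own observation that a missing check in one place usually means missing checks elsewhere is an argument for this shape.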

Tested on w2k final beta.

So, basically, you just tack the exploit code onto the end of the URL above, and the machine will run it. It should be pretty easy to jump the stack as well.

Some characters are not allowed, making this slightly more difficult. ",", opcode 2C, is not allowed, "]"'s are not allowed, and opcode "01" is not allowed.

Pretty much anything else is.

Explicit example:

You click on someone in your ICQ to send them a message, you cut and paste the above code into the message. When they receive and click on the link to jump to the location, the exploit code tacked onto the end would be executed.

To tack the exploit assembly code on there, write it up, assemble it... get the opcodes, then use something like UltraEdit32 to paste the binary characters onto the end of the URL. Such code may be pieced together from freeware assembly scripts and etc.

Fix: Don't accept communication with people you don't know. Test your software yourself for bugs, especially under Windows where incidents are not likely to quickly end up in CERT or similar places.

Drew

alternative email: osioniusx () XXXXmy-deja com


