ICQ remote buffer overflow vulnerability

[Daniel Tan <datan () seas upenn edu>]

(I posted this to the bugtraq mailing list yesterday, but for some
reason, it didn't get through)

This is very similar to the AIM overflow recently discovered.
ICQ protocol uses the same TLV (2711) packet and there is a similar 
weakness in the parsing of the packet.

The details of this vulnerability will not be released until a 
further time (when a patch has been implemented, probably). ICQ2000 
clients are vulnerable. ICQ2001 clients do not appear to be 
vulnerable under default setup conditions. (AOL was notified of 
this vulnerabilty yesterday. So far, I've received two automated emails).

Execution of arbitary code is possible since EAX/EBX point to within
the payload. 

Other than through the server, the same payload can be sent through 
Direct Connection with the receiver, even with the DC settings set to 
maximum (ie. allow only users on my contact list, allow DC 
upon authorisation, do not allow older version of clients to DC).
If the sender is 'trusted' (ie. on the users' contact list), the
sender can establish a TCP connection with the users' listening
port even if DC settings are on maximum (in which case the 
receiver's IP & port are not given to the sender, but one can
find this out in other ways eg. email header + port scan).

Whereas having the payload sent through the server allows a 
possible remedy in having the server check for malformed packets, 
being able to send the packet directly to the client takes away
that possibility. Until AOL announces a patch/workaround, it is 
highly recommended to restrict receiving of events (other than 
normal messages) to contacts you know.



-------------
Daniel Tan
Class of 2004
Jerome Fisher Management & Technology Program
University of Pennsylvania, USA
datan () seas upenn edu
datan () wharton upenn edu
-------------