May 27th, 2003, 09:02 PM
Vulnerabilities in Mirabilis ICQ Pro 2003a client
Boston-based CoreSecurity discovered 6 vulnerabilities in Mirabilis ICQ Pro 2003. Three of them are related to the POP3 client:
Mirabilis ICQ client is a popular program that enables users to communicate through instant messaging, chat, sending emails, SMS and wireless-pager messages, as well as transferring files and URLs.
The ICQ client offers other client services, for more information about ICQ see: http://www.icq.com/products/whatisicq.html
Six security vulnerabilities were found that could lead to various forms of exploitation ranging from denying users the ability to use ICQ services to execution of arbitrary commands on vulnerable systems.
The following vulnerabilities were found:
[BID 7461, CAN-2003-0235, VU#936164] POP3 Client Format String in UIDL Field:
ICQ provides an integrated POP3 client vulnerable to a format string attack in the UIDL command server response string (the unique-id of a message). This vulnerability can be successfully exploited by an attacker able to impersonate the POP3 server.
[BID 7462, CAN-2003-0236, VU#792988] "Subject" signed overflow in POP3 Client:
ICQ provides an integrated POP3 client vulnerable to a 16-bit sign overflow in the "Subject" field of e-mail headers. An attacker may be able to execute arbitrary commands by sending a malformed e-mail header to a vulnerable client.
[BID 7463, CAN-2003-0236, VU#829860] "Date" signed overflow in POP3 Client:
ICQ provides an integrated POP3 client vulnerable to a 16-bit sign overflow in the "Date" field of e-mail headers. An attacker may be able to execute arbitrary commands by sending a malformed e-mail header to a vulnerable client.
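A defender's sketch of the two POP3 bug classes above (the UIDL format string and the signed 16-bit header-length overflow), added here as an example and not CoreSecurity's or ICQ's code; all function names, buffer sizes and sample values are assumptions. The unique-id is validated against RFC 1939 and only ever passed through a fixed "%s" format, and the header length is kept as an unsigned, full-width value so it cannot wrap negative and slip past a size check.

```c
#include <stdio.h>
#include <string.h>

#define UIDL_MAX 70     /* RFC 1939: a unique-id is 1..70 printable ASCII chars */
#define HDR_BUF  1024   /* hypothetical header buffer size */

/* Accept a UIDL unique-id only if it is 1..70 chars in the range 0x21..0x7E.
 * Returns 1 if acceptable, 0 otherwise. */
int uidl_is_valid(const char *uid) {
    size_t n = strlen(uid);
    if (n == 0 || n > UIDL_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)uid[i];
        if (c < 0x21 || c > 0x7E) return 0;
    }
    return 1;
}

/* Parse a "+OK <msgnum> <unique-id>" UIDL response line into out.
 * The server-supplied id is an argument to a fixed format string, never the
 * format string itself, so "%n" or "%x" in the id are inert text. */
int parse_uidl_line(const char *line, char *out, size_t outsz) {
    unsigned msg;
    char uid[UIDL_MAX + 2];        /* one char over the limit so oversize is seen */
    if (sscanf(line, "+OK %u %71s", &msg, uid) != 2) return -1;
    if (!uidl_is_valid(uid)) return -1;
    snprintf(out, outsz, "msg %u uid %s", msg, uid);
    return 0;
}

/* The sign-overflow pattern: a header length narrowed to a signed 16-bit
 * value wraps negative for lengths >= 32768 (40000 -> -25536) and then passes
 * a "len < HDR_BUF" check; a copy of the real length would overrun the buffer.
 * Returns 1 if the buggy check would accept the length. */
int buggy_header_check(size_t actual_len) {
    short len = (short)actual_len;
    return len < HDR_BUF;
}

/* Hardened: keep the length unsigned and full-width and compare before copying. */
int safe_header_check(size_t actual_len) {
    return actual_len < HDR_BUF;
}
```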
[BID 7464, CAN-2003-0237, VU#367156] ICQ Features on Demand spoofing attack:
ICQ provides a semi-automated functionality for upgrading client services (i.e., ICQ Phone, ICQ Web Search, etc.) called "ICQ Features on Demand" vulnerable to a spoofing attack due to hard-coded information and lack of authentication signatures.
By taking advantage of this vulnerability, an attacker will be able to install malicious software that could lead to execution of arbitrary commands as well as other important security breaches.
[BID 7465, CAN-2003-0238, VU#967316] Message advertisements denial of service attack:
ICQ displays advertisements inside a message window (called 'Message Session') by using a proprietary HTML parsing/rendering library vulnerable to malformed tags input.
By impersonating the static ADS server, an attacker may send malformed HTML code to the ADS rendering window, freezing the ICQ interface and using 100% CPU.
[BID 7466, CAN-2003-0239, VU#680788] Input validation error in ICQ's GIF parsing/rendering library:
ICQ implements its own image parsing/rendering library (found in 'icqateimg32.dll') vulnerable to an input validation error, causing a denial of service. The problem is triggered while parsing GIF89a headers.