- Date: Sat, 2 Jan 1999 06:15:04 -0500
- From: Locke Nash Cole <loki@LNETI.COM>
- To: BUGTRAQ@netspace.org
- Subject: Re: Win32 ICQ 98a flaw
-
-
- You can also do this in the popular mIRC IRC Client, although it has no "Open"
- option so there is less chance of the person running it; however, in
- explorer
-
- "mypic..bmp
- .exe"
- Kinda looks like a bmp; the .exe is hard to see in some view modes, and if
- you opened the .exe file up in Borland's resource editor (or any similar
- editor) and changed the exe file's icon to that of mspaint.exe a person
- (sometimes even an advanced user) will double click anyway without seeing
- the far-off .exe portion of the filename..
-
- Also if they look in their status window they may discover the .exe, although
- if you use a special DOS program to write files to filenames that aren't
- normally allowed (with mIRC's CTRL-K color code) you could make the .exe
- part invisible in the status window...
- using CTRL+K0 for white text, and most people use the default white text
- background on the status window.
-
-
- I'm sure Eudora/Outlook Express could easily fool a user also into doing the
- same thing..
-
- ----- Original Message -----
- From: Justin Clift <vapour@DIGITALDISTRIBUTION.COM>
- To: <BUGTRAQ@NETSPACE.ORG>
- Sent: Thursday, December 31, 1998 10:20 PM
- Subject: Win32 ICQ 98a flaw
-
-
- >Hello everyone,
- >
- >A while ago I found a flaw in ICQ which I believe to be fairly serious and
- >asked whom to notify. Thanks for everyone's assistance in this. :-)
- >
- >I notified Mirabilis and they have totally failed to respond (I've waited
- >about 2 weeks), so I'll now submit it here.
- >
- >It's a very simple flaw. At present I've only tested on the Win32 ICQ 98a
- >1.30 version, and have not tested on ICQ99 nor on other platforms.
- >
- >Here is how it works : When a person is sending a file to another user on
- >ICQ, the person receiving the file has a window pop up which shows the
- >filename, a description entered by the sender, and options of where to save
- >or not save etc.
- >
- >I've found there isn't a check on the length of the filename being sent.
- >The pane in the pop-up window will display as much of the filename as it
- >can, and if the filename is longer than the pane, the ending remainder won't
- >be displayed.
- >
- >Therefore a simple attack is possible, sending a file named (for example) :
- >
- >"leah2.jpg
- >.exe"
- >
- >will display leah2.jpg to the receiving user who will only see "leah2.jpg"
- >in the pop-up window and assume it is a harmless picture file for example,
- >not executable code.
- >
- >This is very bad considering ICQ has the option of 'OPEN'ing the file once
- >the transfer is completed. Many people do this to have the picture
- >displayed to them (by the program associated with the extension). In the
- >case of this exploit, the executable code will be run instead of the program
- >the victim is expecting. A craftily coded program would be able to do both
- >so as to avoid suspicion on the part of the victim.
- >
- >One thing I have noted in testing is that on one person's system running
- >Win95 this did not work. His computer renamed the file to .zip on receiving
- >which stopped the file executing. I don't know why and as far as I have
- >been able to find out (I haven't had physical access to his PC) this is due
- >to his personal configuration and is not the norm.
- >
- >One additional thing should be considered also, and I don't yet have the time
- >and ability to do so; is a buffer overflow exploit present here or in other
- >versions which allows remote automatic code execution? This depends on the
- >program and the protocol, of course. It could be *very* bad.
- >
- >Regards and best wishes,
- >
- >+ Justin Clift
- >Digital Distribution
- >www.digitaldistribution.com
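- 
- [Editor's note: the following is an added illustration, not code from either
- poster.] A receiving client (or a mail gateway in front of Eudora/Outlook
- Express) can decide whether a transfer's filename is deceptive before it
- offers an "Open" button. The Python below models the two tricks in this
- thread: the ICQ pane that shows only the first line of the name, truncated to
- its width, and mIRC text hidden by a Ctrl-K white-on-white colour code. It
- also covers the general case the original post implies but does not spell
- out: plain space padding with no control characters at all. The 20-character
- pane width, the executable-extension list and the sample filenames are
- assumptions made for the example.

```python
import re

# Extensions Windows runs when a received file is "Open"ed. Illustrative subset
# (assumption); a hardened client would use an allowlist of safe types instead.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "lnk", "hta"}

# Any C0 control character (line breaks, mIRC Ctrl-K colour 0x03, bold 0x02, ...)
# has no business in a filename offered over a file-transfer protocol.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# A line break ends what a single-line pane shows (the ICQ behaviour described).
_LINE_BREAK_RE = re.compile(r"[\r\n]")
# mIRC Ctrl-K with foreground colour 0 or 00 (white): text after it is invisible
# on the default white status-window background. Colours 01..15 do not match.
_WHITE_FG_RE = re.compile(r"\x030{1,2}(?!\d)")


def real_extension(name):
    """Extension the OS acts on: text after the LAST dot, with control
    characters and surrounding whitespace removed, lowercased."""
    base = name.rstrip(" .")  # Win32 drops trailing spaces and dots on create
    if "." not in base:
        return ""
    return _CONTROL_RE.sub("", base.rsplit(".", 1)[1]).strip().lower()


def displayed_name(name, pane_width=20):
    """Model of what the victim sees in a single-line pane of pane_width
    characters: text up to the first line break, nothing after a white-on-white
    colour code, then truncated to the pane (assumed width)."""
    visible = _LINE_BREAK_RE.split(name, maxsplit=1)[0]
    visible = _WHITE_FG_RE.split(visible, maxsplit=1)[0]
    return visible[:pane_width]


def apparent_extension(shown):
    """Extension a user would infer from the visible text (may be empty)."""
    m = re.search(r"\.([A-Za-z0-9]+)\s*$", shown)
    return m.group(1).lower() if m else ""


def analyze_filename(name, pane_width=20):
    """Verdict a hardened client should reach before enabling 'Open'.
    'deceptive' means the file is executable AND something about the name
    keeps the user from seeing that."""
    shown = displayed_name(name, pane_width)
    real = real_extension(name)
    apparent = apparent_extension(shown)
    findings = []
    if _CONTROL_RE.search(name):
        findings.append("control-characters")
    if _LINE_BREAK_RE.search(name):
        findings.append("line-break")
    if _WHITE_FG_RE.search(name):
        findings.append("irc-white-on-white")
    if real and not shown.rstrip().lower().endswith("." + real):
        findings.append("extension-not-visible")
    if real and apparent and apparent != real:
        findings.append("extension-mismatch")
    if real in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
    return {
        "shown": shown,
        "real_extension": real,
        "apparent_extension": apparent,
        "findings": findings,
        "deceptive": "executable" in findings and len(findings) > 1,
    }


if __name__ == "__main__":
    # Constructed sample filenames: the two from the thread, the mIRC colour
    # variant, pure pane-width padding, and two honest names for contrast.
    samples = [
        "leah2.jpg\n.exe",
        "mypic..bmp\n.exe",
        "holiday.jpg\x030.exe",
        "leah2.jpg" + " " * 40 + ".exe",
        "setup.exe",
        "leah2.jpg",
    ]
    for s in samples:
        r = analyze_filename(s)
        print(f"{r['shown']!r:24} real={r['real_extension']:4} "
              f"deceptive={r['deceptive']!s:5} {r['findings']}")
```

- The verdict deliberately keys on the real extension rather than on the
- control characters alone: the padded name with forty spaces contains nothing
- a filename filter would reject, yet it hides ".exe" just as well once the pane
- truncates it, which is the flaw the original post reports. A plain "setup.exe"
- is executable but not deceptive, so a client can still let the user choose.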
-
-