Date: Tue, 9 May 2006 14:23:59 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: ICQ Client Cross-Application Scripting (XAS)

QQLan QQlan@...dex.ru reported a vulnerability in multiple versions of ICQ Inc.'s ICQ instant messenger client in the way it interacts with Microsoft Internet Explorer.

Author: QQlan <QQlan@...dex.ru>
Title: ICQ Client Cross-Application Scripting (XAS)
Vendor: ICQ Inc.
Application: ICQ
Versions: up to and including 5.04 build 2321
Vulnerability class: man-in-the-middle, against client
Vulnerability type: cross application scripting (My Computer zone)
Risk level: low (high, if unsecured shared network is used)

Intro:

ICQ is probably the most popular instant messaging application by ICQ Inc.

Description:

Under some conditions, the ICQ client is vulnerable to remote script injection into the My Computer Security Zone of the Internet Explorer component used to display advertisement banners.

Detailed description:

<quote src=http://www.security.nnov.ru/Jdocument327.html>
Cross application scripting (XAS) is possible when an application executes data in a security context different from the original content (presumably one with less security restrictions). For example the data may be obtained from an un-trusted source (a remote web server) that is sent unfiltered into a trusted application such as when web content is downloaded from a remote server, and then re-displayed on the local host. Any application that downloads and then later displays and executes web content (such as JavaScript) may be vulnerable to XAS.
</quote>

The ICQ Client has a very annoying advertising function. Banners are displayed inside an Internet Explorer COM object embedded into the main window, the "Welcome Screen" and every "Message Session" dialog. Under some conditions an attacker can replace the HTML content in these forms with a malicious script which will be executed in the My Computer security zone of Internet Explorer.

Technical information will be published (three months maybe years later) after the vendor provides a patch.

Workaround:

1. Press Ctrl+Shift+Esc
2. In File/Run menu type cmd.exe
3. In cmd.exe console type

   echo 127.0.0.1 ar.atwola.com >> %SystemRoot%\system32\drivers\etc\hosts

Disclosure timeline:

5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

--
/3APA3A
http://www.security.nnov.ru/
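The following check is an added example, not part of the original advisory: it verifies that the workaround's hosts entry is actually in effect, including the case where `echo ... >>` appends to a file whose last line has no trailing newline and the new entry fuses with that line. The sample hosts contents are constructed, the function names are hypothetical, and it assumes the resolver uses the first line that lists the name.

```python
import ipaddress

BANNER_HOST = "ar.atwola.com"  # host named in the advisory's workaround

# Constructed sample hosts files (not taken from a real system).
GOOD = "127.0.0.1 localhost\n127.0.0.1 ar.atwola.com \n"
# Previous last line lacked a newline, so the appended entry fused with it.
FUSED = "127.0.0.1 localhost\n10.0.0.5 fileserver127.0.0.1 ar.atwola.com \n"
# Previous last line was a comment without a newline: entry is commented out.
COMMENTED = "127.0.0.1 localhost\n# local overrides127.0.0.1 ar.atwola.com \n"


def effective_mapping(hosts_text, name=BANNER_HOST):
    """Return the address of the first hosts line that lists `name`, or None."""
    name = name.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or address with no names
        addr, names = fields[0], [f.lower() for f in fields[1:]]
        if name in names:
            return addr
    return None


def workaround_status(hosts_text, name=BANNER_HOST):
    """Classify the entry: 'ok', 'missing', 'malformed' or 'not-loopback'."""
    addr = effective_mapping(hosts_text, name)
    if addr is None:
        return "missing"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    return "ok" if ip.is_loopback else "not-loopback"


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("fused", FUSED), ("commented", COMMENTED)):
        print(label, workaround_status(text))
```

To audit a real machine, pass the contents of `%SystemRoot%\system32\drivers\etc\hosts` to `workaround_status`.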