Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
There is a remotely exploitable buffer overflow in ICQ. Attackers that
are able to exploit the vulnerability may be able to execute arbitrary
code with the privileges of the victim user. Full details are discussed in
VU#570167. An exploit
is known to exist, but we do not believe it has been distributed in the
wild. We have not seen active scanning for this vulnerability, nor have we
received any reports of this vulnerability being exploited. ICQ is a program for communicating with other users over the Internet.
ICQ is widely used (by over 122 million people according to ICQ Inc, an AOL Time Warner
owned subsidiary). A buffer overflow exists in the ICQ client for
Windows. The buffer overflow occurs during the processing of a Voice Video
& Games feature request message. This message is supposed to be a
request from another ICQ user inviting the victim to participate
interactively with a third-party application. In versions prior to 2001B,
the buffer overflow occurs in code within the ICQ client. In version 2001B
the code containing the buffer overflow was moved to an external plug-in.
Therefore, all versions prior to the latest build of 2001B are
vulnerable. Upon connection to an AOL ICQ server, vulnerable builds of
the 2001B client will be instructed by the server to disable the
vulnerable plug-in. Since versions of the ICQ client prior to 2001B do not
have an external plug-in to disable, they are vulnerable even after
connecting to the server. AOL Time Warner is recommending all users of
vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build #3659. This vulnerability has been assigned the identifier CAN-2002-0028 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0028
A remote attacker can execute arbitrary code with the privileges of the
victim user. All users should upgrade to version 2001B Beta v5.18 Build #3659.
There is currently no patch available for the ICQ plug-in for 2001B
or versions of the ICQ client prior to 2001B. Version 2001B Beta v5.18 Build
#3659's installer will delete the vulnerable plug-in. In
addition, for users who log in to the server with versions of 2001B prior
to Beta v5.18 Build #3659, access to the vulnerable plug-in will be
disabled. Users with versions prior to 2001B must upgrade to mitigate this
vulnerability.
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
a particular vendor is not listed below, we have not received their
comments.Systems Affected
Overview
I. Description
During normal operation, ICQ clients can exchange messages with one
another through the ICQ servers or via a direct connection. The buffer
overflow specifically occurs during the processing of the Voice Video
& Games request via a Type, Length, Value (TLV) tuple with type 0x2711
from the ICQ server, or via a crafted direct connection request.
Some versions of the ICQ client open port 4000/UDP for client-server
communication. Other versions open port 5190/TCP for this communication.
As with the previously reported AIM
vulnerability, AOL has modified the ICQ server infrastructure
to filter malicious messages that attempt to exploit this vulnerability,
preventing it from being exploited through an AOL ICQ server. Exploiting
the vulnerability through other means (man-in-the-middle attacks,
third-party ICQ servers, DNS spoofing, network sniffing, etc.) may still
be possible. Also, since UDP packets can be broadcast on a network, a
malicious TLV packet with a spoofed source IP address may be accepted as a
legitimate server message.
The ICQ client also listens on a variably assigned TCP port for
direct connection requests. A person who wishes to establish a direct
connection can query an ICQ server for the IP address and listening port
of the victim. Versions 2000A and prior accept direct connections from
anyone by default. Later versions of ICQ can be configured to accept
direct connections from anyone. Since ICQ requests can be sent directly
from one client to another, blocking requests through a central server is
not a completely effective solution. The effective solution is to
apply a patch, when available, that fixes the buffer overflow, or upgrade
to 2001B Beta v5.18 Build #3659 with the Voice Video & Games feature
disabled.
II. Impact
III. Solution
Block ICQ/SMS requests at the firewall
Blocking connections to login.icq.com and access to ports 4000/UDP,
5190/TCP and the TCP port that your client chooses to listen on may
prevent exploitation of this vulnerability. Note that the client may
establish a new listening port each time it is run. Note also that this
does not protect you from attacks within the perimeter of your
firewall.
Block untrusted messages
ICQ permits the user to deny direct connections from anyone without
authorization or accept direct connections from known peers only. We
recommend denying direct connections from anyone without authorization. By
accepting direct connections from known peers, you may still be vulnerable
to attacks that originate from known peers if the peer has been
compromised. Appendix A. - Vendor Information
AOL Time Warner
See http://web.icq.com/help/quickhelp/1,,117,00.html
The CERT Coordination Center thanks Daniel Tan and AOL Time Warner for their assistance in discovering and analyzing this vulnerability.
Author: Jason A. Rafail
- http://www.kb.cert.org/vuls/id/570167
- http://www.securityfocus.com/bid/3813
- http://web.icq.com/help/quickhelp/1,,117,00.html
Copyright 2002 Carnegie Mellon University.
Revision History
January 24, 2002: Initial release