
Mirabilis ICQ 2002/2003/LITE 4.0/4.1 LONG (DIRECTORY + FILENAME) EXPLOIT




Found this 'bug' about a year and a half ago.

If you drag and drop a folder containing one or more files from your computer
onto the nick of someone in your contact list, it is possible to send a full
directory... The possibility to send a full directory already poses a security
risk in my opinion! (Notice that if you click the nick and then click
"send file", it is only possible to send files, not directories, but by
dragging and dropping a folder with files onto a nick in your contact list it
really is possible.) Your "friend" will receive it and will be able to see
only this:

Incoming files: 1 dir, X files    
(where x is the number of files contained in the folder)


Let's say the folder name is Dir12 and the first filename is ABCD.EXE, and you
don't want your friend to view the .EXE extension (notice: your friend will
see this file being received as DIR12\ABCD.EXE). ICQ seems to leave the final
file extension hidden if you use capital letters (caps lock) and if the
directory name, the '\' separating the dir name from the file name, and the
name of the file without the final extension are together 30-31 chars long.
 
Example:

 DIR12\PHOTOS OF ME AND MY AUNT.EXE 

Your friend will only see this:

DIR12\PHOTOS OF ME AND MY AUNT

You could also reduce the filename and insert another file extension at the
end of the file, for example a .JPG extension.

If you change an executable file's properties such as company name, icon and
description, you can fool even more paranoid users, since they will see
'company name' = JPEG Image and 'description' = 240x230 (dimensions), along
with the default JPEG icon. As the file is inside a folder, it will not show
its final extension, since by default Windows doesn't show extensions for
known file types.

It seems to even bypass the Windows XP SP2 file execution warning message.

Impact: Spoof

Solution: upgrade to the latest ICQ Lite version. ICQ PRO was discontinued and
it is vulnerable to this issue. Notice that enabling Windows Explorer to show
file extensions will not completely solve this issue, since some files, such
as lnk and shs, will continue to keep the extension hidden.

PS: I tested it on ICQ 2003a, 2003b, Lite 4.0 and Lite 4.1 on a Windows XP
machine, but I guess previous ICQ versions are also vulnerable on any other
Windows version.
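
Added example, not part of the original post: a receiver-side check, in
Python, that flags incoming transfer names of the kind described above. The
30-character display width is modelled from the post's 30-31 character
observation; the extension lists and the function names are assumptions made
for illustration.

```python
import ntpath

# Assumption: extensions treated as directly runnable. .lnk and .shs are the
# two the post names as staying hidden even when Explorer shows extensions.
RISKY_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk", ".shs"}
# Assumption: harmless-looking extensions a sender might place before the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc"}
# Assumption: the dialog is modelled as showing only the first 30 characters,
# based on the 30-31 character observation in the post.
DISPLAY_WIDTH = 30


def shown_name(path, width=DISPLAY_WIDTH):
    """Model of what the receiver's transfer dialog displays."""
    return path[:width]


def audit_transfer_name(path, width=DISPLAY_WIDTH):
    """Return findings for one incoming relative path (empty list = nothing flagged)."""
    stem, ext = ntpath.splitext(path)
    ext = ext.lower()
    if ext not in RISKY_EXTS:
        return []
    findings = ["risky-extension:" + ext]
    # The real extension never reaches the user if the visible part ends before it.
    if not shown_name(path, width).lower().endswith(ext):
        findings.append("extension-not-displayed")
    # A second, harmless-looking extension directly before the real one.
    inner = ntpath.splitext(stem)[1].lower()
    if inner in DECOY_EXTS:
        findings.append("decoy-extension:" + inner)
    # Directory transfers: the file is opened from a folder, where Explorer
    # hides known extensions by default.
    if "\\" in path or "/" in path:
        findings.append("inside-directory")
    return findings


if __name__ == "__main__":
    # Constructed sample names; the first two are the ones used in the post.
    for name in (r"DIR12\ABCD.EXE",
                 r"DIR12\PHOTOS OF ME AND MY AUNT.EXE",
                 r"DIR12\PHOTO OF ME AND AUNT.JPG.EXE",
                 r"DIR12\NOTES.TXT"):
        print(f"{shown_name(name)!r:34} {audit_transfer_name(name)}")
```

A client or mail/IM gateway can run the same check on every name in a
directory transfer and show the full name, or hold the file, whenever the
list is not empty.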