CORE-2006-0322: Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
Date Published: 2006-09-07
Last Update: 2006-09-06
Advisory ID: CORE-2006-0322
Bugtraq ID: None currently assigned
CVE Name: None currently assigned
Title: Multiples vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
Class: Access Validation Error/Design Error, Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510
*Vendors contacted:*
America Online Inc.
. 2006-07-27: Initial notification sent to vendor, advisory release
date set for Aug. 14th.
. 2006-07-27: Vendor response acknowledging notification.
. 2006-08-11: Request for an update sent to vendor asking for an
estimated date for fix availability.
. 2006-08-14: Request for an update sent to vendor asking for an
estimated date for fix availability, advisory release date now set for
Aug. 22nd.
. 2006-08-15: Vendor response received. Still determining when a fix
will be available. A new update from the vendor forthcoming before
Aug. 22nd.
. 2006-08-16: Vendor email received requesting further technical details
or proof-of-concept code.
. 2006-08-17: Core response vendor: proof-of-concept for the ICQ client
bug can not be made available as standalone program without incurring
in a substantial development effort.
. 2006-08-21: Vendor email describing coordination issues with ICQ
development team. No fix schedule provided
. 2006-08-21: In liue of proof-of-concept, Core provides succinct
technical explanation of the problem in the ICQ 2003b client.
. 2006-08-29: Updated advisory sent to vendor requesting comments and
fix availability information. Advisory release date now set for
Aug. 31st.
. 2006-08-30: Vendor response received stating that 30 days is
insufficient to fix bugs and reiterating the previously noted
coordination and communications problems with engineering team at
remote facilities. No tentative fix schedule made available, earliest
date for an official vendor statement about fixes is Sept. 1st
. 2006-08-30: Core response to vendor, publication of advisories will be
delayed until Sept. 6th in order to receive offical statement from
vendor. Baring a precise schedule that demonstrates an imminent
release of fixes the publication date is final.
. 2006-08-30: Vendor provides an official statement.
. 2006-09-07: Advisory published.
Release Mode: USER RELEASE
*Vulnerability Description:*
Security problems found in the ICQ Toolbar v1.3 may allow attackers to
control and change configuration settings and to inject scripting code
in RSS feed contents and execute it in the contetxt of the feed
interface (IE's Local Zone)
ICQ Toolbar 1.3 for Internet Explorer is a Browser Helper Object that
provides several features including: search, pop-up blocker, ICQmail
notifier, RSS feeds and others. The ICQ toolbar, is one of the various
products offered by ICQ and it is available for download at
http://download.icq.com/download/toolbar/
A problem was found in the way the ICQ Toolbar implements its web
configuration interface that lets attackers controlling a malicious
website change the ICQ toolbar's configuration settings without users of
the ICQ toolbar for Internet Explorer noticing that an attack is taking
place.
Additionally, Cross Site Scripting vulnerabilities in the RSS Feeds
interface could allow malicious RSS feeds to execute scripting code in
the context of the Feeds interface, and allow attackers to access (and,
in specific cases, change) configuration settings.
*Vulnerable Packages:*
The following AOL/ICQ software products are affected by these issues:
Remote configuration vulnerability
- ICQ Toolbar 1.3 for Internet Explorer
Malicious RSS feed vulnerability
- ICQ Toolbar 1.3 for Internet Explorer
The ICQ Toolbar for Windows 98/ME was not included in our tests.
Nevertheless, it is likely to be vulnerable.
*Non-vulnerable Packages:*
- ICQ Search Plugin for Mozilla / Firefox.
*Solution/Vendor Information:*
Statement provided by AOL Product Vulnerabilities team:
"AOL has recently been made aware of two vulnerabilities in the various
versions of the ICQ Toolbar. Successful exploitation of the first
vulnerability may allow an attacker to alter non-critical configuration
information for the Toolbar by tricking a user into visiting a malicious
website. The second vulnerability affects versions of the ICQ Toolbar
that have RSS feed capability. An attacker may be able to trick a user
into loading a malicious RSS feed that contains malicious cross-site
scripting code.
Solutions / Workarounds:
Remote configuration vulnerability
- Users should carefully inspect the source of any web-based
configuration files they use to configure their ICQ Toolbar.
Malicious RSS feed vulnerability
- Users are recommended to use the ICQ Toolbar 1.2 which is packaged
with ICQ 5.1; ICQ Toolbar 1.2 does not have RSS feed capability."
*Credits:*
Luciana Tabo, Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman and
Javier Garcia Di Palma from Core Security Technologies discovered and
tested these vulnerabilities during Core Security’s Bugweek 2006.
*Technical Description - Exploit/Concept Code:*
[Web configuration Interface]
The ICQ Toolbar provides a web-based configuration interface that is
implemented through a plain simple HTML page. Whenever a user clicks on
“Toolbar Options,” Internet Explorer is directed to a local webpage
called “options2.html” that resides in the directory where the toolbar
was installed.
Most Internet Explorer toolbars in use are now providing web-based
configuration interfaces that either take you to an online website or,
as in this case, to a local page. In all of these cases, basic security
mechanisms must be implemented to prevent attackers from crafting
malicious web pages that could either change or read toolbar
configuration settings.
As mentioned before, the ICQ toolbar configuration web page provides a
list of standard checklist controls that either enable or disable
certain toolbar features when checked/unchecked by the user. Whenever
one of these checklist controls is clicked, the toolbar internally
handles the onClick event and carries out any corresponding actions.
The first issue derives from the fact that the ICQ Toolbar isn't
validating either the location or the originating source from where the
configuration web page is loaded. Therefore, the toolbar can either be
configured from the local system (as expected) or from anywhere in the
online world.
This enables anyone to simply copy the contents of the locally stored
“options2.html” file and place it as an html file hosted in any website,
such as the attacker’s favorite .com domain.
Secondly, the way in which each checkbox control is associated to a
configuration setting is by simply matching the ID attribute of each
HTML checkbox tag to a list of expected configuration IDs. This enables
an attacker to change the external representation of a checkbox control
in order to disguise an attack. As far as the ID attribute matches a
corresponding configuration setting, the attacker can present to the
user any HTML for rendering and presentation in the browser. By
combining both problems, an attacker can easily read and change ICQ
toolbar configuration settings.
For example, here is what the checkbox for enabling automatic ICQ
Toolbar updates looks like in the ‘official’ configuration interface
(options2.html):
<input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
size="2">Update ICQ Toolbar automatically</font>
The following checkbox will also work the same way:
<input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
size="2">I’m 21 years old or older.</font>
In such a scenario, a commonly seen disclaimer page with a checkbox is
used to disguise an attack that changes toolbar settings.
Although we tried to automate the "clicking" process in order to skip
the need of having the victim click on the checkbox control, the toolbar
seems to actually require the user to generate the Click event.
[Cross Site Scripting vulnerabilities in the RSS Feed module]
Cross Site Scripting vulnerabilities were found in the RSS Feed module
provided by the ICQ Toolbar for Internet Explorer. The issues emerge at
the time of displaying items from an RSS feed and could provide
attackers with a way to access or change configuration settings.
Specifically, we found the title and description fields of the item
element included in a standard RSS feed XML document to be ‘vulnerable’
to Cross Site Scripting vulnerabilities. The issue resides in the fact
that the application is appending the contents of both fields directly
in HTML output without first performing any sanitation or encoding on
them. This would allow an attacker with control on the contents of these
fields to insert Javascript code that will then be executed in the
user's browser. We haven’t tested all possible RSS tags and therefore
believe more tags may carry the same problem.
A sample XML document describing a malicious RSS feed would look like
this:
<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0">
<channel>
<title>Sample evil feed</title>
<link>http://evilfeed</link>
<description>This is a sample evil RSS feed!</description>
<language>en-us</language>
<item>
<title>Stealing your RSS feeds!</title>
<link>http://localhost</link>
<description><img src="javascript:var
url=parent.left.external.GetDataFile();var%20a=parent.left.load_xml(url);var
b=parent.left.parse_tree_data(a, 0, url,'');alert(b)"></description>
<pubDate>2006-07-20</pubDate>
</item>
</channel>
</rss>
The document above will show a MessageBox with the contents of the
toolbar’s data file where the RSS feeds configuration are stored.
An attacker could also:
- Steal the contents of the RSS feeds configuration file.
- Call toolbar methods from the “external” object (RefreshRSS, OpenFeed,
MarkAsRead, OpenRSSDialog, CloseRSSFrame, SetRSSNotificationFlag,
OpenRSSNewDialog...)
- Control the contents of the HTML document that is displayed to the
client in order to trick the victim into several "classic" phishing
attack scenarios.
- etc.
*Workaround:*
Either remove or disable the toolbar in Internet Explorer. Note that
hiding the toolbar through View->Toolbars and unchecking the ICQ toolbar
option DOES NOT disable the toolbar; it just hides it.
The toolbar can easily be removed through the 'Add or Remove Programs'
snap-in provided by Windows's Control Panel or disabled by renaming the
'toolbaru.dll' from the toolbar's installation directory.
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing product
for assessing specific information security threats to an organization.
Penetration testing evaluates overall network security and identifies
what resources are exposed. It enables organizations to determine if
current security investments are detecting and preventing attacks. Core
augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.
Based in Boston, MA. and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
$Id: ICQToolbar-advisory.txt,v 1.11 2006/09/07 19:56:16 carlos Exp $