Old 07-17-2002, 06:57 AM   #1
Rocco Strange
Confirmed User
 
Join Date: May 2002
Posts: 105
ICQ hack, watch out

Got this today:

"I have created an example exploit on

http://www.xs4all.nl/~jkuperus/icq/icq.htm

that starts a little flame program

It works as follows:

The default action for ICQ soundscheme (scm) files is open; it places the wav files included with the scm file in a known location on the hard disk.

flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1]. The scm file I use creates an auth.wav file.

In reality, however, this is not a wav file but an mht (mail archive file) with an embedded base64-encoded executable.

Then I use one of the many available local code execution vulnerabilities found in Internet Explorer recently to execute the embedded binary with this URL:

mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.exe

I don't think it's necessary to use one of IE's exploits, as you can also call html files in the mht archive, but for some reason I wasn't able to get this to work right away.


>>Workaround <<

For a short term solution

open explorer (the file manager not the browser)
go to the file types tab in tools > folder options

locate the scm extension and change the default behaviour to prompt before download

In the long term icq will have to use something like random foldernames for soundschemes to prevent this from happening"
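A defender-side check for the trick described in the quoted advisory above, as an added example that is not part of the original post: it scans a sound-scheme directory for `.wav` files that are not RIFF/WAVE audio and flags any that parse as a MIME (MHT) archive carrying a part with the `MZ` executable magic. The function names, the placeholder `Content-Location` and the sample bytes are constructed for illustration.

```python
import base64
import email
import os

def is_riff_wave(data: bytes) -> bool:
    """Real WAV audio starts with 'RIFF', a 4-byte size, then 'WAVE'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"

def embedded_executables(data: bytes) -> list:
    """Parse data as a MIME (MHT) archive; list parts whose decoded body
    begins with the 'MZ' magic of a Windows executable."""
    hits = []
    for part in email.message_from_bytes(data).walk():
        # get_payload(decode=True) undoes base64 and is None for containers.
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ":
            hits.append(part.get("Content-Location", "<unnamed part>"))
    return hits

def classify(data: bytes) -> str:
    if is_riff_wave(data):
        return "wav"
    if embedded_executables(data):
        return "embedded-executable"
    return "mht" if b"mime-version:" in data[:4096].lower() else "not-wav"

def scan_sounds(root: str) -> list:
    # root would be the ICQ Sounds directory named in the post.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".wav"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read())
            if verdict != "wav":
                findings.append((path, verdict))
    return findings

# Constructed samples: a minimal WAV header, and an MHT-shaped file whose
# base64 part is only the 'MZ' magic plus zero padding (not a real program).
GOOD_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(28)
FAKE_WAV = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Location: file:///C:/placeholder.exe\r\n\r\n"
    + base64.b64encode(b"MZ" + bytes(62)) + b"\r\n--b1--\r\n"
)
```

`scan_sounds` returns an empty list when every `.wav` under the directory is genuine audio; any entry it does return deserves a look before the file is opened by anything.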
Old 07-17-2002, 07:45 AM   #2
NickB.
Confirmed User
 
Industry Role:
Join Date: Aug 2001
Posts: 8,855
Now this is useful info!!!
That's why I like this board!!!

Old 07-17-2002, 07:46 AM   #3
RW316
Confirmed User
 
Join Date: Jun 2002
Posts: 1,103
That's scary... that's why I don't use ICQ anymore.. it's unsafe and users with ICQ can get hacked
Old 07-17-2002, 07:53 AM   #4
Naughty
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Location: Utopia
Posts: 6,484
Feel free to call me stupid, but...
C:/Program%20Files/ICQ/Sounds/flame/Auth.wav
I found this, now what is it we need to do to prevent what?
__________________
seks.ai for sale - ping me
Old 07-17-2002, 08:07 AM   #5
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917

THIS IS FUCKING UNREAL!!

I cannot believe ICQ does this... it shocked the hell outta me, since I thought that URL was a page that was going to explain the hack in more detail...

WOW!

This should be posted in a forum or thread where everyone can read it... to make sure everyone can read it.
Old 07-17-2002, 08:16 AM   #6
Pipecrew
Master of Gfy.com
 
 
Industry Role:
Join Date: Feb 2002
Posts: 14,887
I hope

cheatski.com doesn't find out about this
Old 07-17-2002, 08:22 AM   #7
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917

I found that just deleting the sounds directory prevents this. I never use the sounds anyway, so I already had them turned off before I did this. ICQ doesn't seem to mind.
Old 07-17-2002, 08:26 AM   #8
funkmaster
So Fucking Banned
 
Join Date: Sep 2001
Location: shell beach
Posts: 7,938
we will see this on millions of gallery pages soon. hint, if you tweak the script a little you can autoinstall dialers and shit, and ICQ is not really necessary to get it working ...

thanks for posting, idiot, twat, pissnelke !!!
Old 07-17-2002, 08:29 AM   #9
.:Frog:.
Confirmed User
 
Join Date: Jul 2002
Location: ~ C A N A D A ~
Posts: 2,123
Quote:
Originally posted by Rocco Strange

locate the scm extension and change the default behaviour to prompt before download
I located the file but didn't see an option to "change the default behaviour to prompt before download"

How is this done?
__________________
<a href="http://www.pornopayouts.com/?rid=pp3076">PornoPayouts</a>
Tons of Hosted Galleries.
Old 07-17-2002, 08:44 AM   #10
AWW - Kevin
Confirmed User
 
Industry Role:
Join Date: Jan 2002
Location: AdultWebmasterInfo
Posts: 2,353
Quote:
Originally posted by Juge
I found that just deleting the sounds directory prevents this. I never use the sounds anyway, so I already had them turned off before I did this. ICQ doesn't seem to mind.

does that apply to all versions of icq ?
if someone can help me out
icq me please
#121258311
__________________


Add Your Resource
ICQ: 1212-58311
Old 07-17-2002, 08:46 AM   #11
Pipecrew
Master of Gfy.com
 
 
Industry Role:
Join Date: Feb 2002
Posts: 14,887
Quote:
Originally posted by .:Frog:.


I located the file but didn't see an option to "change the default behaviour to prompt before download"

How is this done?
same prob, i just put "confirm after download"
Old 07-17-2002, 09:16 AM   #12
Sex4it
Confirmed User
 
Industry Role:
Join Date: Aug 2001
Posts: 784
__________________
I'm back and happy about it.
Old 07-17-2002, 10:21 AM   #13
roseyrid
Confirmed User
 
Join Date: Feb 2002
Location: LA
Posts: 1,058
That's crazy, I am practically computer illiterate, and even I can figure out how to fuck with someone's computer with a program like that...scary shit.
Old 07-17-2002, 10:35 AM   #14
pr0
rockin tha trailerpark
 
 
Industry Role:
Join Date: May 2001
Location: ~Coastal~
Posts: 23,088
Don't use internet explorer.

Use opera www.opera.com
Old 07-17-2002, 10:41 AM   #15
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917
I don't know if my method of deleting the 'sounds' directory works for all versions of ICQ or not. All I know is that the program cannot be run if the html file is looking for it in a directory that does not exist. So, yes, it will prevent this no matter which ICQ version you use. BUT I CANNOT GUARANTEE that it will not fuck up your ICQ. So make sure you can restore the directory if it doesn't work. (I hate those ICQ sounds, anyway, so I have them turned off.)

Also, realize that this can probably be done in other programs that auto download and install (WHY THE FUCK does windows allow this to happen? We are supposed to be able to tell windows to download or run from location for each file it downloads through IE). Winamp does this with plugins, so the same thing would be possible if the plugins go to the same directory every time.

ALSO REALIZE that these programs do not have to contain viruses that can be detected by your virus scanner. They can very well contain new viruses OR THEY COULD SIMPLY CONTAIN A PROGRAM THAT DELTREES YOUR ENTIRE SYSTEM. Virus scanners would not catch this, as it is not a virus, and does not attempt to hide itself or recreate itself.

This is too fucking crazy, and makes me mad that idiots can allow for such stupid security flaws. Windows, ICQ, winamp, and any other program that sets its file associations to allow for auto download and auto run, are all to blame. All in the effort to make these programs easy for morons to install, because they can't remember where files go when they get downloaded.
Old 07-17-2002, 11:21 AM   #16
.:Frog:.
Confirmed User
 
Join Date: Jul 2002
Location: ~ C A N A D A ~
Posts: 2,123
Quote:
Originally posted by Pipecrew


same prob, i just put "confirm after download"
That's exactly what I selected.
__________________
<a href="http://www.pornopayouts.com/?rid=pp3076">PornoPayouts</a>
Tons of Hosted Galleries.
Old 07-17-2002, 11:22 AM   #17
Evil Chris
OG
 
 
Industry Role:
Join Date: Dec 2001
Location: 3rd from the Sun
Posts: 13,236
Neither Funbrunette or I have been able to log on to ICQ today...
I hope this isn't the reason why....
__________________


It PAYZE to post on GFY

chris at payze.com | Skype chriswrp
Old 07-17-2002, 06:20 PM   #18
SunTzu
Confirmed User
 
Join Date: May 2002
Location: the box
Posts: 456
Anyone ever try the icq alternatives? Like SecureICQ?

Take a look: http://download.com.com/3120-2001-0-...re+icq&ca=2001
Old 07-17-2002, 06:49 PM   #19
foe
Confirmed User
 
Join Date: May 2002
Location: CT
Posts: 5,246
Trillian
Old 07-18-2002, 04:45 AM   #20
Naughty
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Location: Utopia
Posts: 6,484
Quote:
Originally posted by Evil Chris
Neither Funbrunette or I have been able to log on to ICQ today...
I hope this isn't the reason why....
Another thing is that my ICQ sounds don't work anymore now. WTF??

Tell me how to fix that too if you please, this wasn't a funny thread
Old 07-18-2002, 04:47 AM   #21
Naughty
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Location: Utopia
Posts: 6,484
Fuck it, I got it
Old 07-18-2002, 06:48 AM   #22
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917
Quote:
Originally posted by Naughty


Another thing is that my ICQ sounds don't work anymore now. WTF??

Tell me how to fix that too if you please, this wasn't a funny thread
I think I know what happened... the webpage automatically downloads the file (which has a hidden .exe in it) because it has it named as an ICQ sounds theme - so ICQ is the culprit automatically downloading and installing this crap (fucking programs, no wonder there are so many security leaks, it should have to ASK before downloading AND before installing), anyway, it auto downloads, and then attempts to install it - but it can't install it because it's not an ICQ sounds theme file - it's a text file with a hidden compressed .exe in it that is just renamed to look like an ICQ sounds theme so the stupid insecure ICQ program can download it onto your drive... so now your ICQ's sound theme is set to something invalid. You have to set it back...
Old 07-18-2002, 06:53 AM   #23
HQ
Confirmed User
 
Join Date: Jan 2001
Posts: 3,539
Didn't work on my system.

Is that because I have ICQ sounds turned off or because I have Windows XP or ...?
Old 07-18-2002, 09:28 AM   #24
jimmyf
OU812
 
Join Date: Feb 2001
Location: California
Posts: 12,651
I should not have any problem...as I have ICQ installed on my D: drive. but am going to check anyway.
__________________
Epic CashEpic Cash works for me
Solar Cash Paysite Plugin
Gallery of the day freesites,POTD,Gallery generator with free hosting
Old 07-18-2002, 09:36 AM   #25
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally posted by jimmyf
I should not have any problem...as I have ICQ installed on my D: drive. but am going to check anyway.
it's quite easy to run locate the file by script and pipe the result
to the next action

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 07-18-2002, 09:46 AM   #26
jimmyf
OU812
 
Join Date: Feb 2001
Location: California
Posts: 12,651
Quote:
Originally posted by DynaSpain


it's quite easy to run locate the file by script and pipe the result
to the next action

DynaMite
Like I said am going to check anyway. I did and found nothing.
__________________
Epic CashEpic Cash works for me
Solar Cash Paysite Plugin
Gallery of the day freesites,POTD,Gallery generator with free hosting
Old 07-21-2002, 09:04 PM   #27
easyjesus
Confirmed User
 
Join Date: Mar 2002
Location: Ft Worth TX
Posts: 291
As long as you're running a firewall, and don't have the firewall set to let programs automatically do shit like that, you're FINE!
__________________
Loved By Some, Hated By Most....
<a href="http://www.unclejimsporn.com">http://www.unclejimsporn.com</a>
<a href="http://www.cousindirty.com">http://www.cousindirty.com</a>
<a href="http://www.drunkspringbreakchics.com">http://www.drunkspringbreakchics.com</a>
Old 07-23-2002, 04:23 AM   #28
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917
I have a firewall, but it didn't block this program from being run, according to the default settings.

It didn't stop it from downloading the files since it has given ICQ the right to download sound themes (the .exe was hidden in a sound themes file). And then the html runs the hidden file (somehow - I didn't really look to see what was going on) from your own computer... I am not sure why it let this happen, but I do know that a lot of programs are run on your own computer without your permission...

Has anyone analyzed the file, yet?
Old 07-23-2002, 05:16 AM   #29
Theo
HAL 9000
 
Industry Role:
Join Date: May 2001
Posts: 34,515
good catch!