ICQ Client Cross-Application Scripting (XAS)


Published: 2006.05.12
Credit: 3APA3A (3APA3A SECURITY NNOV RU)
Risk: Low
CWE: N/A
CVE: CVE-2006-2303
Local: No
Remote: Yes

CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None


QQLan <QQlan (at) yandex (dot) ru> reported a vulnerability in multiple versions of
ICQ Inc.'s ICQ instant messenger client, in the way it interacts with Microsoft
Internet Explorer.

Author: QQlan <QQlan (at) yandex (dot) ru>
Title: ICQ Client Cross-Application Scripting (XAS)
Vendor: ICQ Inc.
Application: ICQ
Versions: up to and including 5.04 build 2321
Vulnerability class: man-in-the-middle, against client
Vulnerability type: cross application scripting (My Computer zone)
Risk level: low (high, if unsecured shared network is used)

Intro:

ICQ, by ICQ Inc., is probably the most popular instant messaging application.

Description:

Under some conditions, the ICQ client is vulnerable to remote script injection into
the My Computer security zone of the Internet Explorer component used to display
advertisement banners.

Detailed description:

<quote src=http://www.security.nnov.ru/Jdocument327.html>
Cross application scripting (XAS) is possible when an application
executes data in a security context different from the original content
(presumably one with less security restrictions). For example the data
may be obtained from an un-trusted source (a remote web server) that is
sent unfiltered into a trusted application such as when web content is
downloaded from a remote server, and then re-displayed on the local
host. Any application that downloads and then later displays and
executes web content (such as JavaScript) may be vulnerable to XAS.
</quote>

The ICQ client has a very annoying advertising function. Banners are displayed
inside an Internet Explorer COM object embedded in the main window, the "Welcome
Screen" and every "Message Session" dialog. Under some conditions an
attacker can replace the HTML content in these forms with a malicious script,
which will be executed in the My Computer security zone of Internet
Explorer.

Technical information will be published (three months, maybe years, later)
after the vendor provides a patch.

Workaround:

1. Press Ctrl+Shift+Esc
2. In the File/Run menu, type cmd.exe
3. In the cmd.exe console, type
echo 127.0.0.1 ar.atwola.com >> %SystemRoot%\system32\drivers\etc\hosts
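
A check that the workaround actually took effect, as an added example that is not part of the original advisory. Appending with `>>` to a hosts file that has no trailing newline glues the new entry onto the last line, so the script flags that case; the function name `check_hosts` and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

AD_HOST = "ar.atwola.com"  # banner host named in the workaround
# A hostname field ending in a dotted quad means two entries were run together.
GLUED = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")

def check_hosts(text, host=AD_HOST):
    """Return (status, findings) for `host` in hosts-file text.

    "blocked": every effective mapping of host is a loopback address
    "exposed": host is mapped to a non-loopback address
    "missing": no effective entry (absent, commented out, or invalid)
    """
    host = host.lower()
    addrs, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        if host in comment.lower():
            findings.append(f"line {lineno}: entry is commented out")
        fields = body.split()
        if len(fields) < 2 or host not in (n.lower() for n in fields[1:]):
            continue
        if any(GLUED.search(n) for n in fields[1:]):
            findings.append(f"line {lineno}: entry glued to previous line")
        try:
            addrs.append(ipaddress.ip_address(fields[0]))
        except ValueError:
            findings.append(f"line {lineno}: invalid address {fields[0]!r}")
    if not addrs:
        return "missing", findings
    status = "blocked" if all(a.is_loopback for a in addrs) else "exposed"
    return status, findings

# Constructed sample files (not taken from any real machine).
GOOD = "127.0.0.1 localhost\r\n127.0.0.1 ar.atwola.com \r\n"
# Last line had no newline before the echo was appended:
NO_NEWLINE = "127.0.0.1 localhost\n10.0.0.5 fileserver" "127.0.0.1 ar.atwola.com\n"
IN_COMMENT = "127.0.0.1 localhost\n# local overrides" "127.0.0.1 ar.atwola.com\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("no newline", NO_NEWLINE),
                         ("in comment", IN_COMMENT)):
        print(name, check_hosts(sample))
```

To audit a real machine, pass the contents of `%SystemRoot%\system32\drivers\etc\hosts` to `check_hosts`.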

Disclosure timeline:

5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

--
/3APA3A
http://www.security.nnov.ru/
