Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer

Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Date Published: 2006-09-07

Last Update: 2006-09-06

Advisory ID: CORE-2006-0322

Bugtraq ID:

19900

CVE Name:

CVE-2006-4660 / CVE-2006-4661

Title: Multiples vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer

Class: Access Validation Error/Design Error, Input validation error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL: http://www.coresecurity.com/?action=item&id=1510

*Vendors contacted:*

America Online Inc.
. 2006-07-27: Initial notification sent to vendor, advisory release date set for Aug. 14th.
. 2006-07-27: Vendor response acknowledging notification.
. 2006-08-11: Request for an update sent to vendor asking for an estimated date for fix availability.
. 2006-08-14: Request for an update sent to vendor asking for an estimated date for fix availability, advisory release date now set for Aug. 22nd.
. 2006-08-15: Vendor response received. Still determining when a fix will be available. A new update from the vendor forthcoming before Aug. 22nd.
. 2006-08-16: Vendor email received requesting further technical details or proof-of-concept code.
. 2006-08-17: Core response vendor: proof-of-concept for the ICQ client bug can not be made available as standalone program without incurring in a substantial development effort.
. 2006-08-21: Vendor email describing coordination issues with ICQ
development team. No fix schedule provided
. 2006-08-21: In liue of proof-of-concept, Core provides succinct technical explanation of the problem in the ICQ 2003b client.
. 2006-08-29: Updated advisory sent to vendor requesting comments and fix availability information. Advisory release date now set for Aug. 31st.
. 2006-08-30: Vendor response received stating that 30 days is insufficient to fix bugs and reiterating the previously ntoed coordination and communications problems with engineering team at remote facilities. No tentative fix schedule made available, earliest date for an official vendor statement about fixes is Sept. 1st
. 2006-08-30: Core response to vendor, publication of advisories will be delayed until Sept. 6th in order to receive offical statement from vendor. Baring a precise schedule that demonstrates an imminent release of fixes the publication date is final.
. 2006-08-30: Vendor provides an official statement.
. 2006-09-07: Advisory published.

Release Mode: USER RELEASE


*Vulnerability Description:*

Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code in RSS feed contents and execute it in the contetxt of the feed interface (IE's Local Zone)

ICQ Toolbar 1.3 for Internet Explorer is a Browser Helper Object that provides several features including: search, pop-up blocker, ICQmail notifier, RSS feeds and others. The ICQ toolbar, is one of the various products offered by ICQ and it is available for download at
http://download.icq.com/download/toolbar/

A problem was found in the way the ICQ Toolbar implements its web configuration interface that lets attackers controlling a malicious website change the ICQ toolbar's configuration settings without users of the ICQ toolbar for Internet Explorer noticing that an attack is taking place.

Additionally, Cross Site Scripting vulnerabilities in the RSS Feeds interface could allow malicious RSS feeds to execute scripting code in the context of the Feeds interface, and allow attackers to access (and, in specific cases, change) configuration settings.

*Vulnerable Packages:*

The following AOL/ICQ software products are affected by these issues:

Remote configuration vulnerability
- ICQ Toolbar 1.3 for Internet Explorer

Malicious RSS feed vulnerability
- ICQ Toolbar 1.3 for Internet Explorer

The ICQ Toolbar for Windows 98/ME was not included in our tests.
Nevertheless, it is likely to be vulnerable.

*Non-vulnerable Packages:*

- ICQ Search Plugin for Mozilla / Firefox.

*Solution/Vendor Information:*

Statement provided by AOL Product Vulnerabilities team:
"AOL has recently been made aware of two vulnerabilities in the various versions of the ICQ Toolbar. Successful exploitation of the first
vulnerability may allow an attacker to alter non-critical configuration information for the Toolbar by tricking a user into visiting a malicious
website. The second vulnerability affects versions of the ICQ Toolbar that have RSS feed capability. An attacker may be able to trick a user
into loading a malicious RSS feed that contains malicious cross-site scripting code.

Solutions / Workarounds:

Remote configuration vulnerability
- Users should carefully inspect the source of any web-based
configuration files they use to configure their ICQ Toolbar.

Malicious RSS feed vulnerability
- Users are recommended to use the ICQ Toolbar 1.2 which is packaged
with ICQ 5.1; ICQ Toolbar 1.2 does not have RSS feed capability."

*Credits:*

Lucas Lavarello, Sebastian Cufre, Ezequiel Gutesman, Javier Garcia Di Palma and Luciana Tabo from Core Security Technologies discovered and tested these vulnerabilities during Core Security’s Bugweek 2006.

*Technical Description - Exploit/Concept Code:*

[Web configuration Interface]

The ICQ Toolbar provides a web-based configuration interface that is implemented through a plain simple HTML page. Whenever a user clicks on “Toolbar Options,” Internet Explorer is directed to a local webpage called “options2.html” that resides in the directory where the toolbar was installed.

Most Internet Explorer toolbars in use are now providing web-based configuration interfaces that either take you to an online website or, as in this case, to a local page. In all of these cases, basic security mechanisms must be implemented to prevent attackers from crafting malicious web pages that could either change or read toolbar configuration settings.

As mentioned before, the ICQ toolbar configuration web page provides a list of standard checklist controls that either enable or disable certain toolbar features when checked/unchecked by the user. Whenever one of these checklist controls is clicked, the toolbar internally handles the onClick event and carries out any corresponding actions.

The first issue derives from the fact that the ICQ Toolbar isn't validating either the location or the originating source from where the configuration web page is loaded. Therefore, the toolbar can either be configured from the local system (as expected) or from anywhere in the online world.
This enables anyone to simply copy the contents of the locally stored “options2.html” file and place it as an html file hosted in any website, such as the attacker’s favorite .com domain.

Secondly, the way in which each checkbox control is associated to a configuration setting is by simply matching the ID attribute of each HTML checkbox tag to a list of expected configuration IDs. This enables an attacker to change the external representation of a checkbox control in order to disguise an attack. As far as the ID attribute matches a corresponding configuration setting, the attacker can present to the user any HTML for rendering and presentation in the browser. By combining both problems, an attacker can easily read and change ICQ toolbar configuration settings.

For example, here is what the checkbox for enabling automatic ICQ Toolbar updates looks like in the ‘official’ configuration interface (options2.html):

<input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
size="2">Update ICQ Toolbar automatically</font>

The following checkbox will also work the same way:

<input type="checkbox" id="UpdateAutomatically"><font face="Tahoma"
size="2">I’m 21 years old or older.</font>

In such a scenario, a commonly seen disclaimer page with a checkbox is used to disguise an attack that changes toolbar settings.

Although we tried to automate the "clicking" process in order to skip the need of having the victim click on the checkbox control, the toolbar seems to actually require the user to generate the Click event.

[Cross Site Scripting vulnerabilities in the RSS Feed module]

Cross Site Scripting vulnerabilities were found in the RSS Feed module provided by the ICQ Toolbar for Internet Explorer. The issues emerge at the time of displaying items from an RSS feed and could provide attackers with a way to access or change configuration settings.

Specifically, we found the title and description fields of the item element included in a standard RSS feed XML document to be ‘vulnerable’ to Cross Site Scripting vulnerabilities. The issue resides in the fact that the application is appending the contents of both fields directly in HTML output without first performing any sanitation or encoding on them. This would allow an attacker with control on the contents of these fields to insert Javascript code that will then be executed in the user's browser. We haven’t tested all possible RSS tags and therefore believe more tags may carry the same problem.

A sample XML document describing a malicious RSS feed would look like this:

<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0">
<channel>
<title>Sample evil feed</title>
<link>http://evilfeed</link&gt;
<description>This is a sample evil RSS feed!</description>
<language>en-us</language>
<item>
<title>Stealing your RSS feeds!</title>
<link>http://localhost</link&gt;

<description>&lt;img src="javascript:var url=parent.left.external.GetDataFile();var%20a=parent.left.load_xml(url);var b=parent.left.parse_tree_data(a, 0, url,'');alert(b)"&gt;</description>

<pubDate>2006-07-20</pubDate>
</item>
</channel>
</rss>

The document above will show a MessageBox with the contents of the toolbar’s data file where the RSS feeds configuration are stored.
An attacker could also:
- Steal the contents of the RSS feeds configuration file.
- Call toolbar methods from the “external” object (RefreshRSS, OpenFeed, MarkAsRead, OpenRSSDialog, CloseRSSFrame, SetRSSNotificationFlag, OpenRSSNewDialog...)
- Control the contents of the HTML document that is displayed to the client in order to trick the victim into several "classic" phishing attack scenarios.
- etc.

*Workaround:*

Either remove or disable the toolbar in Internet Explorer. Note that hiding the toolbar through View->Toolbars and unchecking the ICQ toolbar option DOES NOT disable the toolbar; it just hides it.

The toolbar can easily be removed through the 'Add or Remove Programs' snap-in provided by Windows's Control Panel or disabled by renaming the 'toolbaru.dll' from the toolbar's installation directory.

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies.

We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company’s flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization.

Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training.

Based in Boston, MA. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2006 CORE Security Technologies and (c) 2006 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: ICQToolbar-advisory.txt,v 1.10 2006/09/06 20:55:41 carlos Exp $