ICQ Client My Computer Zone Internet Explorer COM Object Banner Handling Cross-Application Scripting (XAS) Vulnerability

Vulnerability ID: 1195033
Vulnerability type: Input validation
Published: 2006-05-09
Updated: 2007-02-20
CVE: CVE-2006-2303
CNNVD-ID: CNNVD-200605-214
Platform: N/A
CVSS score: 6.4
|Vulnerability source
https://www.securityfocus.com/bid/17913
https://cxsecurity.com/issue/WLB-2006050065
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-214
|Vulnerability details
ICQ Client 5.04 build 2321 and earlier versions contain a cross-application scripting (XAS) vulnerability. A remote attacker can inject arbitrary web script from one application into another by means of advertising banners that are handled by the Internet Explorer COM object in the My Computer zone.
|Vulnerability exploit (EXP)

QQlan <QQlan (at) yandex (dot) ru [email concealed]> reported a vulnerability in multiple versions of ICQ
Inc.'s ICQ instant messenger client, in the way it interacts with Microsoft
Internet Explorer.

Author:                 QQlan <QQlan (at) yandex (dot) ru [email concealed]>
Title:                  ICQ Client Cross-Application Scripting (XAS)
Vendor:                 ICQ Inc.
Application:            ICQ
Versions:               up to and including 5.04 build 2321
Vulnerability class:    man-in-the-middle, against client
Vulnerability type:     cross application scripting (My Computer zone)
Risk level:             low (high, if unsecured shared network is used)

Intro:

ICQ is probably the most popular instant messaging application, by ICQ Inc.

Description:

Under some conditions, the ICQ client is vulnerable to remote script injection into
the My Computer security zone of the Internet Explorer component used to display
advertisement banners.

Detailed description:

<quote src=http://www.security.nnov.ru/Jdocument327.html>
Cross application scripting (XAS) is possible when an application
executes data in a security context different from the original content
(presumably one with less security restrictions). For example the data
may be obtained from an un-trusted source (a remote web server) that is
sent unfiltered into a trusted application such as when web content is
downloaded from a remote server, and then re-displayed on the local
host. Any application that downloads and then later displays and
executes web content (such as JavaScript) may be vulnerable to XAS.
</quote>

The ICQ client has a very annoying advertising function. Banners are displayed
inside an Internet Explorer COM object embedded into the main window, the "Welcome
Screen" and every "Message Session" dialog. Under some conditions an
attacker can replace the HTML content in these forms with a malicious script,
which will then be executed in the My Computer security zone of Internet
Explorer.

Technical information will be published (three months, maybe years, later)
after the vendor provides a patch.

Workaround:

1. Press Ctrl+Shift+Esc
2. In the File/Run menu type cmd.exe
3. In the cmd.exe console type
   echo 127.0.0.1  ar.atwola.com  >> %SystemRoot%\system32\drivers\etc\hosts
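The workaround above appends the sinkhole entry unconditionally, so repeating it leaves duplicate lines and it never tells you whether the banner host was already mapped elsewhere. The following is an added example, not part of the advisory: it parses hosts-file text, reports whether ar.atwola.com is already sinkholed to 127.0.0.1, mapped to a different address (a conflict worth investigating), or missing, and appends the entry only in the last case. The sample hosts content is constructed; on Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Idempotent hosts-file check/apply for the ar.atwola.com banner sinkhole."""
from typing import Iterator, Tuple

SINKHOLE_IP = "127.0.0.1"
BANNER_HOST = "ar.atwola.com"  # banner server named in the advisory's workaround


def _entries(hosts_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def sinkhole_status(hosts_text: str, host: str = BANNER_HOST,
                    ip: str = SINKHOLE_IP) -> str:
    """Return 'sinkholed', 'conflict' (mapped to another address) or 'missing'."""
    mapped = [entry_ip for entry_ip, name in _entries(hosts_text)
              if name == host.lower()]
    if not mapped:
        return "missing"
    # The resolver honours the first matching line, so that one decides.
    return "sinkholed" if mapped[0] == ip else "conflict"


def ensure_sinkhole(hosts_text: str, host: str = BANNER_HOST,
                    ip: str = SINKHOLE_IP) -> Tuple[str, str]:
    """Return (new_text, action). Appends only when the host is absent;
    a conflicting mapping is reported rather than silently overridden."""
    status = sinkhole_status(hosts_text, host, ip)
    if status != "missing":
        return hosts_text, status
    sep = "" if hosts_text == "" or hosts_text.endswith("\n") else "\n"
    entry = f"{ip}  {host}  # ICQ banner sinkhole (XAS workaround)\n"
    return hosts_text + sep + entry, "added"


# Constructed sample hosts content (not from the page).
SAMPLE_HOSTS = "# sample hosts file (constructed)\n127.0.0.1       localhost\n"

if __name__ == "__main__":
    text, action = ensure_sinkhole(SAMPLE_HOSTS)
    print(action, sinkhole_status(text))
```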

Disclosure timeline:

5/2005 Vulnerability discovered
4/2006 Last attempt to contact vendor
5/2006 Public disclosure

-- 
/3APA3A
http://www.security.nnov.ru/
|Affected products
Icq ICQ 5.04 build 2321
Icq ICQ 5.03
Icq ICQ 5.02
Icq ICQ 4.14
Icq ICQ 4.13
|References

Source: BUGTRAQ
Name: 20060509 ICQ Client Cross-Application Scripting (XAS)
Link: http://www.securityfocus.com/archive/1/archive/1/433360/100/0/threaded
Source: SECTRACK
Name: 1016045
Link: http://securitytracker.com/id?1016045
Source: XF
Name: icq-banner-xas(26386)
Link: http://xforce.iss.net/xforce/xfdb/26386
Source: BID
Name: 17913
Link: http://www.securityfocus.com/bid/17913
Source: VUPEN
Name: ADV-2006-1765
Link: http://www.frsirt.com/english/advisories/2006/1765
Source: SREASON
Name: 868
Link: http://securityreason.com/securityalert/868
Source: SECUNIA
Name: 20010
Link: http://secunia.com/advisories/20010
Source: FULLDISC
Name: 20060509 ICQ Client Cross-Application Scripting (XAS)
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045916.html