Paul Wilders
July 17th, 2002, 04:06 AM
"It does in fact allow you to run code of your choosing on a victim's machine by creating a specially crafted web page and sound scheme file.
Explanation and example
The finder has created an example exploit on:
www.xs4all.nl/~jkuperus/icq/icq.htm (http://www.xs4all.nl/~jkuperus/icq/icq.htm)
that starts a little flame program.
It works as follows:
The default action for ICQ sound scheme (scm) files is "open"; it places the WAV files included in the scm file in a known location on the hard disk.
flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1]
The scm file I use creates an auth.wav file.
In reality, however, this is not a WAV file but an MHT (mail archive) file with an embedded base64-encoded executable.
Then he uses one of the many local code execution vulnerabilities found in Internet Explorer recently to execute the embedded binary with this URL:
deleted - Forum Admin
The author doesn't think it's necessary to use one of IE's exploits, as you can also call HTML files in the MHT archive, but for some reason wasn't able to get this to work right away.
Workaround
For a short-term solution:
open Explorer (the file manager, not the browser)
go to the File Types tab in Tools > Folder Options
locate the scm extension and change the default behaviour to prompt before download
In the long term ICQ will have to use something like random folder names for sound schemes to prevent this from happening."
---
note: using the mentioned URL is your own responsibility - Forum Admin
regards.
paul
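The workaround in the quoted advisory changes the .scm file type so that Explorer prompts before opening a downloaded file. The script below is an added example, not part of the post or of ICQ, that checks and applies that same setting from PowerShell instead of through the File Types dialog. It assumes that the "Confirm open after download" checkbox corresponds to the FTA_OpenIsSafe bit (0x00010000) in the EditFlags value of the handler's ProgID key under HKEY_CLASSES_ROOT: when the bit is set the prompt is skipped, when it is clear Windows asks first. Both function names are the example's own; the .scm ProgID is read from the registry rather than assumed.

```powershell
# Added example (not from the advisory or the forum post).
# Assumption: "Confirm open after download" (Folder Options > File Types)
# is stored as the FTA_OpenIsSafe bit in the ProgID's EditFlags value.
# Bit set   -> downloaded files of this type open without a prompt.
# Bit clear -> the shell prompts before opening (the advisory's workaround).
$FTA_OpenIsSafe = 0x00010000

function Get-OpenAfterDownloadStatus {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.scm'

    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null
                                  EditFlags = $null; PromptsBeforeOpen = $null
                                  Note = 'extension not registered' }
    }
    # The extension key's default value names the ProgID that owns EditFlags.
    $progId = (Get-Item -Path $extKey).GetValue('')
    if (-not $progId) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null
                                  EditFlags = $null; PromptsBeforeOpen = $null
                                  Note = 'no ProgID for extension' }
    }
    $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
    $raw = (Get-Item -Path $progKey -ErrorAction SilentlyContinue).GetValue('EditFlags')

    # EditFlags may be absent, a REG_DWORD (comes back as Int32, possibly
    # negative when the high bit is set) or a 4-byte REG_BINARY.
    $flags = [uint32]0
    if ($raw -is [byte[]]) {
        $flags = [BitConverter]::ToUInt32($raw, 0)
    } elseif ($null -ne $raw) {
        $flags = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
    }

    [pscustomobject]@{
        Extension         = $Extension
        ProgId            = $progId
        EditFlags         = ('0x{0:X8}' -f $flags)
        PromptsBeforeOpen = (($flags -band $FTA_OpenIsSafe) -eq 0)
        Note              = ''
    }
}

function Set-ConfirmOpenAfterDownload {
    # Clears FTA_OpenIsSafe so the shell prompts before opening downloads of
    # this type. Writes to HKEY_CLASSES_ROOT, so run elevated; use -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Extension)

    $status = Get-OpenAfterDownloadStatus -Extension $Extension
    if (-not $status.ProgId) { throw "No handler registered for $Extension ($($status.Note))" }
    if ($status.PromptsBeforeOpen) {
        Write-Verbose "$Extension already prompts before opening"
        return $status
    }

    $progKey  = "Registry::HKEY_CLASSES_ROOT\$($status.ProgId)"
    $current  = [Convert]::ToUInt32($status.EditFlags, 16)
    $newFlags = [uint32]($current -band (-bnot [uint32]$FTA_OpenIsSafe))
    # REG_DWORD is written through Int32; reinterpret the bits rather than
    # casting, so values above 0x7FFFFFFF do not overflow.
    $asInt32  = [BitConverter]::ToInt32([BitConverter]::GetBytes($newFlags), 0)

    if ($PSCmdlet.ShouldProcess($progKey, "clear FTA_OpenIsSafe in EditFlags")) {
        Set-ItemProperty -Path $progKey -Name EditFlags -Value $asInt32 -Type DWord
    }
    Get-OpenAfterDownloadStatus -Extension $Extension
}

# Usage: inspect the .scm handler first, then apply the prompt setting.
Get-OpenAfterDownloadStatus -Extension '.scm' | Format-List
# Set-ConfirmOpenAfterDownload -Extension '.scm' -WhatIf
# Set-ConfirmOpenAfterDownload -Extension '.scm'
```

The check-first design matters because EditFlags carries several unrelated shell flags for the same ProgID; the script clears only the one bit tied to the download prompt and leaves the rest as they are. It also does nothing about the advisory's long-term point (predictable install paths under the ICQ Sounds folder), which only the application vendor could change.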