icq99.web.server.txt

1999-08-17T00:00:00
ID PACKETSTORM:12018
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Mon, 5 Apr 1999 23:50:56 +0200  
From: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>  
To: BUGTRAQ@netspace.org  
Subject: security hole in ICQ-Webserver  
  
Hi,  
Some days ago I read a message here on Bugtraq from Ronald A. Jarrell   
about a vulnerability in the ICQ-Webserver. I tried to reproduce this   
vulnerability on my computer (Win95) and found out the following:  
- sending any non-HTTP stuff or even a simple "get" (without any other   
characters, however) crashes the ICQ client. This works with ICQ99a V2.13   
Build 1700, but not with Build 1547.  
  
Moreover, there is a much bigger hole in the ICQ-Webserver: if you have   
the webserver enabled, everyone can access your complete(!) hard disk   
with a simple web browser. When your page is activated and you are online,   
each request to "http://members.icq.com/<your ICQ-Number>" will be   
redirected to your computer. Thus, every visitor gets to know your current IP.  
Nevertheless, only the files in "/ICQ99/Hompage/<your ICQ-Number>/personal"   
should be accessible. But a visitor can "climb up" the directory tree with   
some dots, e.g. "http://<yourIP>/...../a2.html" would present him the file   
"a2.html" in the "ICQ99" directory. With some more dots, he would come to   
the root directory of your hard disk. But there is one barrier: the   
ICQ-Webserver only delivers files with a ".html" extension. After some   
experiments I found a way to trick it: I add ".html/" to the URL and   
the webserver sends every file I request. For instance,  
"http://<yourIP>/............./config.sys" won't work, but   
"http://<yourIP>/.html/............./config.sys" would.  
I have tested this both with Build 1700 and with Build 1547.  
  
In my opinion, this is a significant security problem, because password   
files or even the registry in the Windows directory can be read.  
I warned Mirabilis about it and hope they will inform the ICQ community.  
Sorry for my poor English...  
  
Jan Vogelgesang  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 08:45:48 -0400  
From: "José Reyes Cedeño" <jreyes@CEIS.ISPJAE.EDU.CU>  
To: BUGTRAQ@netspace.org  
Subject: Re: ICQ Webserver bug  
  
>Well, my box was win 98, and the remote box I tested it against was  
>win 95. Didn't have anyone running NT handy to test against. However,  
>another person I corresponded with who was testing this did get it to  
>drop a 95 box, but not every time. Did it every time for me; but there's  
>apparently other factors that contribute as well.  
>  
>--  
>Ron Jarrell  
>VA Tech Computing Center  
  
I tried to test this on my NT box (NT Server 4.00.1381, Service Pack 3) and I  
could not reproduce the error. I used ICQ Version 99a Beta v.2.13 Build  
1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang explained  
in detail the procedure they carried out to arrive at the error.  
  
Best regards, Jose.  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 19:35:35 +0000  
From: sven@MSC-MEDIA.COM  
To: BUGTRAQ@netspace.org  
Subject: Re: security hole (READ AS: security chasm) in ICQ-Webserver  
  
On 8 Apr, DaChronic wrote:  
> I can confirm this with Win9x but not with WinNT 4.0 sp3 and hotfixes  
> nor sp4 (can anyone else?). ..........  
  
As was discussed some time ago on this list,  
the 'more than 2 dots' feature is not working with NT.  
But it is definitely working with 95/98.  
  
Maybe replacing /.../ with /../../ will work ?  
  
CU Sven  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 18:08:06 -0700  
From: Scott <smc@visuallink.com>  
To: BUGTRAQ@netspace.org  
Subject: Re: ICQ Webserver bug  
  
I'm using Win98/4.10.1998 w/ ICQ Version 99a Beta v.2.13 Build #1700  
  
I could crash my ICQ webserver and read files remotely. When I have tried  
this on other computers, it only works some of the time; sometimes it  
returns "Forbidden" when I try to crash it or d/l files.  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 19:30:18 -0400  
From: Kaven Rousseau <rousseau@GLOBETROTTER.QC.CA>  
To: BUGTRAQ@netspace.org  
Subject: Re: ICQ Webserver bug  
  
At 08:45 1999-04-08 -0400, you wrote:  
>>Well, my box was win 98, and the remote box I tested it against was  
>>win 95. Didn't have anyone running NT handy to test against. However,  
>>another person I corresponded with who was testing this did get it to  
>>drop a 95 box, but not every time. Did it every time for me; but there's  
>>apparently other factors that contribute as well.  
>>  
>>--  
>>Ron Jarrell  
>>VA Tech Computing Center  
>  
>I try to test this on my NT box ( NT server 4.00.1381, Sevice pack 3 ) and I  
>could not reproduce the error. I've used ICQ Version 99a Beta v.2.13 Build  
>1700. It would be beneficial if Ron Jarrell or Jan Vogelgesang, explained  
>the procedure that they carried out to arrive to the error detailedly.  
>  
>Best regards, Jose.  
  
  
I tested it against my own Win98 box with IE5 final (English). Result: I was  
vulnerable.  
My friend with Win98 and IE4 (French). Result: vulnerable.  
Another friend with Win98 and IE5 (French). Result: vulnerable.  
  
we were all using ICQ99a build 1700  
  
Method used:  
telnet to port 80  
send: QUIT <LF>  
it disconnects after 5 to 10 seconds.  
  
,  
|  
| Kaven Rousseau  
| rousseau@globetrotter.qc.ca  
| FingerPrint: F1C8 F915 9F0F DD5E DACB 024B 5C6F 163D F097 40D6  
`------------------- ---- -- -  
  
-------------------------------------------------------------------------------  
  
Date: Sat, 10 Apr 1999 20:45:56 +0200  
From: Frank Dekervel <kervel@SVENNIEBOY.TERBANK.KOTNET.ORG>  
To: BUGTRAQ@netspace.org  
Subject: Re: ICQ Webserver bug  
  
humm,  
  
I'd like to add one last thing to this, in my opinion, much too long  
thread. (Seems some writers aren't thinking about the cause.)  
  
If you have a look at the pseudocode below, which I suspect Mirabilis to  
use, you'll find thousands of ways to exploit ICQ.  
  
char req[1024], method[32], url[512], version[32], path[1024], buffer[4096];  
recv(my_socket, req, sizeof req, 0);  
sscanf(req, "%s %s %s", method, url, version);  
/// if you only feed two or one word, url/version are never filled in and the  
/// uninitialised buffers get used anyway: it 'dumps core', GPF under windoze  
for (char *p = url; *p; p++) if (*p == '/') *p = '\\';   /// slashes -> backslashes  
strcpy(path, "c:\\program files\\icq\\webroot_dir\\"); strcat(path, url);  
/// no check that path is still inside webroot_dir:  
/// yes, this is the '../../../../' bug ...  
fd = open(path, O_RDONLY);  
n = read(fd, buffer, sizeof buffer);  
send(my_socket, buffer, n, 0);  
closesocket(my_socket);  
  
  
  
I think it's this because I made a small webserver earlier to see common  
bugs. I checked on the net, and the dynamic server of Francois Piete  
(known for Delphi components) and various shareware servers, or remote  
admin modules for e.g. proxy servers, are vulnerable.  
  
  
greetz,  
  
kervel  
(kervel@svennieboy.terbank.kotnet.org)  
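  
Editorial example added to this archive page, not code from any of the posts above and not Mirabilis' code: a Python model of the three behaviours the thread reports for Build 1700 (the crash on a request line with fewer than three words, the multi-dot climb out of the homepage directory, and the ".html/" extension bypass), beside a handler that applies the checks a practitioner would want. The webroot path and ICQ number are hypothetical, the "N dots climb N-1 directories" rule is a model of the Win9x behaviour the posters rely on (the depth it yields for a given URL need not match Jan's exact count), and the naive extension check is one assumption consistent with the observed bypass, not a known detail of the real server.

```python
# Added editorial example, not code from the posts or from Mirabilis.
# Models the Build 1700 behaviours reported in this thread and the fix.
# WEBROOT / ICQ number are hypothetical; the Win9x dot rule is a model.
WEBROOT = "C:/ICQ99/Homepage/12345678/personal"


def parse_request_line(line):
    """Return (method, url, version), or None when fewer than three words
    arrive.  A server that sscanf()s "%s %s %s" and never checks the count
    goes on to use uninitialised buffers: the "get" / "QUIT" crash."""
    parts = line.strip().split()
    if len(parts) != 3:
        return None
    return tuple(parts)


def win9x_collapse_dots(path):
    """Model of the Win9x filename rule the traversal relies on: a path
    component made of N >= 2 dots climbs N-1 directories ("..." is two up).
    The drive component is never popped.  Windows NT does not do this."""
    out = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if len(comp) >= 2 and set(comp) == {"."}:
            for _ in range(len(comp) - 1):
                if len(out) > 1:
                    out.pop()
        else:
            out.append(comp)
    return "/".join(out)


def resolve(url):
    """What the suspected pseudocode does: prepend the webroot and let the
    file system interpret whatever dots the client sent."""
    return win9x_collapse_dots(WEBROOT + "/" + url)


def extension_check_naive(url):
    """Assumption: a check satisfied by ".html" anywhere in the request URL.
    It is one behaviour consistent with the observed bypass, since a client
    that inserts ".html/" as a directory component passes it."""
    return ".html" in url


def serve_build1700(request_line):
    """Behaviour the thread reports for Build 1700 (modelled)."""
    req = parse_request_line(request_line)
    if req is None:
        return "crash"                      # GPF in the ICQ client
    _method, url, _version = req
    if not extension_check_naive(url):
        return "403 Forbidden"
    return "200 OK " + resolve(url)


def serve_hardened(request_line):
    """Same server with the missing checks: reject a malformed request
    line, canonicalise before checking containment, and test the extension
    on the resolved file name rather than on the raw URL."""
    req = parse_request_line(request_line)
    if req is None:
        return "400 Bad Request"
    _method, url, _version = req
    path = resolve(url)
    if not (path == WEBROOT or path.startswith(WEBROOT + "/")):
        return "403 Forbidden"
    if not path.lower().endswith(".html"):
        return "403 Forbidden"
    return "200 OK " + path


if __name__ == "__main__":
    for line in ("get",
                 "QUIT\n",
                 "GET /...../a2.html HTTP/1.0",
                 "GET /............./config.sys HTTP/1.0",
                 "GET /.html/............./config.sys HTTP/1.0",
                 "GET /index.html HTTP/1.0"):
        print(repr(line), "->", serve_build1700(line), "|", serve_hardened(line))
```

The two handlers differ in where the decision is taken: the hardened one never looks at the raw URL again once the path has been canonicalised, so the ".html/" component and the dot runs are both gone before the containment and extension tests run.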
  
-------------------------------------------------------------------------------  
  
Date: Sat, 1 May 1999 13:58:41 +0200  
From: Jan Vogelgesang <wj.Vogelgesang@SAARBRUECKEN.NETSURF.DE>  
To: BUGTRAQ@netspace.org  
Subject: Update: security hole in the ICQ-Webserver  
  
Hi,  
some weeks ago I wrote a message about a security hole in the ICQ-webserver (look at  
http://www.geek-girl.com/bugtraq/1999_2/0028.html to read it again). Mirabilis found the bug and fixed it with Build 1701, which  
can be downloaded from http://www.icq.com/download/ . But they didn't put a warning on their webpage or inform the  
ICQ community about the bug. That's bad.  
  
Moreover, the fix leaves a small problem (not really a bug) in the Webserver:  
  
---- description of the security problem in Build 1701 ----  
Problem: When the ICQ-Webserver is enabled (i.e. "Activate Homepage" is checked) everybody can test whether a specific file exists on  
this computer. Although an attacker can't view the contents of the files, he can test, for example, whether a certain application is  
installed on this computer. This knowledge is useful to prepare other attacks, e.g. sending specialized macro viruses or doing  
some specialized D.o.S. attacks.  
Details: Mirabilis fixed the old ICQ-Webserver bug. With the new version (Build 1701), the ICQ-webserver only delivers  
files in the ICQ homepage directory. If an attacker tries to read a file that is not in the homepage directory of ICQ99 (with the  
same method as in the old bug), the ICQ-webserver won't deliver the file. If the file exists at the specified location, the  
attacker receives "403 Forbidden". If the file doesn't exist, he receives "404 Not Found". Thus, he can test whether a  
specific file exists.  
It seems that the ICQ-Webserver first tests whether the requested file exists and then whether the request is secure. I think this order  
should be reversed.  
  
  
Jan Vogelgesang  
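  
Editorial example added to this archive page, not code from the post above and not Mirabilis' code: a Python model of the 403/404 existence oracle described for Build 1701, with the check order as the poster infers it beside the reversed order he proposes. The webroot path, ICQ number and the list of files that "exist" are constructed; plain ".." traversal stands in for the Win9x dot rule, since any way of escaping the webroot produces the same oracle.

```python
# Added editorial example, not code from the post or from Mirabilis.  It
# models the 403/404 existence oracle reported for Build 1701 and the
# reversed check order proposed in the post.  Paths, ICQ number and the
# file list are constructed; ".." stands in for the Win9x dot rule.
import posixpath

WEBROOT = "/ICQ99/Homepage/12345678/personal"   # hypothetical layout

# Constructed stand-in for the disk: these are the only files that "exist".
FILES = {
    WEBROOT + "/index.html",
    "/ICQ99/a2.html",
    "/config.sys",
    "/windows/user.dat",
}


def resolve(url):
    """Prepend the webroot and canonicalise, which the server must do
    before any decision about the path can be trusted."""
    return posixpath.normpath(WEBROOT + "/" + url.lstrip("/"))


def inside_webroot(path):
    return path == WEBROOT or path.startswith(WEBROOT + "/")


def status_build1701(url):
    """Order inferred for Build 1701: existence first, policy second.
    Outside the webroot the answer still depends on whether the file
    exists, so 403 vs 404 tells the attacker what is installed."""
    path = resolve(url)
    if path not in FILES:
        return "404 Not Found"
    if not inside_webroot(path):
        return "403 Forbidden"
    return "200 OK"


def status_reversed(url):
    """Proposed order: decide on policy before touching the disk.  Every
    path outside the webroot gets the same answer, existing or not."""
    path = resolve(url)
    if not inside_webroot(path):
        return "403 Forbidden"
    if path not in FILES:
        return "404 Not Found"
    return "200 OK"


def leaks_existence(handler, existing_url, missing_url):
    """True when the handler answers differently for an existing and a
    missing file that both lie outside the webroot."""
    return handler(existing_url) != handler(missing_url)


if __name__ == "__main__":
    probes = ["../../../../config.sys", "../../../../autoexec.bat",
              "../../../../windows/user.dat", "index.html"]
    for url in probes:
        print(url, "->", status_build1701(url), "|", status_reversed(url))
```

With the policy check first, the only thing an outside probe learns is that the server refuses everything outside the homepage directory; a 404 is then reserved for missing files that the client was allowed to ask for.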
  