AOL ICQ ActiveX DownloadAgent vulnerability

2006-12-15T00:00:00
ID SAINT:977EB607B9BF00FAB4556D3A36A05E83
Type saint
Reporter SAINT Corporation
Modified 2006-12-15T00:00:00

Description

Added: 12/15/2006
CVE: CVE-2006-5650
BID: 20930
OSVDB: 30220

Background

America Online (AOL) ICQ is a widely used program for communicating with other users on the Internet.

Problem

The **ICQPhone.SipxPhoneManager** ActiveX control, which is installed with ICQ, includes a function called **DownloadAgent**, which downloads a file from a specified URL and executes it. This allows attackers to execute arbitrary commands by messaging an ICQ user.

Resolution

AOL issued an update on October 31, 2006, which fixes the vulnerability. The update is applied automatically when a user connects to the ICQ service.

References

<http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0087.html>

Limitations

Exploit works on AOL ICQ 5.1 and requires a user to click on a link to the exploit.

Platforms

Windows