AOL ICQ Vulnerability
Created 1/25/02
CVE 2002-0028
Impact
A remote attacker may be able to execute arbitrary code with
the privileges of the victim user.
Background
ICQ
is a widely used program for communicating with other users
over the Internet. Upon installation of an ICQ client, the user
is asked to register with a server which is used to identify
the client to the ICQ community and to help clients communicate
with one another.
ICQ clients recognize a number of messages which are used by
servers and other clients for communication. One such message,
the Voice Video & Games feature request message, is an invitation
from another ICQ user to participate interactively in a third-party
application.
The Problem
A buffer overflow in the processing of Voice Video & Games
feature request messages by ICQ clients could allow an
attacker to execute arbitary commands. AOL ICQ servers are
now configured to filter out messages which attempt to
exploit this vulnerability. However, exploitation is still
possible using a direct connection from one client to another,
a non-AOL ICQ server, or by impersonating the AOL ICQ server
by DNS spoofing or other means.
AOL Mirabilis ICQ version 2001A and earlier are affected
by this vulnerability, as is version 2001B
if the Voice Video & Games plug-in is installed.
Resolution
Upgrade to
ICQ version 2001B Beta v5.18 Build #3659 or higher. The installer for
this version will delete the vulnerable plug-in.
Where can I read more about this?
This vulnerability was reported in
CERT
Advisory 2002-02.