Document Title:
===============
ICQ v7.5 Software - RTF Denial of Service Vulnerability


References (Source):
====================
Article:	http://www.vulnerability-lab.com/get_content.php?id=236
Download:	http://www.vulnerability-lab.com/resources/videos/235.wmv
View: 		http://www.youtube.com/watch?v=7I1JNUWLeec


Release Date:
=============
2011-07-28


Vulnerability Laboratory ID (VL-ID):
====================================
236


Product & Service Introduction:
===============================
Mit der Chat-Software ICQ 7.5 bleiben Sie mit Ihren Freunden auf der ganzen Welt in Kontakt. 
Die neue Version gibt es exklusiv bei CHIP Online zum Download.
 
Fotostrecke: ICQ 7.5 - Next Generation Messenger Mit dem kostenlosen ICQ lassen sich schnell 
Text-Mitteilungen und Dateien zwischen angemeldeten Nutzern verschicken. Zudem können Sie gegen 
Ihre Freunde in Online-Games antreten, Fotos miteinander austauschen oder coole Animationen auf 
das Chat-Fenster des Gegenüber zaubern. Dank der integrierten Audio- und Video-Chatfunktion können 
Besitzer eines Headsets und/oder einer Webcam mit ICQ kostenlos miteinander telefonieren, auf 
Wunsch sogar samt Live-Bild.

Kompatibel zu sozialen Netzwerken
Neben der reinen Messenger-Funktionen haben Sie mit ICQ direkten Zugriff auf Social-Networks wie 
Facebook (inklusive Facebook Chat), Twitter, YouTube oder Flickr.

So können Sie Ihren ICQ-Status nun automatisch auf Ihrer Facebook- oder Twitter-Seite veröffentlichen 
oder schnell und einfach Bilder und Links austauschen. Umgekehrt sehen Sie im neuen Tab »Feeds from 
Friends« in der ICQ-Kontaktliste auch sämtliche Updates Ihrer Freunde in deren sozialen Netzwerken. 
Neue Postings lassen sich direkt aus ICQ heraus kommentieren.

Neue Funktionen in der Version 7.5
    Verbesserter Audio- & Video-Chat
    Mehr als 80 Moods versetzen ICQ in Stimmung
    Einfacher Zugriff auf Emoticons und -tZers über ICQ-Galerie
    Datenschutzsymbole in der ICQ-Kontaktliste zeigen, welche Kontakte gesperrt sind etc.

(Copy of the Homepage: http://www.chip.de/downloads/ICQ_13004923.html )


Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered a remote Denial of Service Vulnerability on ICQ 7.5 Software Client.


Vulnerability Disclosure Timeline:
==================================
2011-07-29:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A remote denial of service vulnerability is detected on the new ICQ 7.5 Software.
The bug allows an remote attacker to crash a receiver client stable. The bug is 
located on the MUIMessage.dll of the icq client software.

Vulnerable Module(s):
			                        [+] MUIMessage.dll




Pictures:
			../1.png
			../2.png
			../3.png
			../4.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers via user interaction. For demonstration ...

The following file and payload can be used to trigger the described vulnerability (send to victim as file):

--- SNIP ---

sh3ll$ echo "0" > \<iframe src\=\"icq.com\"\ onload\=alert\('0x90'\)\>.rtf

--- SNIP ---

Now, an attacker only needs to send this file to the victim. It will crash the
ICQ client of the victim whenever the attacker cancels the filetransfer.
Afterwards whenever the victim is trying to send a message to the attacker, it
will crash after a few seconds...
So this could be a "Cross-Site Scripting leading to Denial of Service"? :)

For a PoC demonstration see: http://www.youtube.com/watch?v=7I1JNUWLeec



Reports:
				../AppCrash_ICQ.exe_79479165791fdbe792d6fa5afd9dbc43b9dbaf_01510f87
				../AppCrash_ICQ.exe_79479165791fdbe792d6fa5afd9dbc43b9dbaf_02058c26


Solution - Fix & Patch:
=======================
ICQ has to validate input, sanitize output, handle file names and file types
properly.


Security Risk:
==============
The security risk of the remote denial of service vulneability is estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory
Levent Kayan (noptrix) & Benjamin Kunz M. (rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory