Advisory Details

November 6th, 2006

America Online ICQ ActiveX Control Code Execution Vulnerability

ZDI-06-037
ZDI-CAN-102

CVE ID CVE-2006-5650
CVSS SCORE
AFFECTED VENDORS America Online
AFFECTED PRODUCTS ICQ
TIPPINGPOINT™ IPS CUSTOMER PROTECTION TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4725. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of AOL ICQ. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control with the following CLSID:

54BDE6EC-F42F-4500-AC46-905177444300

The vulnerable function takes a single URI argument of a file to download and execute under the context of the running user. A malicious ICQ avatar can be used as an exploitation vector, allowing attackers to exploit this vulnerability by simply messaging a target ICQ user.

VENDOR RESPONSE America Online states:

AOL has issued an update to correct this vulnerability on 10/31/2006. The update is automatically applied once connected to the ICQ service.


DISCLOSURE TIMELINE
  • 2006-09-20 - Vulnerability reported to vendor
  • 2006-11-06 - Coordinated public release of advisory
CREDIT Peter Vreugdenhil
BACK TO ADVISORIES