
Subject: CERT Advisory CA-2002-02 Buffer Overflow in AOL ICQ
From: CERT Advisory
Date: Thu, 24 Jan 2002 14:47:30 -0500 (EST)
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Advisory CA-2002-02 Buffer Overflow in AOL ICQ

   Original release date: January 24, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * AOL Mirabilis ICQ Versions 2001A and prior
     * Voice  Video  &  Games  plugin  installed  with  AOL Mirabilis ICQ
       Versions 2001B Beta v5.18 Build #3659 and prior


   There is a remotely exploitable buffer overflow in ICQ. Attackers that
   are able to exploit the vulnerability may be able to execute arbitrary
   code  with  the  privileges  of  the  victim  user.  Full  details are
   discussed  in  VU#570167.  An exploit is known to exist, but we do not
   believe  it  has been distributed in the wild. We have not seen active
   scanning  for  this vulnerability, nor have we received any reports of
   this vulnerability being exploited.

I. Description

   ICQ is a program for communicating with other users over the Internet.
   ICQ  is  widely used (by over 122 million people according to ICQ Inc,
   an  AOL Time Warner owned subsidiary). A buffer overflow exists in the
   ICQ  client  for  Windows.  The  buffer  overflow  occurs  during  the
   processing  of  a  Voice  Video  & Games feature request message. This
   message is supposed to be a request from another ICQ user inviting the
   victim to participate interactively with a third-party application. In
   versions prior to 2001B, the buffer overflow occurs in code within the
   ICQ  client.  In version 2001B the code containing the buffer overflow
   was moved to an external plug-in.

   Therefore,  all  versions  prior  to  the  latest  build  of 2001B are
   vulnerable. Upon connection to an AOL ICQ server, vulnerable builds of
   the  2001B  client  will  be  instructed  by the server to disable the
   vulnerable plug-in. Since versions of the ICQ client prior to 2001B do
   not  have  an  external  plug-in  to disable, they are vulnerable even
   after  connecting  to  the server. AOL Time Warner is recommending all
   users  of vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build

   During  normal  operation,  ICQ clients can exchange messages with one
   another through the ICQ servers or via a direct connection. The buffer
   overflow  specifically occurs during the processing of the Voice Video
   & Games request via a Type, Length, Value (TLV) tuple with type 0x2711
   from the ICQ server, or via a crafted direct connection request.
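   The  following  is  an  added  illustration, not code from this advisory
   and  not  the  ICQ client's code. It walks a stream of TLVs in the 16-bit
   big-endian  type  /  16-bit  big-endian  length layout that OSCAR uses,
   dispatches  a  type  0x2711  TLV  to  a  handler,  and  places the usual
   unchecked-copy  pattern  (the  length field taken from the wire is trusted
   when  filling  a  fixed-size stack buffer) beside a bounds-checked handler
   that  rejects  oversized  values  and  a  decoder  that rejects TLVs whose
   declared  length  runs  past  the packet. The 64-byte buffer, the handler
   names,  the  treatment  of  the  0x2711  value  as an opaque string, and
   the sample packets are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or from the ICQ client.
 * TLV header layout (16-bit big-endian type, 16-bit big-endian length) is
 * the OSCAR convention; the 64-byte handler buffer and the treatment of the
 * 0x2711 value as an opaque string are assumptions made for illustration. */

#define TLV_VVG_REQUEST 0x2711u   /* TLV type named in the advisory */
#define VVG_BUF_SIZE    64u       /* assumed fixed-size stack buffer in the handler */

struct tlv {
    uint16_t       type;
    uint16_t       len;
    const uint8_t *value;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decodes the TLV at *off and advances *off past it.
 * Returns 1 on success, 0 if the header or the declared value length
 * would run past the end of the packet. */
int tlv_next(const uint8_t *pkt, size_t pktlen, size_t *off, struct tlv *out)
{
    if (*off + 4 > pktlen)
        return 0;
    out->type = be16(pkt + *off);
    out->len  = be16(pkt + *off + 2);
    if (*off + 4 + out->len > pktlen)
        return 0;                       /* length field exceeds the packet */
    out->value = pkt + *off + 4;
    *off += 4 + out->len;
    return 1;
}

/* Vulnerable pattern: the attacker-controlled length field is trusted.
 * A value longer than the buffer is written straight over the stack frame. */
int handle_vvg_vulnerable(const struct tlv *t)
{
    char buf[VVG_BUF_SIZE];
    memcpy(buf, t->value, t->len);      /* overflows when t->len >= VVG_BUF_SIZE */
    buf[t->len] = '\0';
    return (int)strlen(buf);
}

/* Hardened pattern: bound the length against the buffer before copying. */
int handle_vvg_hardened(const struct tlv *t)
{
    char buf[VVG_BUF_SIZE];
    if (t->len >= VVG_BUF_SIZE)
        return -1;                      /* reject rather than truncate silently */
    memcpy(buf, t->value, t->len);
    buf[t->len] = '\0';
    return (int)strlen(buf);
}

/* Walks the TLV stream and passes the first 0x2711 TLV to `handler`.
 * Returns the handler result, -2 if no 0x2711 TLV is present,
 * or -3 if the stream is malformed or truncated. */
int process_packet(const uint8_t *pkt, size_t pktlen,
                   int (*handler)(const struct tlv *))
{
    size_t off = 0;
    struct tlv t;
    while (off < pktlen) {
        if (!tlv_next(pkt, pktlen, &off, &t))
            return -3;
        if (t.type == TLV_VVG_REQUEST)
            return handler(&t);
    }
    return -2;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = {
    0x00, 0x05, 0x00, 0x02, 0xAA, 0xBB,             /* unrelated TLV, skipped */
    0x27, 0x11, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' /* 0x2711 with a 5-byte value */
};
static const uint8_t truncated_pkt[] = {
    0x27, 0x11, 0x00, 0x05, 'h', 'i'                /* claims 5 bytes, carries 2 */
};

/* Builds a lone 0x2711 TLV whose value is n bytes of 'A' (n <= 512) and
 * runs it through the hardened handler; returns -4 if n is out of range. */
int hardened_result_for_value_len(size_t n)
{
    uint8_t pkt[4 + 512];
    if (n > 512)
        return -4;
    pkt[0] = 0x27; pkt[1] = 0x11;
    pkt[2] = (uint8_t)(n >> 8); pkt[3] = (uint8_t)(n & 0xFF);
    memset(pkt + 4, 'A', n);
    return process_packet(pkt, 4 + n, handle_vvg_hardened);
}

int main(void)
{
    printf("benign packet, vulnerable handler: %d\n",
           process_packet(benign_pkt, sizeof benign_pkt, handle_vvg_vulnerable));
    printf("benign packet, hardened handler:   %d\n",
           process_packet(benign_pkt, sizeof benign_pkt, handle_vvg_hardened));
    printf("200-byte value, hardened handler:  %d\n", hardened_result_for_value_len(200));
    printf("truncated TLV:                     %d\n",
           process_packet(truncated_pkt, sizeof truncated_pkt, handle_vvg_hardened));
    /* Deliberately not called: a 200-byte value through handle_vvg_vulnerable
     * would write well past the end of its 64-byte buffer. */
    return 0;
}
```

   Both  handlers  behave  identically  on  a  well-formed  request; they
   diverge  only  when  the  length field is larger than the buffer, which
   is  exactly  the  case a server-side filter cannot catch once the message
   arrives over a direct connection or from a spoofed source.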

   Some  versions  of the ICQ client open port 4000/UDP for client-server
   communication.   Other   versions   open   port   5190/TCP   for  this
   communication.  As with the previously reported AIM vulnerability, AOL
   has  modified  the  ICQ  server  infrastructure  to  filter  malicious
   messages  that  attempt  to  exploit this vulnerability, preventing it
   from  being  exploited  through  an  AOL  ICQ  server.  Exploiting the
   vulnerability   through   other   means   (man-in-the-middle  attacks,
   third-party  ICQ  servers,  DNS  spoofing, network sniffing, etc.) may
   still  be  possible.  Also,  since  UDP  packets can be broadcast on a
   network,  a  malicious TLV packet with a spoofed source IP address may
   be accepted as a legitimate server message.

   The ICQ client also listens on a variably assigned TCP port for direct
   connection  requests.  A  person  who  wishes  to  establish  a direct
   connection  can  query  an ICQ server for the IP address and listening
   port of the victim. Versions 2000A and prior accept direct connections
   from  anyone  by  default.  Later versions of ICQ can be configured to
   accept  direct connections from anyone. Since ICQ requests can be sent
   directly  from  one  client  to  another,  blocking requests through a
   central  server  is not a completely effective solution. The effective
   solution  is  to  apply a patch, when available, that fixes the buffer
   overflow,  or  upgrade  to 2001B Beta v5.18 Build #3659 with the Voice
   Video & Games feature disabled.

   This  vulnerability  has been assigned the identifier CAN-2002-0028 by
   the Common Vulnerabilities and Exposures (CVE) group.

II. Impact

   An  attacker  can  execute  arbitrary  code with the privileges of the
   victim user.

III. Solution

   All  users  should  upgrade  to  version 2001B Beta v5.18 Build #3659.
   There is currently no patch available for the ICQ plug-in for 2001B or
   versions  of  the  ICQ client prior to 2001B. Version 2001B Beta v5.18
   Build  #3659's  installer  will  delete  the  vulnerable  plug-in.  In
   addition,  for  users  who log in to the server with versions of 2001B
   prior to Beta v5.18 Build #3659, access to the vulnerable plug-in will
   be  disabled.  Users  with  versions  prior  to  2001B must upgrade to
   mitigate this vulnerability.

Block ICQ/SMS requests at the firewall

   Blocking  traffic  to  ports  4000/UDP, 5190/TCP, and the TCP port that
   your  client  chooses  to  listen  on  may prevent exploitation of this
   vulnerability.  Note  that  the  client  may
   establish  a  new  listening  port each time it is run. Note also that
   this  does  not  protect you from attacks within the perimeter of your

Block untrusted messages

   ICQ  permits  the  user to deny direct connections from anyone without
   authorization  or  accept direct connections from known peers only. We
   recommend    denying    direct   connections   from   anyone   without
   authorization.  By  accepting direct connections from known peers, you
   may  still be vulnerable to attacks that originate from known peers if
   the peer has been compromised.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their

   AOL Time Warner


   The CERT Coordination Center thanks Daniel Tan and AOL Time Warner for
   their assistance in discovering and analyzing this vulnerability.

   Author: Jason A. Rafail

Appendix B. - References


   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
   January 24, 2002:  Initial release


