Vulnerability Note VU#400780

AOL ICQ Pro fails to properly handle incoming message lengths

Overview

A buffer overflow vulnerability in ICQ may allow a remote attacker to execute arbitrary code or create a denial-of-service condition.

I. Description

ICQ is a instant messaging application that is maintained by AOL.

A buffer overflow vulnerability in ICQ Pro 2003b may allow a remote, unauthenticated attacker to execute arbitrary code or create a denial-of-service condition. By sending a specially crafted message to a vulnerable ICQ client, an attacker can trigger the overflow.

This vulnerability may also be exploited by convincing a user to connect to a malicious server.

II. Impact

A remote, unauthenticated attacker can execute arbitrary code with the privileges of the user who is running ICQ or create a denial-of-service condition.

III. Solution

Upgrade

AOL has addressed this issue in version 5.1 of the ICQ client.

Limit privileges

Running the ICQ client with reduced privileges may help mitigate the effects of this vulnerability. Users with administrator access can run ICQ with reduced privileges by following the instructions in Microsoft knowledgebase article 294676.

Systems Affected

Vendor	Status	Date Notified	Date Updated
America Online, Inc.	Vulnerable	11-Sep-2006

References

http://isc.sans.org/diary.php?n&storyid=1680
http://secunia.com/advisories/21834/
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510

Credit

Thanks to CoreLabs for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2006-09-07
Date First Published:	2006-09-11
Date Last Updated:	2006-09-11
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	9.41
Document Revision:	46

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader