Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 04.09.07: AOL AIM and ICQ File Transfer Path-Traversal Vulnerability



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of iDefense Labs
> Sent: Tuesday, April 10, 2007 1:33 AM
> To: vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory 
> 04.09.07: AOL AIM and ICQ File Transfer Path-Traversal Vulnerability
> 
> AOL AIM and ICQ File Transfer Path-Traversal Vulnerability
> 
> iDefense Security Advisory 04.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Apr 09, 2007
> 
> I. BACKGROUND
> 
> AOL Instant Messenger and ICQ are instant messaging applications that
> allow users to exchange messages and files. More information can be
> found on the vendor's site at the following URLs.
> 
> http://www.aim.com/ or http://www.icq.com/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a path-traversal vulnerability in AOL's AIM and
> ICQ could allow a remote attacker to place arbitrary files on the
> victim's machine during a file transfer operation.
> 
> AIM and ICQ allow users to share and transfer files via a custom
> protocol. During file transfers, the sender is allowed to specify the
> display name of the file, and the filename used for the transfer.
> 
> The recipient can only specify the folder in which to save 
> the file. Due
> to an input validation flaw, the clients do not properly strip "../"
> traversal characters from the filename the attacker supplies. By
> specially encoding the path attackers can force the file to 
> be saved to
> a directory of their choosing when the victim accepts the 
> file transfer.
> 
> III. ANALYSIS
> 
> Exploitation of this vulnerability allows attackers to place 
> arbitrarily
> named files in a directory of their choice when the victim accepts a
> file transfer.
> 
> By default ICQ warns users that file transfers are unsafe and to only
> accept file transfers from trusted users. ICQ also requires 
> that a user
> is on your contact list in order to accept a file transfer. Users must
> manually accept the file transfer in order to be exploited.
> 
> During the file download, the traversal path is displayed in the
> filename portion of the dialog. ICQ will not overwrite existing files
> without prompting the user for confirmation. It is important to note
> that the attacker specifies the display name used in the file accept
> dialog. This file name is arbitrary and need not be the same as the
> actual file being transferred.
> 
> IV. DETECTION
> 
> iDefense has confirmed this vulnerability in ICQ version 5.1. Previous
> versions are suspected vulnerable.
> 
> Additionally, AOL reported that AIM version 5.9 and prior are
> vulnerable.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any effective workaround for this
> issue.
> 
> VI. VENDOR RESPONSE
> 
> AOL has provided the following solutions to address this 
> vulnerability.
> 
> "1. Active ICQ clients have already been patched via an automatic
> update.
> 
> 2. Users of the AIM client 5.9 and earlier are urged to upgrade to the
> latest version of the AIM client from http://www.aim.com/.
> 
> 3. In addition, AIM 5.9 users are also protected by a fix 
> that has been
> applied to the AIM infrastructure."
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) 
> number has not
> been assigned yet.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 02/01/2007  Initial vendor notification
> 02/01/2007  Initial vendor response
> 04/09/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



 




Copyright © Lexa Software, 1996-2009.