CERT Advisory CA-2002-02 Buffer Overflow in AOL ICQ

Original release date: January 24, 2002
Last revised: --

A complete revision history can be found at the end of this file.
Systems Affected

* AOL Mirabilis ICQ Versions 2001A and prior
* Voice Video & Games plugin installed with AOL Mirabilis ICQ
  Versions 2001B Beta v5.18 Build #3659 and prior
Overview

There is a remotely exploitable buffer overflow in ICQ. Attackers that
are able to exploit the vulnerability may be able to execute arbitrary
code with the privileges of the victim user. Full details are
discussed in VU#570167. An exploit is known to exist, but we do not
believe it has been distributed in the wild. We have not seen active
scanning for this vulnerability, nor have we received any reports of
this vulnerability being exploited.
I. Description

ICQ is a program for communicating with other users over the Internet.
ICQ is widely used (by over 122 million people according to ICQ Inc,
an AOL Time Warner owned subsidiary). A buffer overflow exists in the
ICQ client for Windows. The buffer overflow occurs during the
processing of a Voice Video & Games feature request message. This
message is supposed to be a request from another ICQ user inviting the
victim to participate interactively with a third-party application.
In versions prior to 2001B, the buffer overflow occurs in code within the
ICQ client. In version 2001B the code containing the buffer overflow
was moved to an external plug-in.
Currently, all versions prior to the latest build of 2001B are
vulnerable. Upon connection to an AOL ICQ server, vulnerable builds
of the 2001B client will be instructed by the server to disable the
vulnerable plug-in. Since versions of the ICQ client prior to 2001B
do not have an external plug-in to disable, they are vulnerable even
after connecting to the server. AOL Time Warner is recommending that all
users of vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build
#3659.
In normal operation, ICQ clients can exchange messages with one
another through the ICQ servers or via a direct connection. The buffer
overflow specifically occurs during the processing of the Voice Video
& Games request, delivered either as a Type, Length, Value (TLV) tuple of
a particular type from the ICQ server, or via a crafted direct connection
request.
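The TLV processing described above is the general shape of this bug class: a length field read from the network is trusted as the size of a copy into a fixed buffer. The C example below is added here and is not the ICQ client's code or AOL's fix. The wire layout (2-byte type, 2-byte length, big-endian), the 32-byte destination buffer and the sample records are all assumptions constructed for illustration. It places the unchecked copy beside a hardened handler that rejects a record claiming more bytes than actually arrived, and a record whose value would not fit the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout for this example (not the ICQ client's real format):
 * 2-byte type, 2-byte length, both big-endian, followed by `length` bytes. */
#define TLV_HDR_LEN 4
/* Assumed size of the fixed destination buffer the handler fills. */
#define VALUE_BUF   32

enum tlv_status { TLV_OK = 0, TLV_SHORT_HEADER, TLV_TRUNCATED, TLV_TOO_LONG };

struct tlv {
    uint16_t type;
    uint16_t len;
    uint8_t  value[VALUE_BUF];
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the length field from the wire is used directly as the
 * copy size, so any record whose length exceeds VALUE_BUF writes past the end
 * of out->value. Shown for contrast; this file only ever passes it a
 * well-formed record, which is exactly why such code looks correct in testing. */
static void tlv_copy_unchecked(const uint8_t *pkt, struct tlv *out)
{
    out->type = be16(pkt);
    out->len  = be16(pkt + 2);
    memcpy(out->value, pkt + TLV_HDR_LEN, out->len);   /* no bound on len */
}

/* Hardened handler: the declared length is checked against the bytes that
 * actually arrived and against the destination size before any copy. */
static enum tlv_status tlv_copy_checked(const uint8_t *pkt, size_t pkt_len,
                                        struct tlv *out)
{
    if (pkt_len < TLV_HDR_LEN)
        return TLV_SHORT_HEADER;
    uint16_t type = be16(pkt);
    uint16_t len  = be16(pkt + 2);
    if ((size_t)len > pkt_len - TLV_HDR_LEN)
        return TLV_TRUNCATED;       /* claims more bytes than were received */
    if (len > VALUE_BUF)
        return TLV_TOO_LONG;        /* would overflow the fixed buffer */
    out->type = type;
    out->len  = len;
    memcpy(out->value, pkt + TLV_HDR_LEN, len);
    return TLV_OK;
}

/* Constructed sample records for the demonstration (not captured traffic). */
static const uint8_t benign_rec[] = {
    0x00, 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Header claims 0x0100 = 256 value bytes, but only 8 follow. */
static const uint8_t truncated_rec[] = {
    0x00, 0x01, 0x01, 0x00, 1, 2, 3, 4, 5, 6, 7, 8 };

/* Returns the parsed value length for the benign record, or -1 if rejected. */
static int parse_benign(void)
{
    struct tlv t;
    if (tlv_copy_checked(benign_rec, sizeof benign_rec, &t) != TLV_OK)
        return -1;
    if (t.type != 0x0001 || memcmp(t.value, "hello", 5) != 0)
        return -1;
    return t.len;
}

static enum tlv_status parse_truncated(void)
{
    struct tlv t;
    return tlv_copy_checked(truncated_rec, sizeof truncated_rec, &t);
}

/* A record whose 64 value bytes are all present but exceed VALUE_BUF (32):
 * the case the unchecked copy would mishandle. */
static enum tlv_status parse_oversized(void)
{
    uint8_t rec[TLV_HDR_LEN + 64];
    rec[0] = 0x00; rec[1] = 0x01;       /* type 0x0001 */
    rec[2] = 0x00; rec[3] = 64;         /* length 64 */
    memset(rec + TLV_HDR_LEN, 'A', 64);
    struct tlv t;
    return tlv_copy_checked(rec, sizeof rec, &t);
}

int main(void)
{
    struct tlv t;
    tlv_copy_unchecked(benign_rec, &t);  /* safe only because the record is well formed */
    printf("unchecked on benign record: type=%u len=%u\n", t.type, t.len);
    printf("checked benign:    len=%d\n", parse_benign());
    printf("checked truncated: status=%d\n", (int)parse_truncated());
    printf("checked oversized: status=%d\n", (int)parse_oversized());
    return 0;
}
```

The two checks in the hardened handler address different failure modes: the first stops the parser reading beyond the datagram it was handed, the second stops it writing beyond the buffer it owns. Server-side filtering, as the advisory notes, only helps for messages that pass through the server; a client-side bound is what protects the direct-connection path as well.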
Some versions of the ICQ client open port 4000/UDP for client-server
communication. Other versions open port 5190/TCP for this
communication. As with the previously reported AIM vulnerability, AOL
has modified the ICQ server infrastructure to filter malicious
messages that attempt to exploit this vulnerability, preventing it
from being exploited through an AOL ICQ server. Exploiting the
vulnerability through other means (man-in-the-middle attacks,
third-party ICQ servers, DNS spoofing, network sniffing, etc.) may
still be possible. Also, since UDP packets can be broadcast on a
network, a malicious TLV packet with a spoofed source IP address may
be accepted as a legitimate server message.
The ICQ client also listens on a variably assigned TCP port for direct
connection requests. A person who wishes to establish a direct
connection can query an ICQ server for the IP address and listening
port of the victim. Versions 2000A and prior accept direct connections
from anyone by default. Later versions of ICQ can be configured to
accept direct connections from anyone. Since ICQ requests can be sent
directly from one client to another, blocking requests through a
central server is not a completely effective solution. The effective
solution is to apply a patch, when available, that fixes the buffer
overflow, or to upgrade to 2001B Beta v5.18 Build #3659 with the Voice
Video & Games feature disabled.
This vulnerability has been assigned the identifier CAN-2002-0028 by
the Common Vulnerabilities and Exposures (CVE) group.
II. Impact

Attackers can execute arbitrary code with the privileges of the
victim user.
III. Solution

Upgrade to the latest version

Users should upgrade to version 2001B Beta v5.18 Build #3659.
There is currently no patch available for the ICQ plug-in for 2001B or
for versions of the ICQ client prior to 2001B. Version 2001B Beta v5.18
Build #3659's installer will delete the vulnerable plug-in. In
addition, for users who log in to the server with versions of 2001B
prior to Beta v5.18 Build #3659, access to the vulnerable plug-in will
be disabled. Users with versions prior to 2001B must upgrade to
mitigate this vulnerability.
Block ICQ requests at the firewall

Blocking connections to login.icq.com and access to ports 4000/UDP,
5190/TCP and the TCP port that your client chooses to listen on may
prevent exploitation of this vulnerability. Note that the client may
establish a new listening port each time it is run. Note also that
this does not protect you from attacks within the perimeter of your
firewall.
Deny direct connections

ICQ allows the user to deny direct connections from anyone without
authorization, or to accept direct connections from known peers only. We
recommend denying direct connections from anyone without
authorization. By accepting direct connections from known peers, you
may still be vulnerable to attacks that originate from known peers if
the peer has been compromised.
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
a particular vendor is not listed below, we have not received their
comments.

The CERT Coordination Center thanks Daniel Tan and AOL Time Warner for
their assistance in discovering and analyzing this vulnerability.
Author: Jason A. Rafail
Appendix B. - References

This document is available from:
CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from our web site.

If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information

CERT publications and other security information are available from
our web site.

To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include the subscription request
in the body of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied, as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.
Revision History

January 24, 2002: Initial release