Mirabilis ICQ Pro Vulnerabilities: POP3 Format String, Overflows, and RCE (CAN-2003-0235 to 0240)

Key Information Summary Vulnerability Overview Vulnerability ID: CORE-2003-0303 Affected Products: Mirabilis ICQ Pro 2003a client and earlier versions Release Date: 2003-05-05 Last Updated: 2003-05-02 Vulnerability Details Description: The Mirabilis ICQ client contains multiple security vulnerabilities that may enable both remote and local exploitation: Remotely Exploitable: Yes Locally Exploitable: Yes Vulnerability List 1. POP3 Client UIDL Field Format String Attack - CVE: CAN-2003-0235 - Impact: May lead to remote execution of arbitrary commands - Description: Format string vulnerability in the POP3 client when processing UIDL command responses 2. POP3 Client "Subject" Field Signed Overflow - CVE: CAN-2003-0236 - Impact: May lead to remote execution of arbitrary commands - Description: 16-bit signed overflow vulnerability in the POP3 client when processing the email header "Subject" field 3. POP3 Client "Date" Field Signed Overflow - CVE: CAN-2003-0237 - Impact: May lead to remote execution of arbitrary commands - Description: 16-bit signed overflow vulnerability in the POP3 client when processing the email header "Date" field 4. ICQ On-Demand Service Spoofing Attack - CVE: CAN-2003-0238 - Impact: May lead to malware installation and arbitrary command execution - Description: Security flaw in the client's service update mechanism due to hardcoded information and lack of authentication 5. Message Advertisement Denial of Service Attack - CVE: CAN-2003-0239 - Impact: Message window freeze and CPU usage reaching 100% - Description: Sending malformed HTML advertisements causes client crash 6. ICQ GIF Parser Input Validation Error - CVE: CAN-2003-0240 - Impact: Denial of service - Description: Logical error when processing GIF89a image headers leads to parsing failure Disclosure and Acknowledgments Discoverers: Lucas Lavarello, Daniel Benmergui, Norberto Kueffner, Fernando Russ Disclosure Project: Bugweek 2003 (March 3–7, 2003) Vendor Contact: Mirabilis was notified multiple times but did not respond Additional Information Vulnerability URL: http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 Disclosure Mode: User-submitted

Goal Reached Thanks to every supporter — we hit 100%!

Mirabilis ICQ Pro Vulnerabilities: POP3 Format String, Overflows, and RCE (CAN-2003-0235 to 0240)