+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
07/28/2011

Vendor:
-------
ICQ - http://www.icq.com/

Affected Software:
------------------
Software: ICQ
Version: <= 7.5

Affected Platforms:
-------------------
Windows (XP, Vista, 7)

Vulnerability Class:
--------------------
Remote Denial of Service - MUIMessage.dll

Description:
------------
ICQ suffers from a remote Denial of Service vulnerability due to a lack of input
validation, output sanitization, wrong filetype and filename handling over file
transfers.

Proof of Concept:
-----------------
The following file and payload can be used to trigger the described
vulnerability (send to victim as file):

--- SNIP ---

sh3ll$ echo "0" > \<iframe src\=\"icq.com\"\ onload\=alert\('0x90'\)\>.rtf

--- SNIP ---

Now, an attacker only needs to send this file to the victim. It will crash the
ICQ client of the victim whenever the attacker cancels the filetransfer.
Afterwards whenever the victim is trying to send a message to the attacker, it
will crash after a few seconds...
So this could be a "Cross-Site Scripting leading to Denial of Service"? :)

For a PoC demonstration see:
    - http://www.youtube.com/watch?v=7I1JNUWLeec

Impact:
-------
An attacker could trivially crash ICQ clients of remote users without victim
interaction.

Threat Level:
-------------
Medium

Solution:
---------
ICQ has to validate input, sanitize output, handle file names and file types
properly.