AOL ICQ ActiveX DownloadAgent vulnerability

Added: 12/15/2006
CVE: CVE-2006-5650
BID: 20930
OSVDB: 30220

Background

America Online (AOL) ICQ is a widely used program for communicating with other users on the Internet.

Problem

The ICQPhone.SipxPhoneManager ActiveX control, which is installed with ICQ, includes a function called DownloadAgent which downloads a file from a specified URL and executes it. This allows attackers to execute arbitrary commands by messaging an ICQ user.

Resolution

AOL issued an update on October 31, 2006 which fixes the vulnerability. The update is automatically applied when a user connects to the ICQ service.
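
The following host check is an added example, not part of the original advisory or of AOL's update. It reports whether the ICQPhone.SipxPhoneManager ProgID is still registered and whether Internet Explorer's kill bit (Compatibility Flags 0x400) is set for its CLSID. It assumes a machine-wide (HKLM) registration and PowerShell 3.0 or later; the function name Get-ActiveXExposure is hypothetical, and the CLSID is read from the registry rather than supplied here.

```powershell
# Added example. The ProgID is the one named in the advisory; the CLSID and
# server path are read from the local registry at run time. Assumes a
# machine-wide (HKLM) registration; per-user (HKCU) registrations are not checked.
$ProgId = 'ICQPhone.SipxPhoneManager'

function Get-ActiveXExposure {
    param([Parameter(Mandatory)][string]$ProgId)
    $killBit = 0x400   # Compatibility Flags bit that stops IE from loading a control
    # Check both registry views so a 32-bit control on 64-bit Windows is not missed.
    foreach ($view in 'Registry32', 'Registry64') {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $r = [ordered]@{ View = $view; Registered = $false; Clsid = $null
                             Server = $null; FileVersion = $null; KillBitSet = $false }
            $clsidKey = $hklm.OpenSubKey("SOFTWARE\Classes\$ProgId\CLSID")
            if ($clsidKey) {
                $r.Registered = $true
                $r.Clsid = [string]$clsidKey.GetValue('')
            }
            if ($r.Clsid) {
                # Locate the in-process server that implements the control.
                $srv = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$($r.Clsid)\InprocServer32")
                if ($srv) {
                    $path = [string]$srv.GetValue('')
                    $r.Server = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
                    if ($r.Server -and (Test-Path -LiteralPath $r.Server)) {
                        $r.FileVersion = (Get-Item -LiteralPath $r.Server).VersionInfo.FileVersion
                    }
                }
                # Kill bit: IE refuses to instantiate the control when 0x400 is set.
                $compat = $hklm.OpenSubKey(
                    "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($r.Clsid)")
                if ($compat) {
                    $flags = [int]$compat.GetValue('Compatibility Flags', 0)
                    $r.KillBitSet = (($flags -band $killBit) -ne 0)
                }
            }
            [pscustomobject]$r
        } finally {
            $hklm.Dispose()
        }
    }
}

Get-ActiveXExposure -ProgId $ProgId | Format-Table -AutoSize
```

A row with Registered = True and KillBitSet = False means Internet Explorer can still instantiate the control on that host; the FileVersion column shows which build of the control is installed.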

References

http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0087.html

Limitations

The exploit works on AOL ICQ 5.1 and requires the user to click on a link to the exploit.

Platforms

Windows
