[ http://www.rootshell.com/ ]

From zallison@rice.edu Thu Aug 13 22:34:42 1998
Date: Thu, 13 Aug 1998 23:25:49 -0300
From: zack <zallison@rice.edu>
To: kit@rootshell.com
Subject: Major ICQ security hole.

Greetings...

I code a Linux ICQ clone, and one of my users mistyped his password
and was allowed into his account anyway. After further investigating,
this is what I found.

* It is possible to log in to the ICQ servers as ANYONE without having
to know their password. This leads to all sorts of compromises. This
is *not* simply spoofing.

How it works:

The Mirabilis server uses a password of 8 chars. Their clients do the
range checking and only send in passwords of 8 or fewer chars. The Linux
clones, mine in particular, don't do this.

* When a password of 9 or more characters is sent, their buffer is
over-run, and it allows you to log in.


The exploit:

Download any ICQ clone (example: http://hookah.ml.org/zicq)

Set the UIN to be the target's UIN
Set the password to "123456789" <-- Just large enough to overflow

Start the ICQ program. If all goes well, it will log in and connect as
that user. Any waiting (offline) messages will be delivered to you.
You can now send _and_ receive messages and URLs as the client allows.

Notes:

This is NOT spoofing; you are actually logged in as the selected UIN.
Unlike spoofing, you can receive messages as well.

All UINs will work, as long as someone is not already logged in with
that UIN.

Mirabilis / AOL really needs to fix this problem.

Zack
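The post's root cause is a server trusting the client to do its range checking. The following is an added example from a defender's side and is not code from the post, from zicq, or from Mirabilis/ICQ: the packet layout, the UIN and the passwords are constructed assumptions, and the point is that the declared password length is validated against the 8-character limit before anything is copied into the fixed buffer.

```c
#include <stdint.h>
#include <string.h>

#define PW_MAX 8   /* the 8-character limit the post says the server uses */

/* Hypothetical login packet: 4-byte little-endian UIN, 1-byte password
 * length, then the password bytes. Not the real ICQ wire format. */
struct login_req {
    uint32_t uin;
    char password[PW_MAX + 1];   /* fixed buffer, NUL-terminated after parsing */
    size_t password_len;
};
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_PW_EMPTY, PARSE_PW_TOO_LONG };

/* Server-side parse: the declared length is checked against PW_MAX and the
 * packet size before any byte reaches the fixed buffer, so the server never
 * depends on the client having done its own range checking. */
enum parse_status parse_login(const uint8_t *pkt, size_t len, struct login_req *out) {
    memset(out, 0, sizeof *out);
    if (len < 5) return PARSE_TRUNCATED;
    size_t pwlen = pkt[4];
    if (pwlen == 0) return PARSE_PW_EMPTY;
    if (pwlen > PW_MAX) return PARSE_PW_TOO_LONG;   /* "123456789" stops here */
    if (len < 5 + pwlen) return PARSE_TRUNCATED;
    out->uin = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
               (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    memcpy(out->password, pkt + 5, pwlen);            /* bounded: pwlen <= PW_MAX */
    out->password_len = pwlen;
    return PARSE_OK;
}

/* Builds a constructed sample packet; returns its length, or 0 if it won't fit. */
size_t build_login(uint8_t *buf, size_t cap, uint32_t uin, const char *pw) {
    size_t pwlen = strlen(pw);
    if (pwlen > 255 || cap < 5 + pwlen) return 0;
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(uin >> (8 * i));
    buf[4] = (uint8_t)pwlen;
    memcpy(buf + 5, pw, pwlen);
    return 5 + pwlen;
}

/* Build and parse one login attempt as a client would send it; returns the status. */
enum parse_status login_status(uint32_t uin, const char *pw, struct login_req *out) {
    uint8_t buf[5 + 255];
    return parse_login(buf, build_login(buf, sizeof buf, uin, pw), out);
}
```

With this check in place, a clone that skips its own range checking only gets PARSE_PW_TOO_LONG back, and the 9-character password never reaches the 8-byte buffer.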