just got this news from rootshell, i haven't seen it on bugtraq, so i
forward it... btw this one is serious...

--- Forwarded Message ---

>Delivered-To: announce-outgoingat_private
>Date: 14 Aug 1998 05:48:06 -0000
>Cc: recipient list not shown: ;
>From: announce-outgoingat_private
>X-Mailer: Rootshell 1.0
>Subject: [rootshell] Security Bulletin #22
>
>
>www.rootshell.com
>Security Bulletin #22
>August 13th, 1998
>
>[ http://www.rootshell.com/ ]
>
>----------------------------------------------------------------------
>
>To unsubscribe from this mailing list send e-mail to majordomoat_private
>with "unsubscribe announce" in the BODY of the message.
>
>Send submissions to infoat_private Messages sent will not be sent to
>other members on this list unless it is featured in a security bulletin.
>
>An archive of this list is available at :
>http://www.rootshell.com/mailinglist-archive
>
>----------------------------------------------------------------------
>
>01. ICQ Password Verification Bug
>---------------------------------
>
>It appears that ICQ has yet another bug. This was just sent in from one of
>our users. This bug has been confirmed by Rootshell.
>
>>From zallisonat_private Thu Aug 13 22:34:42 1998
>Date: Thu, 13 Aug 1998 23:25:49 -0300
>From: zack <zallisonat_private>
>To: kitat_private
>Subject: Major ICQ security hole.
>
>Greetings...
>
>I code a Linux ICQ clone, and one of my users mistyped his
>password and was allowed into his account anyway. After further
>investigating, this is what I found.
>
>* It is possible to log in to the ICQ servers as ANYONE without having
>to know their password. This leads to all sorts of compromises. This
>is *not* simply spoofing.
>
>How it works:
>
>The mirabilis server uses a password of 8 chars. Their clients do the
>range checking and only send in passwords of 8 or less chars. The Linux
>clones, mine in particular, don't do this.
>
>* When a password of 9 or more characters is sent, their buffer is
>over-run, and it allows you to log in.
>
>
>The exploit:
>
>Download any ICQ clone (example: http://hookah.ml.org/zicq)
>
>Set the UIN to be the target's UIN
>Set the password to "123456789" <-- Just large enough to overflow
>
>Start the ICQ program. If all goes well, it will log in and connect, as
>that user. Any waiting (offline) messages will be delivered to you.
>You can now send _and_ receive messages and URLS as the client allows.
>
>Notes:
>
>This is NOT spoofing, you are actually logged in as the selected UIN.
>Unlike spoofing you can receive messages as well.
>
>All UINS will work, as long as someone is not already logged in with
>that UIN.
>
>Mirabilis / AOL really needs to fix this problem.
>
>Zack
>
>----------------------------------------------------------------------

--- End of Forwarded Message ---

DeadSock <deadsockat_private>
http://members.xoom.com/deadsock/
Key ID 0xD8940389
Fingerprint 74C4 E0AE BBFE 0601 E13F 2ADC 5085 5B48 D894 0389
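
An added illustration, not part of the forwarded bulletin and not Mirabilis code: a server-side check for a fixed 8-byte password field that rejects over-length input instead of relying on the client's range check. The function names, result codes and the sample account are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 8 /* server-side password limit, per the bulletin */

enum login_result { LOGIN_OK, LOGIN_MALFORMED, LOGIN_BAD_PASSWORD };

/* Constructed sample account: stored password, NUL-padded to PW_MAX. */
static const unsigned char SAMPLE_STORED[PW_MAX] =
    {'1', '2', '3', '4', '5', '6', '7', '8'};

/* Compare two fixed-size fields without an early exit on mismatch. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* field/field_len: password bytes exactly as received, length untrusted. */
enum login_result check_password(const unsigned char *field, size_t field_len,
                                 const unsigned char stored[PW_MAX])
{
    unsigned char candidate[PW_MAX] = {0};

    /* The limit is enforced here, on the server: a client-side range check
       is not a control, because any client can send a longer field.
       Over-length input is rejected, never truncated to fit. */
    if (field == NULL || field_len == 0 || field_len > PW_MAX)
        return LOGIN_MALFORMED;
    if (memchr(field, 0, field_len) != NULL) /* no embedded NULs */
        return LOGIN_MALFORMED;

    memcpy(candidate, field, field_len); /* bounded by the check above */
    return ct_equal(candidate, stored, PW_MAX) ? LOGIN_OK : LOGIN_BAD_PASSWORD;
}

int main(void)
{
    /* 8 bytes: accepted. 9 bytes (the bulletin's example length): rejected. */
    printf("8 bytes -> %d\n",
           check_password((const unsigned char *)"12345678", 8, SAMPLE_STORED));
    printf("9 bytes -> %d\n",
           check_password((const unsigned char *)"123456789", 9, SAMPLE_STORED));
    return 0;
}
```

Rejecting rather than truncating matters here: silently cutting a 9-byte field to 8 bytes would make "123456789" match an account whose password is "12345678".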