There is a problem in Mirabilis' ICQ (ICQ 98beta) on Windows NT 4.0 where internal IP address information is given out in the TCP payload thus giving other ICQ users possibly sensitive information. Here is an example: HOST A is running Windows NT 4.0. It has an Ethernet NIC with IP address 10.20.20.60 and also has a modem. The user at HOST A dials his ISP and a dynamic IP address is assigned to the modem : 195.195.195.195. The user at HOST A strikes up an ICQ conversation with the user at HOST B running Windows 98. HOST B has a NIC with an IP address of 10.50.50.90 and a modem that has the IP address 198.198.198.198. A TCP virtual circuit has been set up between 195.195.195.195 and 198.198.198.198 over which the converstation takes place. An ICQ created packet will put the IP address of the sending machine at the end of the TCP data - twice. In Windows 98 this is that of the IP address of the modem (198198198198198198198198) In Windows NT however, the TCP data will contain the IP address assigned to the modem followed by the IP address of the Network Interface Card. What's more, if the NT box has a direct connection to the Internet via a firewall performing Network Address Translation, instead of via a dialup, this problem still occurs and it is possible using a network sniffer to get the IP address and therefore a good indication of the network addressing scheme used on the internal side. L8r, David Litchfield
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:57 PDT