[rootshell] Security Bulletin #22


Date: 14 Aug 1998 05:48:06 -0000
From: [email protected]
Subject: [rootshell] Security Bulletin #22
Cc: recipient list not shown: ;


www.rootshell.com
Security Bulletin #22
August 13th, 1998

[ http://www.rootshell.com/ ]

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to [email protected]
with "unsubscribe announce" in the BODY of the message.

Send submissions to [email protected].  Messages sent will not be sent to
other members on this list unless they are featured in a security bulletin.

An archive of this list is available at:
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------

01. ICQ Password Verification Bug
---------------------------------

It appears that ICQ has yet another bug.  This was just sent in from one of
our users.  This bug has been confirmed by Rootshell.

>From [email protected] Thu Aug 13 22:34:42 1998
Date: Thu, 13 Aug 1998 23:25:49 -0300
From: zack <[email protected]>
To: [email protected]
Subject: Major ICQ security hole.

Greetings...

I code a Linux ICQ clone, and one of my users mistyped his
password and was allowed into his account anyway.  After further
investigating, this is what I found.

* It is possible to log in to the ICQ servers as ANYONE without having
to know their password.  This leads to all sorts of compromises.  This
is *not* simply spoofing.

How it works:

The Mirabilis server uses a password of 8 chars.  Their clients do the
range checking and only send in passwords of 8 or fewer chars.  The Linux
clones, mine in particular, don't do this.

* When a password of 9 or more characters is sent, their buffer is
over-run, and it allows you to log in.


The exploit:

Download any ICQ clone (example: http://hookah.ml.org/zicq)

Set the UIN to be the target's UIN
Set the password to "123456789" <-- Just large enough to overflow

Start the ICQ program.  If all goes well, it will log in and connect as
that user.  Any waiting (offline) messages will be delivered to you.
You can now send _and_ receive messages and URLs as the client allows.

Notes:

This is NOT spoofing, you are actually logged in as the selected UIN.
Unlike spoofing you can receive messages as well.

All UINs will work, as long as someone is not already logged in with
that UIN.

Mirabilis / AOL really needs to fix this problem.

Zack
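
The report above comes down to a length limit enforced only by the client. The following is an added example, not part of the original bulletin and not Mirabilis code, of a server-side login check that validates the attacker-controlled length before copying anything. The names check_login, struct account and the LOGIN_* values are hypothetical, and plaintext password storage is assumed only for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 8 /* password limit stated in the post */
/* Hypothetical account record (constructed; not the real server's layout).
 * Plaintext storage is assumed only to keep the length check in focus. */
struct account {
    unsigned long uin;
    char password[PW_MAX + 1]; /* NUL-terminated, at most PW_MAX chars */
};

enum login_result { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_MALFORMED };

/* Compare two n-byte buffers without an early exit on the first mismatch. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* pw and pw_len come from the login packet and are untrusted: the server
 * cannot assume that the client already limited the length. */
enum login_result check_login(const struct account *acct,
                              const char *pw, size_t pw_len)
{
    unsigned char supplied[PW_MAX] = {0};
    unsigned char stored[PW_MAX] = {0};
    const char *nul;
    size_t stored_len;

    /* Reject out-of-range lengths before any byte is copied. */
    if (acct == NULL || pw == NULL || pw_len == 0 || pw_len > PW_MAX)
        return LOGIN_MALFORMED;

    /* A stored record with no terminator is treated as corrupt. */
    nul = memchr(acct->password, '\0', sizeof acct->password);
    if (nul == NULL)
        return LOGIN_MALFORMED;
    stored_len = (size_t)(nul - acct->password);

    memcpy(supplied, pw, pw_len);               /* pw_len <= PW_MAX */
    memcpy(stored, acct->password, stored_len); /* stored_len <= PW_MAX */
    if (ct_equal(supplied, stored, PW_MAX) && pw_len == stored_len)
        return LOGIN_OK;
    return LOGIN_BAD_PASSWORD;
}
```

An over-long password is refused as malformed rather than truncated or copied, so a 9-character input never reaches the comparison.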

----------------------------------------------------------------------
