[10031] in bugtraq
icq DOS / possible "stupid user" vulnerability.
daemon@ATHENA.MIT.EDU (Ronald A. Jarrell)
Mon Mar 29 15:41:46 1999
Date: Mon, 29 Mar 1999 01:07:18 -0500
Reply-To: "Ronald A. Jarrell" <jarrell@VTSERF.CC.VT.EDU>
From: "Ronald A. Jarrell" <jarrell@VTSERF.CC.VT.EDU>
To: BUGTRAQ@NETSPACE.ORG
Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13
client (which I believe is the first publicly distributed one of the
99 family), I turned on the "Activate my home page" feature, and turned
my laptop into a web server...
Complete with a file server that allows by default anything in the
"program files\icq\homepage\root\YOUR#\files" folder to be requested.
Even set up a guest book, chat service, etc...
After getting over being astonished (yea, they said "turning this on
might increase people's access to your machine, and tell them your
ip address" - of course it will. You're setting up a bloody web server
you idiots. A bad one at that.) I naturally started doing some poking.
Telnet to your port 80, and enter some non http gibberish. I tried
"quit<cr>" for grins. Blam. Down goes the ICQ client with a GPF.
Got someone else to turn theirs on, and sure enough, managed to shoot
him down too.
I warned Mirabilis about it. Folks at institutions that worry about
such things, but let their employees run ICQ might want to be aware
that said employees might well be running web servers now and not
even know it. On your ICQ contact list, if they're on it, said
users show up with a little house next to their name.
--
Ron Jarrell
VA Tech Computing Center
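
Added example, not part of the original post and not Mirabilis code: the post reports that non-HTTP input such as "quit" brought down the client's built-in web server, and this C function shows a request-line parser that rejects that input with a status code instead. The function name, the 1024-byte line cap and the GET-only policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024  /* assumed cap on request-line length */

/* Validate "METHOD SP target SP HTTP/1.x" and copy the target to path_out.
 * Returns an HTTP status code: 200 on success, 400/414/501 on rejection.
 * Never reads past buf[len-1] and never assumes the input is text. */
int parse_request_line(const char *buf, size_t len, char *path_out, size_t path_cap)
{
    size_t scan = len < MAX_LINE ? len : MAX_LINE;
    const char *eol = scan ? memchr(buf, '\n', scan) : NULL;
    if (eol == NULL)
        return 400;                      /* no line terminator in bounds */
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--;                             /* accept CRLF or bare LF */

    const char *sp1 = memchr(buf, ' ', n);
    if (sp1 == NULL)
        return 400;                      /* "quit" is rejected here */
    const char *target = sp1 + 1;
    const char *sp2 = memchr(target, ' ', n - (size_t)(target - buf));
    if (sp2 == NULL)
        return 400;
    const char *ver = sp2 + 1;
    size_t mlen = (size_t)(sp1 - buf), tlen = (size_t)(sp2 - target);
    size_t vlen = n - (size_t)(ver - buf);

    if (vlen != 8 || memcmp(ver, "HTTP/1.", 7) != 0 || (ver[7] != '0' && ver[7] != '1'))
        return 400;
    if (tlen == 0 || target[0] != '/')
        return 400;
    for (size_t i = 0; i < tlen; i++)
        if ((unsigned char)target[i] < 0x21 || target[i] == 0x7f)
            return 400;                  /* control bytes in the target */
    if (tlen >= path_cap)
        return 414;                      /* would not fit the caller's buffer */
    if (!(mlen == 3 && memcmp(buf, "GET", 3) == 0))
        return 501;                      /* only GET is served in this example */
    memcpy(path_out, target, tlen);
    path_out[tlen] = '\0';
    return 200;
}

int main(void)
{
    const char *samples[] = { "quit\r\n", "GET /files/a.txt HTTP/1.0\r\n" }; /* constructed */
    char path[256];
    for (int i = 0; i < 2; i++)
        printf("%d\n", parse_request_line(samples[i], strlen(samples[i]), path, sizeof path));
    return 0;
}
```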