[10048] in bugtraq


Re: icq DOS / possible "stupid user" vulnerability.

daemon@ATHENA.MIT.EDU (fvw)
Tue Mar 30 23:27:46 1999

Date: 	Mon, 29 Mar 1999 19:47:19 +0200
Reply-To: fvw <fvw@CHELLO.NL>
From: fvw <fvw@CHELLO.NL>
To: BUGTRAQ@NETSPACE.ORG

Even doing an HTTP "GET ......." (with a lot more periods) will crash the
icq 'webserver'.

Mind you, ICQ has always had a high "DOSability factor".

On Mon, 29 Mar 1999, Ronald A. Jarrell wrote:
> Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13
> client (which I believe is the first publicly distributed one of the
> 99 family), I turned on the "Activate my home page" feature, and turned
> my laptop into a web server...
>
> Complete with a file server that allows by default anything in the
> "program files\icq\homepage\root\YOUR#\files" folder to be requested.
> Even set up a guest book, chat service, etc...
>
> After getting over being astonished (yea, they said "turning this on
> might increase people's access to your machine, and tell them your
> ip address" - of course it will.  You're setting up a bloody web server
> you idiots.  A bad one at that.) I naturally started doing some poking.
>
> Telnet to your port 80, and enter some non http gibberish.  I tried
> "quit<cr>" for grins.  Blam.  Down goes the ICQ client with a GPF.
> Got someone else to turn theirs on, and sure enough, managed to shoot
> him down too.
>
> I warned Mirabilis about it.  Folks at institutions that worry about
> such things, but let their employees run ICQ might want to be aware
> that said employees might well be running web servers now and not
> even know it.  On your ICQ contact list, if they're on it, said
> users show up with a little house next to their name.
>
> --
> Ron Jarrell
> VA Tech Computing Center
--

			Frank v Waveren
			fvw@chello.nl
			ICQ# 10074100
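
Added example, not part of the original posts and not Mirabilis code: a request-line check in C that answers both inputs reported in this thread ("quit" and "GET" followed by a run of periods) with an error status instead of faulting. The thread does not state the root cause of the crash; the function name, the limits and the status mapping are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Limits and status mapping are assumptions for this example. */
#define MAX_LINE 2048
enum { REQ_OK = 200, REQ_BAD = 400, REQ_TOO_LONG = 414, REQ_NOT_IMPL = 501 };

/* Check one request line: "GET SP /target [SP HTTP/d.d]".
 * buf holds len received bytes and need not be NUL-terminated.
 * On REQ_OK the target is copied, NUL-terminated, into out[outsz]. */
int parse_request_line(const char *buf, size_t len, char *out, size_t outsz)
{
    if (buf == NULL || out == NULL || outsz == 0) return REQ_BAD;
    if (len > MAX_LINE) return REQ_TOO_LONG;       /* bound before parsing */
    while (len > 0 && (buf[len - 1] == '\r' || buf[len - 1] == '\n'))
        len--;                                     /* drop line terminator */
    for (size_t i = 0; i < len; i++) {             /* no control bytes or NUL */
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c == 0x7f) return REQ_BAD;
    }
    const char *sp1 = len ? memchr(buf, ' ', len) : NULL;
    if (sp1 == NULL) return REQ_BAD;               /* e.g. "quit": no target */
    size_t mlen = (size_t)(sp1 - buf);
    const char *target = sp1 + 1;
    size_t rest = len - mlen - 1;
    const char *sp2 = rest ? memchr(target, ' ', rest) : NULL;
    size_t tlen = sp2 ? (size_t)(sp2 - target) : rest;

    if (sp2 != NULL) {                             /* version, if present */
        const char *v = sp2 + 1;
        size_t vlen = rest - tlen - 1;
        if (vlen != 8 || memcmp(v, "HTTP/", 5) != 0 || v[6] != '.' ||
            v[5] < '0' || v[5] > '9' || v[7] < '0' || v[7] > '9')
            return REQ_BAD;
    }
    if (mlen != 3 || memcmp(buf, "GET", 3) != 0) return REQ_NOT_IMPL;
    if (tlen == 0 || target[0] != '/') return REQ_BAD;  /* "GET ......." */
    if (tlen >= outsz) return REQ_TOO_LONG;        /* never overrun out */
    memcpy(out, target, tlen);
    out[tlen] = '\0';
    return REQ_OK;
}
```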
