[13386] in bugtraq
Re: ICQ Buffer Overflow Exploit
daemon@ATHENA.MIT.EDU (Thomas Maschutznig)
Mon Jan 17 17:47:50 2000
Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <4.2.2.20000115173113.00a2da00@pop.gmx.net>
Date: Sat, 15 Jan 2000 17:44:09 +0100
Reply-To: Thomas Maschutznig <hnt@GMX.AT>
From: Thomas Maschutznig <hnt@GMX.AT>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Can (more or less) verify that overflow...
I am running ICQ 99beta 3.1.9 build #2596 and tried to send some MESSAGES
(no, NOT URL)
It seemed that only the messagebox would let you send larger stuff
Couldnt paste a lot into the URL-box
So, with messages...
entered http://www.alotofstuffhere......
I clicked it myself (yep, while entering) and Netscape opened up and ICQ
said byebyes :)
Could reproduce that 4 times in 4 tries
Now, with sending it to other people...
Somehow you cant send normal messages with more than 450 characters or whatever
but if you start with http://www... ICQ doesnt seem to check it and
messages with 2000 characters were no problem.
Gonna try _sending_ messages (and recieve) later when someone appears to be
online on my list :P
Peace out,
T
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOICVyrCVPCJvWxfLEQLGegCg+4c++1bQIDzeqTHw+X+7v1sUoLQAmwZ0
1ImsKN/HsO+Fe1rteybF+aXZ
=+pSv
-----END PGP SIGNATURE-----
