[23753] in bugtraq
Re: ICQ remote buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Daniel Tan)
Tue Jan 8 15:34:26 2002
Message-ID: <3C3A3217.E646B2B2@seas.upenn.edu>
Date: Mon, 07 Jan 2002 18:41:11 -0500
From: Daniel Tan <datan@seas.upenn.edu>
MIME-Version: 1.0
To: elijah wright <elw@stderr.org>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
my apologies...
After making the discovery that the overflow occurs even with DC with
the remote client, I have to deduce that parsing of the TLV packet
is NOT at fault in this case.
Reason: TLV packets are those that go through the servers. But DC
connections do not use them. I believe it is in the creation of
the message event that the buffer overflow occurs.
An important difference with the AIM overflow is that the user has
to doubleclick on the contact to receive the event for the overflow
to occur. But I believe this is still a risk since most people
would double click on their events anyway.
elijah wright wrote:
>
> > This is very similar to the AIM overflow recently discovered.
> > ICQ protocol uses the same TLV (2711) packet and there is a similar
> > weakness in the parsing of the packet.
>
> duh, that's because its essentially the same protocol. :)
>
> ICQ clients should probably be viewed with the same suspicion as the
> vulnerable AIM clients.
>
> elijah
