[7668] in bugtraq
[rootshell] Security Bulletin #22
daemon@ATHENA.MIT.EDU (DeadSock)
Fri Aug 14 11:34:01 1998
Date: Fri, 14 Aug 1998 17:36:41 +0700
Reply-To: DeadSock <deadsock@USA.NET>
From: DeadSock <deadsock@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
Just got this news from rootshell; I haven't seen it on bugtraq, so I
forward it... btw this one is serious...
--- Forwarded Message ---
>Delivered-To: announce-outgoing@newsletter.connectnet.com
>Date: 14 Aug 1998 05:48:06 -0000
>Cc: recipient list not shown: ;
>From: announce-outgoing@rootshell.com
>X-Mailer: Rootshell 1.0
>Subject: [rootshell] Security Bulletin #22
>
>
>www.rootshell.com
>Security Bulletin #22
>August 13th, 1998
>
>[ http://www.rootshell.com/ ]
>
>----------------------------------------------------------------------
>
>To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com
>with "unsubscribe announce" in the BODY of the message.
>
>Send submissions to info@rootshell.com. Messages sent will not be sent to
>other members on this list unless it is featured in a security bulletin.
>
>An archive of this list is available at :
>http://www.rootshell.com/mailinglist-archive
>
>----------------------------------------------------------------------
>
>01. ICQ Password Verification Bug
>---------------------------------
>
>It appears that ICQ has yet another bug. This was just sent in from one of
>our users. This bug has been confirmed by Rootshell.
>
>From zallison@rice.edu Thu Aug 13 22:34:42 1998
>Date: Thu, 13 Aug 1998 23:25:49 -0300
>From: zack <zallison@rice.edu>
>To: kit@rootshell.com
>Subject: Major ICQ security hole.
>
>Greetings...
>
>I code a Linux ICQ clone, and one of my users mistyped his
>password and was allowed into his account anyway. After further
>investigating, this is what I found.
>
>* It is possible to log in to the ICQ servers as ANYONE without having
>to know their password. This leads to all sorts of compromises. This
>is *not* simply spoofing.
>
>How it works:
>
>The mirabilis server uses a password of 8 chars. Their clients do the
>range checking and only send in passwords of 8 or less chars. The Linux
>clones, mine in particular, don't do this.
>
>* When a password of 9 or more characters is sent, their buffer is
>over-run, and it allows you to log in.
>
>
>The exploit:
>
>Download any ICQ clone (example: http://hookah.ml.org/zicq)
>
>Set the UIN to be the target's UIN
>Set the password to "123456789" <-- Just large enough to overflow
>
>Start the ICQ program. If all goes well, it will log in and connect, as
>that user. Any waiting (offline) messages will be delivered to you.
>You can now send _and_ receive messages and URLs as the client allows.
>
>Notes:
>
>This is NOT spoofing, you are actually logged in as the selected UIN.
>Unlike spoofing you can receive messages as well.
>
>All UINs will work, as long as someone is not already logged in with
>that UIN.
>
>Mirabilis / AOL really needs to fix this problem.
>
>Zack
>
>----------------------------------------------------------------------
--- End of Forwarded Message ---
DeadSock <deadsock@usa.net>
http://members.xoom.com/deadsock/
Key ID 0xD8940389
Fingerprint 74C4 E0AE BBFE 0601 E13F 2ADC 5085 5B48 D894 0389
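The bulletin's core lesson is that the server let the clients do the range checking on the 8-character password, so a client that skipped the check could push a 9th byte past the server's buffer. The following C program is an added illustration and is not Mirabilis/ICQ server code, nor the zicq client: it is a constructed model in which an 8-byte password field is followed in memory by an "authenticated" flag (a hypothetical layout chosen only to make the effect visible), placed next to a hardened check that enforces the protocol's length limit on the server side before any copy happens and rejects over-length input instead of truncating it. All account names, passwords and function names are made up for the demo.

```c
/* Added example: constructed model of trusting client-side length checks
 * versus enforcing the limit on the server. Not the real ICQ server logic;
 * the memory layout and all values are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PW_MAX 8   /* the 8-character password limit stated in the bulletin */

/* Constructed session record: the password field is immediately followed by
 * the authenticated flag, so a 9th copied byte lands in the flag. */
struct session {
    char    password[PW_MAX];
    uint8_t authenticated;
};

/* Zero-fill an 8-byte field and copy at most 8 bytes of pw into it, so every
 * comparison below reads exactly PW_MAX bytes and never runs off the end. */
static void pad8(char out[PW_MAX], const char *pw) {
    memset(out, 0, PW_MAX);
    size_t n = strlen(pw);
    memcpy(out, pw, n < PW_MAX ? n : PW_MAX);
}

/* Constant-time comparison: the accept/reject path should not leak how many
 * leading bytes matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable model: assumes the client already range-checked the password,
 * so it copies however many bytes arrived into the fixed-size record.
 * The copy is clamped to sizeof(struct session) purely to keep this demo's
 * behaviour defined; an unclamped copy would corrupt whatever follows.
 * Returns 1 if the caller ends up "logged in", 0 otherwise. */
int login_trusting_client(const char *stored, const char *sent) {
    struct session s;
    char expect[PW_MAX];
    memset(&s, 0, sizeof s);
    pad8(expect, stored);
    size_t n = strlen(sent);
    if (n > sizeof s) n = sizeof s;              /* demo-only clamp */
    memcpy((unsigned char *)&s, sent, n);        /* byte 9 overwrites s.authenticated */
    if (ct_equal(s.password, expect, PW_MAX))
        s.authenticated = 1;
    return s.authenticated != 0;
}

/* Hardened model: the server enforces the protocol limit itself and rejects
 * (rather than truncates) anything over-length before it touches a buffer.
 * Returns 1 on success, 0 on wrong password, -1 on malformed input. */
int login_server_checked(const char *stored, const char *sent) {
    size_t n = strlen(sent);
    if (n == 0 || n > PW_MAX)
        return -1;   /* log and drop: an over-length credential is a protocol violation */
    char expect[PW_MAX], got[PW_MAX];
    pad8(expect, stored);
    pad8(got, sent);
    return ct_equal(expect, got, PW_MAX) ? 1 : 0;
}

int main(void) {
    const char *stored = "secret12";    /* constructed 8-char account password */
    printf("trusting client, 9-char junk password: %d\n",
           login_trusting_client(stored, "123456789"));   /* 1: logged in without the password */
    printf("trusting client, wrong 8-char password: %d\n",
           login_trusting_client(stored, "wrongpw1"));    /* 0 */
    printf("server-checked, 9-char junk password:   %d\n",
           login_server_checked(stored, "123456789"));    /* -1: rejected before any copy */
    printf("server-checked, correct password:       %d\n",
           login_server_checked(stored, "secret12"));     /* 1 */
    return 0;
}
```

The difference between the two functions is where the length limit lives: in the first it exists only as an assumption about well-behaved clients, in the second it is a server-side precondition checked on every request. Rejecting with a distinct error code (rather than silently truncating) also gives the server something to log, so a burst of over-length credentials against many UINs becomes a detectable signal rather than a silent success.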