Bugtraq mailing list archives
Re: Vulnerabilities in ICQ
From: solar () FALSE COM (Solar Designer)
Date: Tue, 16 Dec 1997 20:20:41 -0300
Hello,
The Client-To-Client Protocol used by ICQ is even worse. It does no authentication of any kind and places all trust in the client. Spoofing messages from arbitrary ICQ users is easy, as is sending file and chat requests. Even worse, if the client gets anything it doesn't expect it crashes(!) sometimes taking Windows with it.
Spoofing chat requests? Crashes? 00422D4D lea ecx, [ebp-118h] 00422D53 push dword ptr [esi+18h] 00422D56 push offset aTheFollowingRe 00422D5B push ecx 00422D5C call ds:sprintf ... 004B58F8 aTheFollowingRe db 0Dh,0Ah ; DATA XREF: _text:00422D56o 004B58F8 db 'The following reason for a chat request was given: ',0Dh,0Ah 004B58F8 db ' %s',0Dh,0Ah,0 Unless there's bound checking done before we get here, this overflow is exploitable -- the buffer is on the stack. I'm too lazy to boot Windows to check now. Anyway, there're 100+ references to sprintf() and strcpy() in ICQ, at least some of these have to be exploitable. IDA (the disassembler) is even able to detect standard MSVC functions, so you get symbolic names for them right after the disassembly, and can open a window with the cross references list. Signed, Solar Designer
Current thread:
- To kill a sun: Jason Zapman II (Dec 13)
- SunOS4.1.4 another tmpfs bug YAMAMORI Takenori (Dec 12)
- Re: To kill a sun: David LeBlanc (Dec 13)
- Re: To kill a sun: James Lockwood (Dec 14)
- Vulnerabilities in ICQ Alan Cox (Dec 14)
- Re: Vulnerabilities in ICQ Seth McGann (Dec 14)
- Re: Vulnerabilities in ICQ Solar Designer (Dec 16)
- Re: Vulnerabilities in ICQ Arik Vardi (Dec 15)
- Re: Vulnerabilities in ICQ Seth McGann (Dec 14)
- Sun killer - NT port Aleph One (Dec 14)
- Re: To kill a sun: Craig Johnston (Dec 14)
- <Possible follow-ups>
- Re: To kill a sun: Robert Sink (Dec 14)
- Re: To kill a sun: Darren Reed (Dec 14)
- Re: To kill a sun: Paul Nash (Dec 15)