Bugtraq mailing list archives
[rootshell] Security Bulletin #22
From: deadsock () USA NET (DeadSock)
Date: Fri, 14 Aug 1998 17:36:41 +0700
just got this news from rootshell, i haven't seen it on bugtraq, so i forward it... btw this one is serious...

--- Forwarded Message ---
Delivered-To: announce-outgoing () newsletter connectnet com
Date: 14 Aug 1998 05:48:06 -0000
Cc: recipient list not shown: ;
From: announce-outgoing () rootshell com
X-Mailer: Rootshell 1.0
Subject: [rootshell] Security Bulletin #22

www.rootshell.com Security Bulletin #22 August 13th, 1998
[ http://www.rootshell.com/ ]
----------------------------------------------------------------------
To unsubscribe from this mailing list send e-mail to majordomo () rootshell com with "unsubscribe announce" in the BODY of the message.
Send submissions to info () rootshell com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin.
An archive of this list is available at : http://www.rootshell.com/mailinglist-archive
----------------------------------------------------------------------

01. ICQ Password Verification Bug
---------------------------------

It appears that ICQ has yet another bug. This was just sent in from one of our users. This bug has been confirmed by Rootshell.

From zallison () rice edu Thu Aug 13 22:34:42 1998
Date: Thu, 13 Aug 1998 23:25:49 -0300
From: zack <zallison () rice edu>
To: kit () rootshell com
Subject: Major ICQ security hole.

Greetings...

I code a Linux ICQ clone, and one of my users mistyped his password and was allowed into his account anyway. After further investigating, this is what I found.

* It is possible to log in to the ICQ servers as ANYONE without having to know their password. This leads to all sorts of compromises. This is *not* simply spoofing.

How it works:

The Mirabilis server uses a password of 8 chars. Their clients do the range checking and only send in passwords of 8 or less chars. The Linux clones, mine in particular, don't do this.

* When a password of 9 or more characters is sent, their buffer is over-run, and it allows you to log in.

The exploit:

  Download any ICQ clone (example: http://hookah.ml.org/zicq)
  Set the UIN to be the target's UIN
  Set the password to "123456789" <-- Just large enough to overflow
  Start the ICQ program.

If all goes well, it will log in and connect, as that user. Any waiting (offline) messages will be delivered to you. You can now send _and_ receive messages and URLs as the client allows.

Notes:

This is NOT spoofing, you are actually logged in as the selected UIN. Unlike spoofing you can receive messages as well. All UINs will work, as long as someone is not already logged in with that UIN.

Mirabilis / AOL really needs to fix this problem.

Zack

--- End of Forwarded Message ---

DeadSock <deadsock () usa net>
http://members.xoom.com/deadsock/
Key ID 0xD8940389
Fingerprint 74C4 E0AE BBFE 0601 E13F 2ADC 5085 5B48 D894 0389
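
The root cause described in the bulletin is that the 8-character limit was enforced only by the official client. As an added example (not code from the bulletin, Rootshell or Mirabilis), this is one way a server can enforce that limit itself before touching its fixed-size buffer; the length-prefixed field layout, `check_login` and the result codes are assumptions for illustration and are not the real ICQ protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PW_MAX 8  /* server-side password limit, as stated in the bulletin */

enum auth_result { AUTH_OK = 0, AUTH_BAD_PASSWORD = 1, AUTH_MALFORMED = 2 };

/* Hypothetical login field layout (an assumption, NOT the ICQ wire format):
 *   byte 0     : password length n, chosen by the client
 *   bytes 1..n : password bytes, no terminator
 */
enum auth_result check_login(const uint8_t *field, size_t field_len,
                             const char *stored_pw)
{
    uint8_t candidate[PW_MAX] = {0};
    uint8_t expected[PW_MAX] = {0};
    size_t stored_len = strlen(stored_pw);
    size_t n, i;
    uint8_t diff;

    if (field_len < 1)
        return AUTH_MALFORMED;
    n = field[0];
    /* The claimed length must fit inside the data actually received. */
    if (n > field_len - 1)
        return AUTH_MALFORMED;
    /* Enforce the limit here: a clone client may skip its own range check.
     * Overlong input is rejected outright, never truncated or copied. */
    if (n == 0 || n > PW_MAX)
        return AUTH_MALFORMED;
    /* Fail closed if the stored credential itself is unusable. */
    if (stored_len == 0 || stored_len > PW_MAX)
        return AUTH_BAD_PASSWORD;

    memcpy(candidate, field + 1, n);        /* n <= PW_MAX: cannot overrun */
    memcpy(expected, stored_pw, stored_len);

    /* Compare lengths and every byte with no early exit. */
    diff = (uint8_t)(n ^ stored_len);
    for (i = 0; i < PW_MAX; i++)
        diff |= (uint8_t)(candidate[i] ^ expected[i]);

    return diff == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}
```

Counting `AUTH_MALFORMED` results per source address is a cheap server-side signal that a non-standard client is sending out-of-range fields.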