Bugtraq mailing list archives

WARNING: Another ICQ IP address vulnerability


From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Wed, 11 Nov 1998 18:16:40 -0000


There is a problem in Mirabilis' ICQ (ICQ 98beta) on Windows NT 4.0 where internal IP address information is given out in the TCP payload, thus giving other ICQ users possibly sensitive information.

Here is an example:

HOST A is running Windows NT 4.0. It has an Ethernet NIC with IP address 10.20.20.60 and also has a modem.
The user at HOST A dials his ISP and a dynamic IP address is assigned to the modem: 195.195.195.195.

The user at HOST A strikes up an ICQ conversation with the user at HOST B running Windows 98. HOST B
has a NIC with an IP address of 10.50.50.90 and a modem that has the IP address 198.198.198.198.

A TCP virtual circuit has been set up between 195.195.195.195 and 198.198.198.198 over which the conversation takes place.

An ICQ created packet will put the IP address of the sending machine at the end of the TCP data - twice.
In Windows 98 this is the IP address of the modem (198198198198198198198198).

In Windows NT, however, the TCP data will contain the IP address assigned to the modem followed by the IP address of the Network Interface Card.

What's more, if the NT box has a direct connection to the Internet via a firewall performing Network Address Translation, instead of via a dialup, this problem still occurs and it is possible using a network sniffer to get the IP address and therefore a good indication of the network addressing scheme used on the internal side.

L8r,
David Litchfield
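
The check a sniffer operator would run over the captured ICQ traffic described above, as an added example that is not part of the original post and not Mirabilis' code. The post says the sending machine's address is appended to the end of the TCP data twice but does not give the exact encoding; this example assumes two trailing 4-byte big-endian IPv4 fields, and the three sample packets (the Windows 98 dialup case, the NT dialup case, and the NT-behind-NAT case) are constructed for the example. The logic compares each embedded address with the source address seen on the wire and flags any that differ, marking RFC 1918 addresses as internal-addressing leaks.

```python
"""Flag trailing IP addresses in a TCP payload that do not match the packet's
source address (the ICQ 98beta leak described in the post).

Added example, not code from the original post.  ASSUMPTIONS (not stated in
the post): the two embedded addresses are 4-byte big-endian IPv4 fields at
the very end of the payload.  All sample packets are constructed here.
"""
import ipaddress

# Private ranges from RFC 1918; an embedded address in one of these gives the
# "network addressing scheme used on the internal side" the post refers to.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def trailing_ips(payload: bytes, count: int = 2) -> list:
    """Return the last `count` 4-byte fields of `payload` as dotted-quad strings."""
    need = 4 * count
    if len(payload) < need:
        raise ValueError("payload shorter than %d bytes" % need)
    tail = payload[-need:]
    return [str(ipaddress.IPv4Address(tail[i:i + 4])) for i in range(0, need, 4)]


def analyze(src_ip: str, payload: bytes) -> dict:
    """Compare embedded addresses with the observed TCP source address.

    leaked   - embedded addresses that differ from the wire source address
    internal - the subset of `leaked` that falls in an RFC 1918 range
    """
    embedded = trailing_ips(payload)
    leaked = [ip for ip in embedded if ip != src_ip]
    internal = [
        ip for ip in leaked
        if any(ipaddress.ip_address(ip) in net for net in RFC1918)
    ]
    return {"src": src_ip, "embedded": embedded, "leaked": leaked, "internal": internal}


def build_payload(body: bytes, *ips: str) -> bytes:
    """Constructed test helper: ICQ-like body followed by packed IPv4 fields."""
    return body + b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)


# Constructed samples mirroring the post's scenario (source IP, TCP payload).
# Windows 98 host B on dialup: modem address appears twice.
WIN98_PKT = ("198.198.198.198",
             build_payload(b"msg from host B", "198.198.198.198", "198.198.198.198"))
# Windows NT host A on dialup: modem address, then the Ethernet NIC address.
NT_PKT = ("195.195.195.195",
          build_payload(b"msg from host A", "195.195.195.195", "10.20.20.60"))
# Windows NT host behind a NAT firewall: observed source is the firewall's
# public address (203.0.113.5, a documentation-range value chosen here), while
# the payload carries the host's own internal address.
NAT_PKT = ("203.0.113.5",
           build_payload(b"msg via NAT", "10.20.20.60", "10.20.20.60"))


def main() -> None:
    for name, (src, payload) in (("win98", WIN98_PKT), ("nt", NT_PKT), ("nat", NAT_PKT)):
        r = analyze(src, payload)
        verdict = "LEAK of internal address(es) %s" % r["internal"] if r["internal"] else "no internal leak"
        print("%-5s src=%s embedded=%s -> %s" % (name, r["src"], r["embedded"], verdict))


if __name__ == "__main__":
    main()
```

Run against a real capture, the `payload` argument would be the TCP data of each ICQ packet as extracted by the sniffer; the source address comes from the IP header. Note that the NAT case only shows up because both embedded fields are compared with the wire source rather than with each other, which is why the check does not simply look for two differing trailing addresses.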


