Re: ICQ Buffer Overflow Exploit

[michael () DESIMONE NET (Michael DeSimone)]

I was sort of able to duplicate the buffer over flow. The following is the
steps I took and the results:

Copy the original URL from the original notice (sites.yahoo etc...) to
include the binary exclamation marks et. all.

Downloaded complied assembly code for a little cube generator and open in
UE32.

Paste in the URL etc.

Copy all of it and paste it into the URL section of ICQ's send a web
address.

Con my wife into opening the URL.

Listen to her bitch at me for crashing her computer.

Doing this did not execute the binary code that was placed at the end of the
URL but did cause an unwanted, adverse reaction from the OS Win 98 Release1.
That resulted in a reboot.

I have not had a chance to witness 1st hand what happened on her box but
from her description I believe it at least crashed the TCP/IP stack
(surprise) and some memory issues as well.

I will have a chance to further investigate tonight and will follow up.

Michael DeSimone
Computer Stuff

----- Original Message -----
From: Dennis W. Mattison (Little Wolf) <mattison () WEBOVISION COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, January 12, 2000 11:09 PM
Subject: Re: ICQ Buffer Overflow Exploit

Two things:

1. I am not able to verify this vulnerability under Windows98, running ICQ
99b Beta 3.19 Build 2569.  I tried sending excessively long URL's using
the URL message send (I could not find a way of sending a URL during chat,
other than typing it in the window, you might send out the instructions on
how to do this) and was unable to buffer overflow the program.  I'll keep
trying, there might be something I am not doing right...

2. I do not agree with your fix, however.  There is a much simpler fix
available, go into the Preferences window, select the Events tab, select
the URL setting on the "Select Event to Configure" combobox and then
select "Auto Decline."  This appears to shut down the http event.  I've
tried sending URL messages back and forth between two machines and was
unable to receive them.  I've turned all events off in ICQ, it is much
easier to tell someone I am chatting with to look at a particular URL
without using the URL message capability.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of drew
copley
Sent: Tuesday, January 11, 2000 10:31 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: ICQ Buffer Overflow Exploit

Buffer Overflow in ICQ
--Stuff Deleted--

---
Dennis W. Mattison (Little Wolf)
(This message should be signed, please verify signature if you suspect
fraud.)