Vulnerability Development mailing list archives

Re: ICQ Spoofing Question (or second dumb question of the day)


From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 20 Sep 2000 10:58:07 +0200

Hi,

Quoting Sander Smeenk (CistroN Medewerker) (ssmeenk () cistron nl):
> Ehrm.. I've never seen an icqspoof tool which could spoof as being a
> random chatter in Free for Chat state. And that is what the poster
> requested.

I didn't get that at first :)

> But I think that isn't spoofable, since you must connect with the ICQ
> server to be present and marked 'Free for Chat'. And to connect to the
> server you need a UIN and a password. :]

It is possible to send a change-password request after the client has
connected to the server. It is imperative, though, that the client has not
been 'active' after the connect (i.e. no send-through-server messages
received or sent), because of a serial-number guessing problem.
Very probably it is possible to send a free-for-chat request/packet in the
same manner.
(Of course everybody knows by now that ICQ is a braindead protocol that was
meant to be broken from day #1)

Greets,
        Robert

--
|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
                Marijuana is nature's way of saying, "Hi!".

