Vulnerability Development mailing list archives

Re: ICQ Spoofing Question (or second dumb question of the day)


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 20 Sep 2000 13:42:06 +0400

Hello Robert van der Meulen,

20.09.2000 12:58, you wrote: ICQ Spoofing Question (or second dumb question of the day);

But I think that isn't spoofable, since you must connect with the ICQ
server to be present and marked 'Free for Chat'. And to connect to the
server you need a UIN and a password. :]
R> It is possible to send a change-password request after the client has
R> connected to the server. It is imperative, though, that the client has not
R> been 'active' after the connect (i.e. no send-through-server messages
R> received or sent), because of a serial-number guessing problem.
R> Very probably it is possible to send a free-for-chat request/packet in the
R> same manner.
R> (Of course everybody knows by now that ICQ is a braindead protocol that was
R> meant to be broken from day #1)

Since version 2000a ICQ uses a TCP connection with the server. It makes it
harder to spoof clients' requests to the server, because it requires
hijacking the TCP connection first. But it doesn't eliminate the possibility
of spoofing a message from another UIN, because the server supports older clients.

I believe it's not hard to make a message "random". I think "random"
is just another flag in the ICQ message packet. It can be easily
discovered with a sniffer.

/3APA3A
