Date: Mon, 29 Mar 1999 01:07:18 -0500
From: Ronald A. Jarrell
To: BUGTRAQ@netspace.org
Subject: icq DOS / possible "stupid user" vulnerability.

Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13 client (which I believe is the first publicly distributed one of the 99 family), I turned on the "Activate my home page" feature, and turned my laptop into a web server... Complete with a file server that allows by default anything in the "program files\icq\homepage\root\YOUR#\files" folder to be requested. Even set up a guest book, chat service, etc...

After getting over being astonished (yea, they said "turning this on might increase people's access to your machine, and tell them your ip address" - of course it will. You're setting up a bloody web server you idiots. A bad one at that.) I naturally started doing some poking.

Telnet to your port 80, and enter some non http gibberish. I tried "quit" for grins. Blam. Down goes the ICQ client with a GPF. Got someone else to turn theirs on, and sure enough, managed to shoot him down too.

I warned Mirabilis about it. Folks at institutions that worry about such things, but let their employees run ICQ might want to be aware that said employees might well be running web servers now and not even know it. On your ICQ contact list, if they're on it, said users show up with a little house next to their name.

--
Ron Jarrell
VA Tech Computing Center

--------------------------------------------------------------------------------

Date: Mon, 29 Mar 1999 13:25:09 PST
From: Eddie Eddie
To: BUGTRAQ@netspace.org
Subject: Re: icq DOS / possible "stupid user" vulnerability.

I also noticed that this works not just for "quit", but for any misunderstood command.

Eddie

--------------------------------------------------------------------------------

Date: Tue, 30 Mar 1999 06:16:58 +0000
From: Kerb
To: BUGTRAQ@netspace.org
Subject: ICQ Webserver bug

I am writing this in reply to the message posted by Ronald A. Jarrell entitled `icq DOS / possible "stupid user" vulnerability`. What platforms did you test that exploit on? I tested it on an x86 NT machine (Intel 233 w/ 32 MB of RAM) locally and remotely, dropped it both times. It did not seem to work on Windows 95, and maybe 98 (haven't gotten a chance to test yet). I have a bit of exploit code written in perl...and it works fine against NT machines, but it would not harm my 95 machine. Just lookin for some info...

-Kerb

--------------------------------------------------------------------------------

Date: Mon, 29 Mar 1999 19:47:19 +0200
From: fvw
To: BUGTRAQ@netspace.org
Subject: Re: icq DOS / possible "stupid user" vulnerability.

Even doing a http "GET ......." (with a lot more periods) will crash the icq 'webserver'. Mind you, ICQ has always had a high "DOSability factor".

--------------------------------------------------------------------------------

Date: Tue, 6 Apr 1999 13:42:53 -0400
From: Ronald A. Jarrell
To: BUGTRAQ@netspace.org
Subject: Re: ICQ Webserver bug

>From: Kerb
>I am writing this in reply to the message posted by Ronald A. Jarrell
>entitled `icq DOS / possible "stupid user" vulnerability`. What
>platforms did you test that exploit on? I tested it on an x86 NT
>machine (Intel 233 w/ 32 MB of RAM) locally and remotely, dropped it
>both times. It did not seem to work on Windows 95, and maybe 98
>(haven't gotten a chance to test yet). I have a bit of exploit code

Well, my box was win 98, and the remote box I tested it against was win 95. Didn't have anyone running NT handy to test against. However, another person I corresponded with who was testing this did get it to drop a 95 box, but not every time. Did it every time for me; but there's apparently other factors that contribute as well.

--
Ron Jarrell
VA Tech Computing Center