Subject: ICQ2000A ICQmail temporary internet link vulnerability
From: Gert Fokkema (gertFOKKEMA.8K.COM)
Date: Tue Jun 06 2000 - 16:17:41 CDT


==============================================
Vulnerability : ICQ2000A ICQwebmail temporary internet link
vulnerability
Name : Gert Fokkema.
Email : gertfokkema.8k.com
Function : SecurityManager.
Organization : ISAAN. http://www.fokkema.8k.com
Organization : Noorderpoortcollege. http://www.noorderpoort.nl
Place : Groningen.
Country : The Netherlands.
Date : 6/6/2000
Time : 18:00 CET
==============================================
VULNERABILITY
When reading or sending an email using the ICQmail client
(http://www.icqmail.com) with ICQ2000A (http://www.icq.com)
a temporary internet link is created in the default temporary directory,
containing the user ID and encrypted password.
This temporary internet link is NEVER deleted, not even when signing off
from ICQwebmail, disconnecting from ICQ or closing ICQ.
When opening the temporary internet link, ANY user is able to log in to
the ICQmail web account, and is able to read, write and change any
email message or even preferences.
==============================================
EXPLOIT
Any user using a shared computer can open the temporary internet link
located in the default TEMP directory and use the ICQwebmail to read,
write email and change preferences.
==============================================
EXAMPLE
Name=icq91.url
Location=C:\TEMP
An example of the temporary internet link looks like this:
========
[InternetShortcut]
URL=http://cf.icq.com/cgi-bin/icqmail/write.pl5?uname=gertfokkema&pwd=12345678
========
Note: this temporary internet link is NOT deleted by ICQ or IE5 in any
way!!
==============================================
SOLUTION
Automatically / manually delete ALL items in the user's default TEMP
directory after logging out of the computer.
==============================================

CU Gert Fokkema
gertfokkema.8k.com
<PGP-encrypted mail welcomed and preferred>
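
An audit for the condition the advisory describes, added here as an example and not part of the original post: it scans a directory for .url shortcuts whose URL carries credential-style query parameters and reports the parameter names only. The function names and the parameter names other than uname and pwd are assumptions; the sample files are constructed from the advisory's own example.

```python
import configparser
import tempfile
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

# "uname" and "pwd" come from the advisory's sample URL; the other names are
# assumptions added for illustration.
CREDENTIAL_PARAMS = {"uname", "pwd", "user", "username", "pass", "passwd", "password"}


def shortcut_url(path):
    """Return the URL= value of an [InternetShortcut] file, or None."""
    parser = configparser.RawConfigParser(strict=False)
    try:
        parser.read_string(Path(path).read_text(encoding="utf-8-sig", errors="replace"))
    except configparser.Error:
        return None  # not an INI-style shortcut file
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)
    return None


def find_credential_shortcuts(directory):
    """Return (file name, host, credential parameter names) per risky shortcut."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".url":
            continue
        parts = urlsplit(shortcut_url(path) or "")
        leaked = sorted({key for key, _ in parse_qsl(parts.query, keep_blank_values=True)
                         if key.lower() in CREDENTIAL_PARAMS})
        if leaked:  # report parameter names only, never their values
            findings.append((path.name, parts.hostname, leaked))
    return findings


def demo():
    """Scan a constructed TEMP directory holding the advisory's sample link."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "icq91.url").write_text(
            "[InternetShortcut]\n"
            "URL=http://cf.icq.com/cgi-bin/icqmail/write.pl5?uname=gertfokkema&pwd=12345678\n")
        Path(tmp, "benign.url").write_text("[InternetShortcut]\nURL=http://www.icq.com/\n")
        return find_credential_shortcuts(tmp)


if __name__ == "__main__":
    for name, host, params in demo():
        print(f"{name}: link to {host} carries {', '.join(params)}")
```

On a shared machine, point find_credential_shortcuts at the user's TEMP directory at logout and delete what it reports, in line with the SOLUTION section above.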