From: Secunia Security Advisories (sec-advsecunia.com)
Date: Thu Jul 10 2003 - 08:04:31 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
ICQ Account Password Bypass Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9227/

CRITICAL:
Not critical

IMPACT:
Security Bypass

WHERE:
Local system

SOFTWARE:
ICQ 2003a

DESCRIPTION:
A vulnerability has been reported in ICQ 2003a, which can be
exploited by malicious, local users to access other user's ICQ
accounts.

The vulnerability is caused due to an authentication error. A user's
ICQ contact list window can be enabled via the "EnableWindow" API
through a specially crafted program, which then makes it possible to
set the user's status as "Online". It is then possible to connect to
the server without supplying the user's password even though the
"save password" setting hasn't been enabled.

NOTE: Successful exploitation requires that a user has gained access
to another user's Windows account.

SOLUTION:
This poses a minimal risk if multiple users don't share the same
Windows account, and users log out when leaving the system.

REPORTED BY / CREDITS:
Cauã Moura Prado

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]