COMMAND

    ICQ

SYSTEMS AFFECTED

    Whoever uses ICQ

PROBLEM

    zack found following:
    * It is possible  to log in to  the ICQ servers as  ANYONE without
      having  to  know  their  password.   This  leads to all sorts of
      comprimises.  This is *not* simply spoofing

    The mirabilis server uses a password of 8 chars.  Their clients do
    the range checking and only send in passwords of 8 or less  chars.
    The  Linux  clones,  his  in  particular,  don't  do this.  When a
    password  of  9  or  more  characters  is  sent,  their  buffer is
    over-run, and it allows you to log in.

    Download any ICQ clone (example: http://hookah.ml.org/zicq).   Set
    the UIN  to be  the targets  UIN Set  the password  to "123456789"
    (just large enough to overflow).   Start the ICQ program.  If  all
    goes well, it will log in and connect, as that user.  Any  waiting
    (offline) messages  will be  delivered to  you.   You can now send
    _and_ recieve messages and URLS as the client allows.

    This is NOT spoofing, you  are actually logged in as  the selected
    UIN.  Unlike spoofing you can recieve messages as well.  All  UINS
    will work, as long as someone  is not already logged in with  that
    UIN.  Mirabilis / AOL needs to fix this problem.

SOLUTION

    That long password hole has been patched by mirabilis.