COMMAND

    ICQ

SYSTEMS AFFECTED

    Systems running ICQ

PROBLEM

    Mnemonix found following.   There is a  problem in Mirabilis'  ICQ
    (ICQ  98beta)  on  Windows  NT  4.0  where  internal  IP   address
    information is given out in the TCP payload thus giving other  ICQ
    users possibly sensitive information.  Here is an example:

    * HOST A is running Windows NT 4.0. It has an Ethernet NIC with IP
      address 10.20.20.60 and also  has a modem.   The user at HOST  A
      dials his  ISP and   a dynamic  IP address  is assigned  to  the
      modem: 195.195.195.195.

    * The user at HOST A strikes up an ICQ conversation with the  user
      at  HOST  B  running  Windows  98.  HOST  B has a NIC with an IP
      address  of  10.50.50.90  and  a  modem  that has the IP address
      198.198.198.198.

    * A TCP  virtual circuit has  been set up  between 195.195.195.195
      and 198.198.198.198 over which the converstation takes place.

    An  ICQ  created  packet  will  put  the IP address of the sending
    machine at the end  of the TCP data  - twice.  In  Windows 98 this
    is that of the IP address of the modem (198198198198198198198198).
    In Windows NT  however, the TCP  data will contain  the IP address
    assigned to the  modem followed by  the IP address  of the Network
    Interface  Card.   What's  more,  if  the  NT  box  has  a  direct
    connection  to  the  Internet  via  a  firewall performing Network
    Address Translation, instead of  via a dialup, this  problem still
    occurs and it is  possible using a network  sniffer to get the  IP
    address and therefore a good indication of the network  addressing
    scheme used on the internal side.

SOLUTION

    Nothing yet.