COMMAND

    icq

SYSTEMS AFFECTED

    icq

PROBLEM

    'No  Strezzz  Cazzz'  found  following.   This  advisory  is  very
    similair  to  the  one  PCP/A   #0004  (NT  stores  passwords   in
    plaintext).   Okay here  we go.   While playing  with system clock
    'NSC' put the year on 2099 for  fun.  A few seconds after that  he
    got the following "Dr. Watson for Windows NT" error:

        "An application error has occured and an application error log is being generated.
        icq.exe
        Exception: access violation: (0xc0000005), Address: 0x2020128f"

    During  the  "millennium-bug-hype  MS  released some advisories on
    "dangerous dates".  2029 and 2038 where mentioned in the text.

    Do You remembered that POP3 and dial-up passwords are being
    stored in plaintext in a  USER.DMP file (Dr. Watson will  create a
    USER.DMP-file  each  time  a  user-mode  program  crashes).    The
    USER.DMP that  was created  when ICQ  crashed is  located in WINNT
    directory.  Well, inside You will find password as well.

    Its hard to find a password in 16-20 MB of text if you don't  know
    what you're looking for.  So here's what we can tell you about the
    location of the password.

    In  all  the  USER.DMP's  created  so  far  by  crashing  ICQ, ICQ
    password showed  up  either  2  or  3  times.  Altough all created
    USER.DMP's were in the same way (crashing ICQ by setting the  date
    to 2038) their size  varied from 16-20 MB.   The ICQ password  was
    stored in this format:  "ICQpazzzw0rd".  On one occasion it showed
    up with a space between each letter: "I C Q p a z z z w 0 r d".

    The password will  ALWAYS show up  very close to  the last message
    that was  received before  ICQ crashed.   Note that  the passwords
    always stored  up in  the upper  10% of  the USER.DMP  file.   Use
    "wordwrap" to read it from up to down when needed.

    Sometimes it  was stored  near words  like "User"  and "Password",
    but  it  is  ALWAYS  very  close  (a  few lines below) to the last
    message you received.

    If you uncheck "save password" in your ICQ this will NOT help.

    Any  program  that  takes  a  password is vulnerable (depending on
    when  the  crash   occurs).   The   vulnerability,  as   mentioned
    previously,  is  in  *where*  NT  places  the User.dmp by default:
    into a  directroy that  by default  is accessible  by the Everyone
    group.

SOLUTION

    What would be the best thing to do here is to Uncheck the  "create
    crash dump file" checkbox  in drwtsn32.exe (assuming you  run NT).
    Or you can change the location that your debugger will writes  its
    dumps to to a directory that only you can access.