Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Instant Messaging/IRC/Chat)  >   ICQ Vendors:   America Online, Inc.
ICQ Chat Client Can Be Crashed By Remote Users Sending Malformed Contact Packets
SecurityTracker Alert ID:  1004120
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 22 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2001b, 2002a
Description:   A denial of service vulnerability was reported in the ICQ client software. A remote user can cause the client to freeze.

It is reported that a remote user can send a malicious "contact" message to cause the target ICQ client to freeze.

If the contacts number is set to 65535 (for example) and sent to a target user, the target user's ICQ client will reportedly stop responding and will consume an increasing amount of memory on the target user's operating system.

A demonstration exploit binary is available at:

Impact:   A remote user can cause another user's ICQ client to crash.
Solution:   It is reported that the vendor made a change to the software (2002a Beta Build #3727) on April 19, 2002 to prevent users from contacting you unless they are on your contact list. This apparently prevents a remote user from crashing your ICQ client unless the remote user is on your contact list.
Vendor URL: (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  DOS for Icq 2001&2002

Icq2001b & Icq2002a Denial Of Service

If you send a malicious "contact" message, you can 
freeze target icq.

Let's look at the contact packet (taken from Massimo 
Melina documentation)

contacts-msg content is:
contacts number
and so on

if we set contacts number to lets say 65535 and will 
send such packet, then target icq stop responding. 
Task manager shows, that icq takes more and more 
memory, until you kill it or it will eat all system 

Proof of concept:

Fix: at this time - disable receiving contacts from 
everyone (including your contact list)

AOL as always instead of patching the bug, trying to 
threaten me, you can find there letter at



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC