ICQ Password Reset Ruins Accounts

Dylan Taft d13f00l at gmail.com
Sun Mar 28 12:14:28 EDT 2010


I just lost my very old ICQ account thanks to this I think.....

pidgin-2.6.6/libpurple/protocols/oscar/family_icq.c

byte_stream_putstr(&bs, passwd);

Nothing is done to truncate passwd to <= 8 characters?

byte_stream_new(&bs, 4 + bslen);
But the data to be sent is only sized for an 8-character strlen....
Isn't this a major problem?


/**
 * Change your ICQ password.
 *
 * @param od The oscar session
 * @param passwd The new password.  If this is longer than 8 characters it
 *        will be truncated.
 * @return Return 0 if no errors, otherwise return the error number.
 */
int aim_icq_changepasswd(OscarData *od, const char *passwd)
{
	FlapConnection *conn;
	ByteStream bs;
	aim_snacid_t snacid;
	int bslen, passwdlen;

	if (!passwd)
		return -EINVAL;

	if (!od || !(conn = flap_connection_findbygroup(od, SNAC_FAMILY_ICQ)))
		return -EINVAL;

	passwdlen = strlen(passwd);
	if (passwdlen > MAXICQPASSLEN)
		passwdlen = MAXICQPASSLEN;
	bslen = 2+4+2+2+2+2+passwdlen+1;

	byte_stream_new(&bs, 4 + bslen);

	snacid = aim_cachesnac(od, SNAC_FAMILY_ICQ, 0x0002, 0x0000, NULL, 0);

	/* For simplicity, don't bother using a tlvlist */
	byte_stream_put16(&bs, 0x0001);
	byte_stream_put16(&bs, bslen);

	byte_stream_putle16(&bs, bslen - 2);
	byte_stream_putuid(&bs, od);
	byte_stream_putle16(&bs, 0x07d0); /* I command thee. */
	byte_stream_putle16(&bs, snacid); /* eh. */
	byte_stream_putle16(&bs, 0x042e); /* shrug. */
	byte_stream_putle16(&bs, passwdlen+1);
	byte_stream_putstr(&bs, passwd);
	byte_stream_putle8(&bs, '\0');

	flap_connection_send_snac(od, conn, SNAC_FAMILY_ICQ, 0x0002, 0x0000,
			snacid, &bs);

	byte_stream_destroy(&bs);

	return 0;
}
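As an added example (not part of the original post and not libpurple's own code), the program below reproduces the length bookkeeping of aim_icq_changepasswd against a small bounded byte stream and compares the posted write, byte_stream_putstr(&bs, passwd), with a variant that writes only the passwdlen bytes the buffer was sized for. The ByteStream here is a stand-in that refuses any write that does not fit and records the refusal; how the real libpurple ByteStream reacts to an over-length write is not shown on this page and is an assumption. The UIN and SNAC id are constructed values standing in for byte_stream_putuid and aim_cachesnac.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXICQPASSLEN 8

/* Simplified stand-in for libpurple's ByteStream (assumption: the real one
 * differs).  It tracks capacity and refuses writes that do not fit,
 * recording the refusal instead of overrunning the buffer. */
typedef struct {
    uint8_t *data;
    size_t len;      /* allocated capacity */
    size_t offset;   /* bytes written so far */
    int overflowed;  /* set when a write was refused for lack of space */
} ByteStream;

static void byte_stream_new(ByteStream *bs, size_t len)
{
    bs->data = calloc(len, 1);
    bs->len = len;
    bs->offset = 0;
    bs->overflowed = 0;
}

static void byte_stream_destroy(ByteStream *bs) { free(bs->data); bs->data = NULL; }

static int byte_stream_putraw(ByteStream *bs, const uint8_t *src, size_t n)
{
    if (bs->len - bs->offset < n) {
        bs->overflowed = 1;   /* the packet was sized too small for this write */
        return 0;
    }
    memcpy(bs->data + bs->offset, src, n);
    bs->offset += n;
    return (int)n;
}

static int byte_stream_put16(ByteStream *bs, uint16_t v)   /* big-endian */
{
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)(v & 0xff) };
    return byte_stream_putraw(bs, b, 2);
}

static int byte_stream_putle16(ByteStream *bs, uint16_t v) /* little-endian */
{
    uint8_t b[2] = { (uint8_t)(v & 0xff), (uint8_t)(v >> 8) };
    return byte_stream_putraw(bs, b, 2);
}

static int byte_stream_putle32(ByteStream *bs, uint32_t v)
{
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    return byte_stream_putraw(bs, b, 4);
}

static int byte_stream_putle8(ByteStream *bs, uint8_t v) { return byte_stream_putraw(bs, &v, 1); }

/* Writes strlen(s) bytes, exactly like the call in the posted code. */
static int byte_stream_putstr(ByteStream *bs, const char *s)
{
    return byte_stream_putraw(bs, (const uint8_t *)s, strlen(s));
}

/* Builds the change-password body with the posted size arithmetic.
 * truncate_write == 0 reproduces the posted behaviour (full string written);
 * truncate_write != 0 writes only the passwdlen bytes the buffer was sized for.
 * Returns 1 when every write fit and the buffer is exactly full, else 0. */
int changepasswd_body_consistent(const char *passwd, int truncate_write)
{
    ByteStream bs;
    int passwdlen = (int)strlen(passwd);
    int bslen, ok;

    if (passwdlen > MAXICQPASSLEN)
        passwdlen = MAXICQPASSLEN;
    bslen = 2 + 4 + 2 + 2 + 2 + 2 + passwdlen + 1;   /* same formula as the post */

    byte_stream_new(&bs, 4 + bslen);
    byte_stream_put16(&bs, 0x0001);
    byte_stream_put16(&bs, (uint16_t)bslen);
    byte_stream_putle16(&bs, (uint16_t)(bslen - 2));
    byte_stream_putle32(&bs, 123456789);   /* constructed UIN, stands in for byte_stream_putuid */
    byte_stream_putle16(&bs, 0x07d0);
    byte_stream_putle16(&bs, 0x0001);      /* constructed SNAC id */
    byte_stream_putle16(&bs, 0x042e);
    byte_stream_putle16(&bs, (uint16_t)(passwdlen + 1));  /* declared length: truncated + NUL */
    if (truncate_write)
        byte_stream_putraw(&bs, (const uint8_t *)passwd, (size_t)passwdlen);
    else
        byte_stream_putstr(&bs, passwd);   /* may exceed the declared length */
    byte_stream_putle8(&bs, '\0');

    ok = !bs.overflowed && bs.offset == bs.len;
    byte_stream_destroy(&bs);
    return ok;
}

int main(void)
{
    /* Constructed sample passwords: at the limit, one over, and well over. */
    const char *samples[] = { "abcdefgh", "abcdefghi", "correct horse battery" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s posted: %d  truncated write: %d\n", samples[i],
               changepasswd_body_consistent(samples[i], 0),
               changepasswd_body_consistent(samples[i], 1));
    return 0;
}
```

With an 8-character password both variants fill the buffer exactly. With nine characters the posted variant fits the string but has no room left for the terminating NUL, and with anything longer the string write itself is what no longer fits, so the length field written by byte_stream_putle16(&bs, passwdlen+1) and the bytes that follow it disagree; writing only passwdlen bytes keeps the declared length, the buffer size and the payload in step.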



