ICQ Password Reset Ruins Accounts

Mark Doliner mark at kingant.net
Sun Mar 28 23:58:16 EDT 2010


Hmm, that code does look a little strange... Are you proposing that
the following happened:
1. You tried to change your password to something longer than 8 characters
2. The passwdlen variable was set to 8
3. byte_stream_putstr(&bs, passwd); tried to write the entire
password, but it should have only tried to write the first 8 bytes
4. bs wasn't long enough to hold the full password, so no part of the
string was written
5. The last null character was written to the buffer, then the
remaining 7 bytes would be arbitrary uninitialized memory
6. The server changed your password to a null byte followed by 7 bytes
of gibberish

I tried that just now and the server seemed to reject my password
change request and leave my old password intact.  Have you tried your
own password?

--Mark

On Sun, Mar 28, 2010 at 9:14 AM, Dylan Taft <d13f00l at gmail.com> wrote:
> I just lost my very old ICQ account thanks to this I think.....
>
> pidgin-2.6.6/libpurple/protocols/oscar/family_icq.c
>
> byte_stream_putstr(&bs, passwd);
>
> Nothing is done to truncate passwd to <= 8 characters?
>
> byte_stream_new(&bs, 4 + bslen);
> But the data to be sent is only sized for an 8 character strlen....
> Isn't this a major problem?
>
>
> /**
>  * Change your ICQ password.
>  *
>  * @param od The oscar session
>  * @param passwd The new password.  If this is longer than 8 characters it
>  *        will be truncated.
>  * @return Return 0 if no errors, otherwise return the error number.
>  */
> int aim_icq_changepasswd(OscarData *od, const char *passwd)
> {
>     FlapConnection *conn;
>     ByteStream bs;
>     aim_snacid_t snacid;
>     int bslen, passwdlen;
>
>     if (!passwd)
>         return -EINVAL;
>
>     if (!od || !(conn = flap_connection_findbygroup(od, SNAC_FAMILY_ICQ)))
>         return -EINVAL;
>
>     passwdlen = strlen(passwd);
>     if (passwdlen > MAXICQPASSLEN)
>         passwdlen = MAXICQPASSLEN;
>     bslen = 2+4+2+2+2+2+passwdlen+1;
>
>     byte_stream_new(&bs, 4 + bslen);
>
>     snacid = aim_cachesnac(od, SNAC_FAMILY_ICQ, 0x0002, 0x0000, NULL, 0);
>
>     /* For simplicity, don't bother using a tlvlist */
>     byte_stream_put16(&bs, 0x0001);
>     byte_stream_put16(&bs, bslen);
>
>     byte_stream_putle16(&bs, bslen - 2);
>     byte_stream_putuid(&bs, od);
>     byte_stream_putle16(&bs, 0x07d0); /* I command thee. */
>     byte_stream_putle16(&bs, snacid); /* eh. */
>     byte_stream_putle16(&bs, 0x042e); /* shrug. */
>     byte_stream_putle16(&bs, passwdlen+1);
>     byte_stream_putstr(&bs, passwd);
>     byte_stream_putle8(&bs, '\0');
>
>     flap_connection_send_snac(od, conn, SNAC_FAMILY_ICQ, 0x0002, 0x0000,
>                               snacid, &bs);
>
>     byte_stream_destroy(&bs);
>
>     return 0;
> }
>
> _______________________________________________
> Devel mailing list
> Devel at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/devel
>
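The failure mode Mark walks through in steps 3 to 5 (a stream sized for the truncated length, a string write that tries to emit the whole password and is dropped when it does not fit, then a NUL followed by whatever was in the allocation) can be reproduced in isolation. The following is an added example, not code from the thread or from libpurple: the ByteStream, its bs_* functions and encode_password are a simplified stand-in that I wrote for this purpose, and the assumption that a write which does not fit is dropped whole is Mark's hypothesis, not a verified property of libpurple's byte_stream_putstr. The buffer is filled with 0xAA to make the "uninitialized" bytes visible rather than random. The bounded variant writes exactly passwdlen bytes, which is the shape of fix the quoted function's own doc comment ("will be truncated") promises.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXICQPASSLEN 8

/* Simplified stand-in for libpurple's ByteStream (an assumption for this
 * example, not the real struct): a fixed-size buffer plus a write cursor.
 * A write that does not fit is dropped whole, as Mark's step 4 hypothesises. */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t offset;
} ByteStream;

static void bs_new(ByteStream *bs, size_t len)
{
    bs->data = malloc(len);
    /* The real allocator does not zero memory; a fixed marker makes the
     * "gibberish" bytes of Mark's step 5 visible instead of random. */
    memset(bs->data, 0xAA, len);
    bs->len = len;
    bs->offset = 0;
}

static void bs_destroy(ByteStream *bs)
{
    free(bs->data);
    bs->data = NULL;
}

/* Bounded write: returns n on success, 0 if the bytes would overrun the buffer. */
static size_t bs_putraw(ByteStream *bs, const uint8_t *v, size_t n)
{
    if (n > bs->len - bs->offset)
        return 0;
    memcpy(bs->data + bs->offset, v, n);
    bs->offset += n;
    return n;
}

/* String write: always tries to emit the whole C string, caller's length ignored. */
static size_t bs_putstr(ByteStream *bs, const char *s)
{
    return bs_putraw(bs, (const uint8_t *)s, strlen(s));
}

static size_t bs_put8(ByteStream *bs, uint8_t v)
{
    return bs_putraw(bs, &v, 1);
}

/* Build only the password part of the body (the bytes after the passwdlen+1
 * length word) into a stream sized for the truncated password. The whole
 * allocation is copied to `out`, modelling a sender that transmits the full
 * buffer rather than just up to the cursor. Returns how many password bytes
 * actually landed in the stream. truncate_write selects the bounded variant. */
static size_t encode_password(const char *passwd, int truncate_write,
                              uint8_t *out, size_t *outlen)
{
    ByteStream bs;
    size_t passwdlen = strlen(passwd);
    size_t written;

    if (passwdlen > MAXICQPASSLEN)
        passwdlen = MAXICQPASSLEN;

    bs_new(&bs, passwdlen + 1);
    if (truncate_write)
        written = bs_putraw(&bs, (const uint8_t *)passwd, passwdlen); /* bounded */
    else
        written = bs_putstr(&bs, passwd); /* as quoted: passwdlen is ignored */
    bs_put8(&bs, '\0');

    memcpy(out, bs.data, bs.len);
    *outlen = bs.len;
    bs_destroy(&bs);
    return written;
}

int main(void)
{
    uint8_t out[MAXICQPASSLEN + 1];
    size_t n, i;
    const char *pw = "longpassword"; /* constructed 12-character sample */

    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t w = encode_password(pw, fixed, out, &n);
        printf("%s: %zu password bytes written, field =",
               fixed ? "bounded" : "unbounded", w);
        for (i = 0; i < n; i++)
            printf(" %02x", out[i]);
        printf("\n");
    }
    return 0;
}
```

With a password of 8 characters or fewer both variants produce the same field, which is why the problem only shows up for longer passwords; with 12 characters the unbounded variant yields a field of one NUL byte followed by eight marker bytes, exactly the "null byte followed by gibberish" of step 6, while the bounded variant yields the first eight characters plus the NUL.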