| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: cesarc56 at yahoo.com (Cesar) Subject: Yahoo! Webcam ActiveX control buffer overflow. Security Advisory Name: Yahoo! Webcam ActiveX control buffer overflow. Systems Affected : Yahoo! Messenger, Yahoo! Chat Severity : High Remote exploitable : Yes Author: Cesar Cerrudo (Cleaning Internet of dangerous ActiveX :)) Date: 09/16/03 Advisory Number: CC090307 Legal Notice: This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Yahoo! advisory details for commercial intentions. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof. Overview: Yahoo! Webcam Viewer Wrapper is an ActiveX control used by Webcam feature of Yahoo! Messenger and Yahoo! Chat, also it can be installed from Internet as a stand alone ActiveX control. This ActiveX control has a stack and heap based overflow vulnerability. Details: When a long value is set in Yahoo! Webcam Viewer Wrapper ActiveX control's "TargetName" property a stack and heap based buffer overflow occurs depending on the length of the string. To reproduce the overflow just cut-and-paste the following: ------sample.htm----------- <object id="yahoowebcam" classid="CLSID:E504EE6E-47C6-11D5-B8AB-00D0B78F3D48" > </object> <script> yahoowebcam.TargetName="longstringhere"; </script> --------------------------- This ActiveX control is marked as safe, so the above sample will run without being blocked in default Internet Explorer security configuration. This vulnerability can be exploited to run arbitrary code. Vendor Status : Yahoo! was contacted on 07/11/03, we work together (I worked more than Yahoo! :) trying to showing them that there was a stack overflow too) and Yahoo! released a fix. Yahoo! fixed first the heap overflow without fixing the stack overflow, Yahoo! was contacted again and again and again and again and then Yahoo! fixed the stack overflow. It seems that Yahoo! need some good programmers and QA team :). Yahoo! didn't release a public advisory :(, so there are many users that don't know that they have a vulnerable ActiveX control. Workaround: If you have installed the ActiveX from Internet as a stand alone ActiveX control or you have used Yahoo! Chat then: -Go to: %SystemRoot%\Downloaded Program Files\ -Right Click on: Yahoo! Webcam Viewer Wrapper -Left Click: Remove Patch Available : http://messenger.yahoo.com/messenger/security/ Yahoo! Messenger users will be prompted to update upon sign-in (if you are lucky, i tried and i wasn't prompted to update). Especial thanks to Jimmers for his help in testing. SQL SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Join at: sqlserversecurity-subscribe@...oogroups.com http://groups.yahoo.com/group/sqlserversecurity/ __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Powered by blists - more mailing lists