[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030601213329.90154.qmail@web40016.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: Yahoo! Audio Conferencing ActiveX control buffer overflow
Security Advisory
Name: Yahoo! Audio Conferencing ActiveX control
buffer overflow.
Systems Affected : Yahoo! Chat, Yahoo! Messanger.
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 06/01/03
Advisory Number: CC060303
Legal Notice:
This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or
distribute parts of it without the author's written
permission. You may NOT use it for commercial
intentions (this means include it in vulnerabilities
databases, vulnerabilities scanners, any paid
service, etc.) without the author's written
permission. You are free to use Yahoo! advisory
details
for commercial intentions.
Disclaimer:
The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or
indirect use of the information or functionality
provided by this advisory. Cesar Cerrudo bears no
responsibility for content or misuse of this advisory
or any derivatives thereof.
Overview:
Yahoo! Audio Conferencing is an ActiveX control used
by Yahoo! Chat (a web based service) and
Yahoo! Messenger (a win32 client application), this
ActiveX control has a stack based overflow
vulnerability.
Details:
When a long value is set in Yahoo! Audio Conferencing
ActiveX control's "hostname" property and then
the "createandjoinconference" method is called a stack
based buffer overflow occurs.
To reproduce the overflow just cut-and-paste the
following:
------sample.htm-----------
<OBJECT id=yahooaudio type="application/x-oleobject"
classid="clsid:2B323CD9-50E3-11D3-9466-00A0C9700498">
</OBJECT>
<script>
yahooaudio.hostname="longstringheremorethan500chars";
yahooaudio.createandjoinconference();
</script>
---------------------------
This ActiveX control is marked as safe, so the above
sample will run without being blocked in default
Internet Explorer security configuration.
This vulnerability can be exploited to run arbitrary
code.
Vendor Status :
Yahoo! was contacted on 05/12/03, we work together and
Yahoo! released a fix.
Patch Available :
Yahoo! Messenger users will be prompted to update upon
sign-in. Yahoo! Chat users will be served
the new ActiveX control when entering a chat room.
The update page will also be linked to from the
Yahoo! Chat and Yahoo! Messenger home pages.
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe@...oogroups.com
http://groups.yahoo.com/group/sqlserversecurity/
__________________________________
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
Powered by blists - more mailing lists