lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030916190634.40246.qmail@web40002.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: Yahoo! Webcam ActiveX control buffer overflow.

Security Advisory

Name:  Yahoo! Webcam ActiveX control buffer overflow.
Systems Affected : Yahoo! Messenger, Yahoo! Chat
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo (Cleaning Internet of
dangerous ActiveX :)) 
Date:   09/16/03
Advisory Number:    CC090307


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or 
distribute parts of it without the author's written
permission. You may NOT use it for commercial 
intentions (this means include it in vulnerabilities
databases, vulnerabilities scanners, any paid 
service, etc.) without the author's written
permission. You are free to use Yahoo! advisory
details 
for commercial intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer 
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or 
indirect use of the information or functionality
provided by this advisory. Cesar Cerrudo bears no 
responsibility for content or misuse of this advisory
or any derivatives thereof.


Overview:

Yahoo! Webcam Viewer Wrapper is an ActiveX control
used by Webcam feature of Yahoo! Messenger and Yahoo! 
Chat, also it can be installed from Internet as a
stand alone ActiveX control. 
This ActiveX control has a stack and heap based
overflow vulnerability.


Details:

When a long value is set in Yahoo! Webcam Viewer
Wrapper ActiveX control's "TargetName" property 
a stack and heap based buffer overflow occurs
depending on the length of the string.

To reproduce the overflow just cut-and-paste the
following:

------sample.htm-----------
<object id="yahoowebcam"
classid="CLSID:E504EE6E-47C6-11D5-B8AB-00D0B78F3D48" >
</object>
<script>
yahoowebcam.TargetName="longstringhere";
</script>
---------------------------


This ActiveX control is marked as safe, so the above
sample will run without being blocked in default 
Internet Explorer security configuration.
This vulnerability can be exploited to run arbitrary
code. 



Vendor Status :

Yahoo! was contacted on 07/11/03, we work together (I
worked more than Yahoo! :) trying to showing them 
that there was a stack overflow too) and Yahoo!
released a fix.
Yahoo! fixed first the heap overflow without fixing
the stack overflow, Yahoo! was contacted again and 
again and again and again and then Yahoo! fixed the
stack overflow. It seems that Yahoo! need some good 
programmers and QA team :). Yahoo! didn't release a
public advisory :(, so there are many users that 
don't know that they have a vulnerable ActiveX
control.


Workaround:

If you have installed the ActiveX from Internet as a
stand alone ActiveX control or you have used Yahoo!
Chat then:
-Go to: %SystemRoot%\Downloaded Program Files\
-Right Click on: Yahoo! Webcam Viewer Wrapper
-Left Click: Remove


Patch Available : 

http://messenger.yahoo.com/messenger/security/
Yahoo! Messenger users will be prompted to update upon
sign-in (if you are lucky, i tried and i wasn't 
prompted to update). 


Especial thanks to Jimmers for his help in testing.

 
SQL SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Join at:
sqlserversecurity-subscribe@...oogroups.com
http://groups.yahoo.com/group/sqlserversecurity/



__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ