lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <54360-220031233173445851@M2W070.mail2web.com>
From: trihuynh at zeeup.com (trihuynh@...up.com)
Subject: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow

Hi all,
This bug is a lame bug, very lame actually. I release it in order to
show that how a big company don't even do a basic QA. If we 
look through the security records of YIM, almost any YIM's ActiveX/Com
components do have some kind of buffer overflow and it is very easy
to spot them too (by fuzzing the IDispatch interface). I have no idea
how can QA guys in the YIM project can manage to let these
dangerous bugs survival through the testing state. Maybe they
are so busy watching the new "Joe Millionaire" show :-))))

Trihuynh
Sentryunion

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Tri Huynh
Sent: Wednesday, December 03, 2003 10:07
To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com
Cc: bugs@...uritytracker.com; news@...uriteam.com; vuln@...unia.com
Subject: [Full-Disclosure] Yahoo Instant Messenger YAUTO.DLL buffer overflow


Yahoo Instant Messenger YAUTO.DLL buffer overflow
=================================================

PROGRAM: Yahoo Instant Messenger (YIM)
HOMEPAGE: http://messenger.yahoo.com
VULNERABLE VERSIONS: 5.6.0.1347 and below


DESCRIPTION
=================================================

YIM is one of the most popular instant messenger. This is a cool product,
that allows me to chat with my gf from a very long distant :-).


DETAILS
=================================================

YAUTO.DLL is an ActiveX/COM component that comes with Yahoo Install
Messenger. YAUTO.DLL is registered under a ProgID called "YAuto.NSAuto.1".
In this component, there is a function named Open(String Url) that will
cause a buffer overflow if argument Url is passed with a long string. Since
this is an ActiveX component, the vulnerability can be exploited just by
making a website with the correct CLSID of the ActiveX and call the function
directly. We have successfully exploited the vulnerability by making a
website that can download a trojan and execute it silently.



WORKAROUND
=================================================

Yahoo has been contacted at enterprisesales@...oo-inc.com (this is the only
email that I can find on the Yahoo Messenger Site) but doesn't response
after 1 month. The workaround solution is deleting the YAUTO.DLL file in
your YIM directory.


CREDITS
=================================================

Discovered by Tri Huynh from SentryUnion


DISLAIMER
=================================================

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.


FEEDBACK
=================================================

Please send suggestions, updates, and comments to: trihuynh@...up.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ