[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <005301c3bb0d$0e4de220$329f8018@youru10ixi0anw>
From: trihuynh at zeeup.com (Tri Huynh)
Subject: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
Wooh ! You spent all your time to register a new email account
http://profiles.yahoo.com/deblanc01 just to say this ? You
must be Kristian Hermanson or someone in the VNSEC mailing
list that I am the moderator. Anyway, I gonna release more
Yahoo bugs (most of them are lame bugs actually, but need to be patched)
next couple weeks so if you alredy found anything now, try to release
them all before too late :-). By the way, if you say you found the yauto.dll
bug, i know there is an interesting point in exploiting this bug, can you
give
some insights in how to exploit it ?
To Kristian, you used to be a nice guy, but not anymore though. I feel bad
for you,
you behave like a kid lately.
I can't believe that my post lead to a bunch of unrelated discussions. What
is
funny to me is this a lame bug and i don't feel proud about it. I think this
bug
is mostly an embarrassment for Yahoo for not doing QA properly. btw,
does anybody here watch the new MTV show "Rich girls" ?, it sucks really
bad,
the show is also another case of not doing QA correctly. :-)
Trihuynh
Sentryunion
----- Original Message -----
From: "De Blanc" <deblanc01@...oo.com>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>
Sent: Wednesday, December 03, 2003 11:16 PM
Subject: Re: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer
overflow
> Yeah! Yahoo is sux. Yahoo Messenger has tons of bugs.
> But you are more sux than yahoo since you stole my
> work and posted my found bug to yahoo and bugtraq.
> Funny enough when your little company SentryUnion is
> trying to sell "Indetify Theft" protection service but
> you got owned, stole mail and money from your paypal
> account, logged everything your chatted with gf via
> one another yahoo messenger 0day.
>
> Stop leaking and killing my bug kid. Go to school to
> learn more.
>
> The Blanc
>
> <trihuynh@...up.com> wrote:
> >Hi all,
> >This bug is a lame bug, very lame actually. I release
> it in order to
> >show that how a big company don't even do a basic QA.
> If we look through
> >the security records of YIM, almost any YIM's
> ActiveX/Com
> >components do have some kind of buffer overflow and
> it is very easy
> >to spot them too (by fuzzing the IDispatch
> interface). I have no idea
> >how can QA guys in the YIM project can manage to let
> these
> >dangerous bugs survival through the testing state.
> Maybe they
> >are so busy watching the new "Joe Millionaire" show
> :-))))
> >Trihuynh
> >Sentryunion
> >-----Original Message-----
> >From: full-disclosure-admin@...ts.netsys.com
> >[mailto:full-disclosure-admin@...ts.netsys.com] On
> Behalf Of Tri Huynh
> >Sent: Wednesday, December 03, 2003 10:07
> >To: full-disclosure@...ts.netsys.com;
> bugtraq@...urityfocus.com
> >Cc: bugs@...uritytracker.com; news@...uriteam.com;
> vuln@...unia.com
> >Subject: [Full-Disclosure] Yahoo Instant Messenger
> YAUTO.DLL buffer overflow
> >
> >Yahoo Instant Messenger YAUTO.DLL buffer overflow
> >=================================================
> >PROGRAM: Yahoo Instant Messenger (YIM)
> >HOMEPAGE: http://messenger.yahoo.com
> >VULNERABLE VERSIONS: 5.6.0.1347 and below
> >
> >DESCRIPTION
> >=================================================
> >YIM is one of the most popular instant messenger.
> This is a cool product,
> >that allows me to chat with my gf from a very long
> distant :-).
> >
> >DETAILS
> >=================================================
> >YAUTO.DLL is an ActiveX/COM component that comes with
> Yahoo Install
> >Messenger. YAUTO.DLL is registered under a ProgID
> called "YAuto.NSAuto.1".
> >In this component, there is a function named
> Open(String Url) that will
> >cause a buffer overflow if argument Url is passed
> with a long string. Since
> >this is an ActiveX component, the vulnerability can
> be exploited just by
> >making a website with the correct CLSID of the
> ActiveX and call the function
> >directly. We have successfully exploited the
> vulnerability by making a
> >website that can download a trojan and execute it
> silently.
> >
> >WORKAROUND
> >=================================================
> >Yahoo has been contacted at
> enterprisesales@...oo-inc.com (this is the only
> >email that I can find on the Yahoo Messenger Site)
> but doesn't response
> >after 1 month. The workaround solution is deleting
> the YAUTO.DLL file in
> >your YIM directory.
> >
> >CREDITS
> >=================================================
> >Discovered by Tri Huynh from SentryUnion
> >
> >DISLAIMER
> >=================================================
> >The information within this paper may change without
> notice. Use of this
> >information constitutes acceptance for use in an AS
> IS condition. There are
> >NO warranties with regard to this information. In no
> event shall the author
> >be liable for any damages whatsoever arising out of
> or in connection with
> >the use or spread of this information. Any use of
> this information is at the
> >user's own risk.
> >
> >FEEDBACK
> >=================================================
> >Please send suggestions, updates, and comments to:
> trihuynh@...up.com
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >--------------------------------------------------------------------
> >mail2web - Check your email from the web at
> >http://mail2web.com/ .
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> __________________________________
> Do you Yahoo!?
> Free Pop-Up Blocker - Get it now
> http://companion.yahoo.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
Powered by blists - more mailing lists