Message-ID: <6EE94B1E510B8A49AAD770CE041E76CA8F1DBC@exchange.Finjan.co.il>
From: dshalev at finjan.com (Dror Shalev)
Subject: Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service


Yahoo E-mail Service Vulnerability
 
Release Date:
December 10, 2003
 
Severity:
Critical (Potential web-based e-mail worm)
 
Systems Affected:
Other web-based e-mail systems may be vulnerable.
Internet Explorer and any software application used for reading Yahoo
e-mail messages.
 
Status:
Yahoo, Excite and Outblaze (Mail.com) have already patched their
Web-based e-mail services.
 
 
 
Description:
Finjan Software identified a malicious script execution security
vulnerability in Yahoo's Web-based e-mail service.  This vulnerability
had the potential to allow malicious hackers to automatically launch a
worm or malicious mobile code attack upon the opening of an e-mail
message.  The vulnerability was reported to Yahoo and has been fixed.
Malicious Script Execution flaws allow a malicious hacker to input
malicious script into a seemingly normal e-mail message.  A computer
user opening an e-mail message containing an embedded malicious script
could automatically be hit with a malicious code attack if scripting has
been enabled on the Web browser.  Malicious script can be written in
various languages including Java, JavaScript, VB Script, Active X, and
HTML.  
In addition to destroying files, malicious code attacks have the ability
to steal personal information such as usernames, passwords, credit card
numbers, and any other information a user inputs into the computer.  It
can also expose restricted parts of a local area network, such as an
Intranet, to the public.
 
"Web-based e-mails have become very popular due to its ability to
provide access to one's e-mail messages from any computer connected to
the Internet," said Brian Burke, program manager at IDC.  "Malicious
hackers are always looking at ways to gain unauthorized access to
personal information of their victims for various reasons and Web e-mail
services are certainly a potential target." Other web-based e-mail
systems may be affected by the same flaw. Additional information
about the malicious script execution security flaw can be found at:
http://www.kb.cert.org/vuls/id/707100
 
 
Technical details:
This was a cross-site scripting vulnerability in the Yahoo! Web-based
e-mail service. The purpose of Yahoo's active content filter is to block
the injection of any active content into Yahoo! messages. However, the
basic failure that allowed this vulnerability is that double encoding was
not blocked: Yahoo's filter decoded and removed only the first layer of
encoding, so a payload encoded twice survived the filter intact.
MCRC inserted a malformed, encoded style attribute into the 'input' HTML
tag, using several known encoding methods.
 
For example: 
<input type="text" size=80 value="XSS Yahoo Mail" style="\000062
ackground-image:url('java\73 crip\t\3A ... 
 
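As an added illustration of the double-decoding point above (this is not code from the advisory, from Finjan or from Yahoo), the Python below decodes CSS escape sequences the way a browser does, once and then to a fixed point, and shows why a filter that unescapes only a single time misses a twice-encoded 'javascript:' URL. The sample style values are constructed; the 'alert(1)' completion of the truncated snippet above is an assumption.

```python
import re

# CSS escape: backslash + 1-6 hex digits + optional single whitespace,
# or backslash + any other single character, taken literally ('\t' -> 't').
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)

# Constructed samples. SINGLE completes the advisory's truncated snippet
# with an assumed alert(1); DOUBLE wraps the 's' and ':' escapes in a
# second layer (\5c is the CSS escape for the backslash itself).
SINGLE_ENCODED = "\\000062\nackground-image:url('java\\73 crip\\t\\3A alert(1)')"
DOUBLE_ENCODED = "background-image:url('java\\5c 73 crip\\t\\5c 3A alert(1)')"

# Script-bearing constructs a mail filter must refuse inside a style value.
_DANGEROUS = re.compile(r"(javascript|vbscript):|expression\(", re.I)


def css_unescape(text: str) -> str:
    """One round of CSS escape decoding: the single pass Yahoo's filter did."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def decode_to_fixpoint(text: str, max_rounds: int = 8) -> str:
    """Decode repeatedly until nothing changes, so every layer is unwrapped."""
    for _ in range(max_rounds):
        decoded = css_unescape(text)
        if decoded == text:
            return text
        text = decoded
    return text


def naive_is_dangerous(style: str) -> bool:
    """Single-pass check: unescape once, then look for a script URL."""
    return bool(_DANGEROUS.search(css_unescape(style)))


def hardened_is_dangerous(style: str) -> bool:
    """Unescape to a fixed point, drop control chars/whitespace, then match."""
    flat = re.sub(r"[\x00-\x20]+", "", decode_to_fixpoint(style))
    return bool(_DANGEROUS.search(flat))


if __name__ == "__main__":
    for label, sample in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED)):
        print(label, naive_is_dangerous(sample), hardened_is_dangerous(sample))
```

The single-pass check flags the once-encoded value but passes the twice-encoded one; decoding to a fixed point before matching closes that gap.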
The 'input' tag can be used to call a JavaScript file.
The injected JavaScript code is responsible for:
-Automatic launching of malicious code.
-Harvesting the personal information of users in the Yahoo! address book
and building a detailed commercial database for use by spammers (using
the known cookies decoder tool, created by i_n_f_o_w_a_r@...mail.com).
-Identity theft using a spoofed re-login window (suggested by
http-equiv@...ware.com).
-Reading and disclosing the user's inbox and contacts.
-Sending an e-mail message.
 
The JavaScript code has been used for creating demos, but Finjan
Software won't reveal this source code.
The ActiveX control could have been used as the destructive payload of
the propagating worm. It also allows propagation to non-Yahoo users.
The basic attack does not require an ActiveX control. The ActiveX
control is the payload that can be used to extend the attack to non-web
mail users, or to perform any malicious activity, including formatting
of the hard disk.
When the ActiveX control is used, the end user may get a security
warning, depending on the security settings of the browser. An example:
http://www.finjan.com/mcrc/demos/activex.cfm (Click on the 'test me'
button after reading the disclaimer)
The initial tip was received from "stardust (hoshikuzu)".
 
 
 
Protection:
This specific vulnerability has been eliminated by Yahoo following Finjan
Software's notification. Finjan's content security products, SurfinGate
for Web, SurfinGate for E-mail, SurfinShield Corporate and SurfinGuard
Pro, provided proactive defense against this Yahoo! vulnerability prior
to its detection and correction.
Finjan's patented behavior inspection engine will protect computer users
from similar future vulnerabilities and comparable potential exploits.
 
 
 

Credit: stardust (hoshikuzu), Dror Shalev and Menashe Eliezer.
 
http://www.finjan.com/mcrc
 
Prevention is the best cure!

 