lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <55E8956A.9040907@rcesecurity.com>
Date: Thu, 3 Sep 2015 20:46:02 +0200
From: Julien Ahrens <info@...security.com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2014-7216] Yahoo! Messenger emoticons.xml Multiple Key
 Value Handling Local Buffer Overflow

RCE Security Advisory
https://www.rcesecurity.com
 
 
1. ADVISORY INFORMATION
-----------------------
Product:        Yahoo! Messenger
Vendor URL:     www.yahoo.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2014-05-02
Date published: 2015-09-03
CVSSv3 Score:   4,8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
CVE:            CVE-2014-7216
 
 
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
 
 
3. VERSIONS AFFECTED
--------------------
Yahoo! Messenger v11.5.0.228 (latest)
Yahoo! Messenger v10.0.0.2009
older versions may be affected too.


4. INTRODUCTION
---------------
Yahoo Messenger is the premier instant messaging (IM) platform, used on
a wide variety of desktop and mobile clients. Millions of users
throughout the world depend on Yahoo Instant Messenger to manage their
social contacts, group lists, and presence information; hold real-time
instant communications; and perform data transfer to and from contacts
throughout the world. All instantly.

(from the vendor's homepage)
 
 
5. VULNERABILITY DESCRIPTION
----------------------------
Multiple buffer overflow vulnerabilities have been identified in Yahoo!
Messenger v11.5.0.228 and prior.
 
The application loads the content of the file emoticons.xml from two
different directories %PROGRAMFILES(x86)%\Yahoo!\Messenger\Cache and
%PROGRAMFILES(x86)%\Yahoo!\Messenger\Media\Smileys when a user logins to
determine the available emoticons and their associated shortcuts, which
can be used in the chat window. But the application does not properly
validate the length of the string of the "shortcut" and "title" key
values before passing them as an argument to different lstrcpyW calls.
 
This leads to a stack-based buffer overflow condition, resulting in
possible code execution. An attacker needs to trick the victim to copy
an arbitrary emoticons package to the application directory in order to
exploit the vulnerability. Successful exploits can allow attackers to
execute arbitrary code with the privileges of the user running the
application. Failed exploits will result in a denial-of-service condition.
 
 
6. PROOF-OF-CONCEPT (VULNERABLE CODE PARTS)
-------------------------------------------
YahooMessenger.exe:

title value:
0051D2C1  PUSH DWORD PTR DS:[EAX]                ; /String2
0051D2C3  LEA EAX,DWORD PTR SS:[EBP]             ; |
0051D2C6  PUSH EAX                               ; |String1
0051D2C7  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>; \lstrcpyW
 
shortcut value:
0051D326  PUSH DWORD PTR DS:[ESI+4]               ; /String2
0051D329  LEA EAX,DWORD PTR SS:[EBP]              ; |
0051D32C  PUSH EAX                                ; |String1
0051D32D  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>>; \lstrcpyW
 
 
7. SOLUTION
-----------
None. Won't be fixed.
 
 
8. REPORT TIMELINE
------------------
2014-05-02: Discovery of the vulnerability
2014-05-03: Reported via Yahoo! Bug Bounty program (hackerone.com)
2014-07-19: Vendor forwards the issue to the dev team
2014-08-31: Request for status update due to Yahoo's 120-day policy  
2014-09-10: Vendor is still evaluating the issue
2014-09-20: Vendor closes the issue as "Won't fix" due to EOL    
2014-10-01: MITRE assigns CVE-2014-7216
2014-10-05: Request to disclose the bug publicly
2015-08-14: Vendor approves the disclosure
2015-09-03: Advisory released
 
 
9. REFERENCES
-------------
https://www.rcesecurity.com/2015/09/cve-2014-7216-a-journey-through-yahoos-bug-bounty-program

https://hackerone.com/reports/10767

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ