what you don't know can hurt you

Yahoo! Messenger 11.5.0.228 Buffer Overflow

Yahoo! Messenger 11.5.0.228 Buffer Overflow
Posted Sep 4, 2015
Authored by Julien Ahrens | Site rcesecurity.com

Multiple buffer overflow vulnerabilities have been identified in Yahoo! Messenger versions 11.5.0.228 and below.

tags | advisory, overflow, vulnerability
advisories | CVE-2014-7216
MD5 | 464fdcbb475517adc40408ae287a00e7

Yahoo! Messenger 11.5.0.228 Buffer Overflow

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
-----------------------
Product: Yahoo! Messenger
Vendor URL: www.yahoo.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-05-02
Date published: 2015-09-03
CVSSv3 Score: 4,8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
CVE: CVE-2014-7216


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
--------------------
Yahoo! Messenger v11.5.0.228 (latest)
Yahoo! Messenger v10.0.0.2009
older versions may be affected too.


4. INTRODUCTION
---------------
Yahoo Messenger is the premier instant messaging (IM) platform, used on
a wide variety of desktop and mobile clients. Millions of users
throughout the world depend on Yahoo Instant Messenger to manage their
social contacts, group lists, and presence information; hold real-time
instant communications; and perform data transfer to and from contacts
throughout the world. All instantly.

(from the vendor's homepage)


5. VULNERABILITY DESCRIPTION
----------------------------
Multiple buffer overflow vulnerabilities have been identified in Yahoo!
Messenger v11.5.0.228 and prior.

The application loads the content of the file emoticons.xml from two
different directories %PROGRAMFILES(x86)%\Yahoo!\Messenger\Cache and
%PROGRAMFILES(x86)%\Yahoo!\Messenger\Media\Smileys when a user logins to
determine the available emoticons and their associated shortcuts, which
can be used in the chat window. But the application does not properly
validate the length of the string of the "shortcut" and "title" key
values before passing them as an argument to different lstrcpyW calls.

This leads to a stack-based buffer overflow condition, resulting in
possible code execution. An attacker needs to trick the victim to copy
an arbitrary emoticons package to the application directory in order to
exploit the vulnerability. Successful exploits can allow attackers to
execute arbitrary code with the privileges of the user running the
application. Failed exploits will result in a denial-of-service condition.


6. PROOF-OF-CONCEPT (VULNERABLE CODE PARTS)
-------------------------------------------
YahooMessenger.exe:

title value:
0051D2C1 PUSH DWORD PTR DS:[EAX] ; /String2
0051D2C3 LEA EAX,DWORD PTR SS:[EBP] ; |
0051D2C6 PUSH EAX ; |String1
0051D2C7 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>; \lstrcpyW

shortcut value:
0051D326 PUSH DWORD PTR DS:[ESI+4] ; /String2
0051D329 LEA EAX,DWORD PTR SS:[EBP] ; |
0051D32C PUSH EAX ; |String1
0051D32D CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>>; \lstrcpyW


7. SOLUTION
-----------
None. Won't be fixed.


8. REPORT TIMELINE
------------------
2014-05-02: Discovery of the vulnerability
2014-05-03: Reported via Yahoo! Bug Bounty program (hackerone.com)
2014-07-19: Vendor forwards the issue to the dev team
2014-08-31: Request for status update due to Yahoo's 120-day policy
2014-09-10: Vendor is still evaluating the issue
2014-09-20: Vendor closes the issue as "Won't fix" due to EOL
2014-10-01: MITRE assigns CVE-2014-7216
2014-10-05: Request to disclose the bug publicly
2015-08-14: Vendor approves the disclosure
2015-09-03: Advisory released


9. REFERENCES
-------------
https://www.rcesecurity.com/2015/09/cve-2014-7216-a-journey-through-yahoos-bug-bounty-program
https://hackerone.com/reports/10767
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    2 Files
  • 30
    Nov 30th
    17 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close