yahoo-im.txt

yahoo-im.txt
Posted May 30, 2002
Authored by AD Marshall

Yahoo! Instant Messenger (YIM) vulnerabilities. Affects Yahoo! Messenger v(5, 0, 0, 1061) for all Windows versions. Includes buffer overflow information and how to hijack another IM client.

tags | overflow, vulnerability
systems | windows
SHA-256 | 560f2f1480e78404b85ae116917fa30a3d36064a7073a97a2a19d1fc7fcd8d6c

=======================================================================
Yahoo! Instant Messenger (YIM) Hi-Jack 101
-- Multiple Vulnerabilities & Demonstration Exploit

Date : 05/02/2002
Version : Yahoo! Messenger (5, 0, 0, 1061) [latest build at time]
Platforms : Win98, Win2K, XP Pro (and likely all Windows versions)
Severity : Medium - High

Contents :
01. Summary
02. Software/Supplier Status
03. Vulnerability #1: Buffer Overflows
04. Vulnerability #2: Yahoo! Instant Messenger (YIM) Hi-Jack 101
(Remote Java Visual Basic script execution)
05. Threat Significance
06. Credits


01. Summary:

At the end of 2001, Yahoo! Instant Messenger (YIM) was estimated by Jupiter Media Metrix to be the ad-sponsored choice of some 12 million Instant Messaging (IM) Internet users, a population increasing at over 25% per annum, http://www.ecommercetimes.com/perl/story/14793.html.

Media Life, however, estimates the number of global IM users at the end of 2001 to be over 200 million with 32%, or 64 million, using Yahoo! Messenger, http://209.61.190.23/news2002/feb02/feb04/2_tues/news4tuesday.html.

Security vulnerabilities in YIM have recently been found which can allow unauthorized execution of programs on a YIM user's PC, via buffer overflows or via Java or Visual Basic script execution added through YIM Content Tabs. The net impact is a relatively simple opportunity to hijack a user's YIM client outright and use it to attack or intrude into YIM users' supposedly private information systems.

02. Software/Supplier Status:

Yahoo! was informed of this vulnerability on 05/05/2002. In discussions with Yahoo Security the authors agreed to await Yahoo!'s release of a repaired version of Yahoo! Messenger (YIM). Yahoo! made the repaired version available for download and installation on 24/05/2002 at http://download.yahoo.com/dl/installs/ymsgr/ymsgr_1065.exe.

Notably, Yahoo! removed some functionality from the repaired YIM version. Specifically, according to Yahoo, the "addview" function (see below) has been removed until Yahoo! can rewrite it and provide sufficient security to prevent exploitation of Vulnerability #2 below.


03. Vulnerability #1: Buffer Overflows

When Yahoo! Messenger (YIM) is installed, it registers its own handler for URLs of the type "ymsgr". In the Win98 Registry, this handler is HKEY_LOCAL_MACHINE\Software\CLASSES\ymsgr\shell\open\command, which has a value for "(Default)" of "<Hard-drive:\Directories\>YPAGER.EXE %1".

Thus, when any URL beginning with "ymsgr:" [no slashes, no "//"] is entered into a web browser integrated with YIM, "ypager.exe %1" is executed with the complete URL substituted for %1.
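
An added example (not part of the advisory and not Yahoo!'s software) of how an administrator can audit this handler layer: the script below lists every URL scheme that Windows will hand to a local program and shows what the shell actually executes once %1 is expanded. It reads the HKEY_CLASSES_ROOT view of the registry, which merges the HKEY_LOCAL_MACHINE\Software\Classes path cited above; the sample entries, drive letter and directory names are constructed placeholders, and the winreg enumeration only runs on Windows.

```python
r"""Audit which URL schemes hand the clicked URL to a local program.

Added example, not from the advisory. On Windows it enumerates the
HKEY_CLASSES_ROOT view (which merges HKEY_LOCAL_MACHINE\Software\Classes,
the path the advisory cites) for classes carrying the "URL Protocol"
marker value and reads each one's shell\open\command template. The helper
functions are pure Python so the audit logic can be exercised anywhere.
"""
import sys


def executable_of(template):
    """Return the program a shell\\open\\command template runs: the quoted
    first token if present, otherwise the first whitespace-delimited token."""
    template = template.strip()
    if template.startswith('"'):
        end = template.find('"', 1)
        return template[1:end] if end > 0 else template[1:]
    return template.split(None, 1)[0] if template else ""


def expand_command(template, url):
    """Show what the shell executes for a URL: every %1 becomes the full
    URL text, however long it is; nothing at this layer limits its size."""
    return template.replace("%1", url)


def audit_handlers(entries):
    """entries: iterable of (scheme, template or None). Returns a list of
    (scheme, executable, passes_url) for every scheme with a usable command."""
    report = []
    for scheme, template in entries:
        if not template:
            continue
        report.append((scheme.lower(), executable_of(template), "%1" in template))
    return report


def read_registry_handlers():
    """Windows only: collect (scheme, command template) for every class in
    HKEY_CLASSES_ROOT that declares itself a URL protocol."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration requires Windows")
    import winreg
    entries = []
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:  # no more subkeys
            break
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")  # raises if the marker is absent
        except OSError:
            continue
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name + r"\shell\open\command") as key:
                template = winreg.QueryValueEx(key, "")[0]
        except OSError:
            template = None
        entries.append((name, template))
    return entries


# Constructed sample mirroring the advisory's "<Hard-drive:\Directories\>YPAGER.EXE %1"
# entry; the drive and directory are placeholders, not a real install path.
SAMPLE_ENTRIES = [
    ("ymsgr", r"C:\EXAMPLE-DIR\YPAGER.EXE %1"),
    ("mailto", r'"C:\EXAMPLE-DIR\mailer.exe" "%1"'),
    ("tel", None),
]

if __name__ == "__main__":
    entries = read_registry_handlers() if sys.platform == "win32" else SAMPLE_ENTRIES
    for scheme, exe, passes_url in audit_handlers(entries):
        print(f"{scheme:12} -> {exe}  (receives URL: {passes_url})")
```

Any scheme reported with passes_url set to True is a program that receives attacker-controlled text from a browser or mail client click, which is exactly the input path the overflows below ride on; those are the handlers worth fuzzing or patching first.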

With no proper bounds checking in the ymsgr protocol handler, attackers can overflow the buffers behind the YIM "call", "sendim", "getimv", "chat", "addview" and "addfriend" tags.

For example, loading the URL "ymsgr:call?(84)+8-8344332&p=DaHØ" into a YIM-integrated browser causes ypager.exe to be executed; it then launches the YIM/Net2Phone "Call Centre" application and prepares it to dial the phone number and name given in the URL.

If we input a string of more than 260 bytes, YIM crashes; 264 bytes overwrite the EBP register; four (4) more bytes overwrite the EIP register. In total, 268 bytes are needed to cause the buffer overflow.

For example, this URL

ymsgr:call?+<aaaaaaaaaaaaaaaa...>

would overwrite both the EBP (Extended Base Pointer) and EIP (Extended Instruction Pointer). The ellipsis, "...", represents an extension to 268 bytes of "a"s (i.e., 0x61616161 repeated). From there, attackers could overwrite the EIP with any address they choose, jump to exploit code and have that code run with the current user's normal privileges.

The following are susceptible to BOFs (Buffer OverFlows) as well, but this time another 100 bytes are needed, 368 in total:

ymsgr:sendim?+<aaaaaaa..... 368 bytes here>
ymsgr:chat?+<aaaaaaa..... 368 bytes here>
ymsgr:addview?+<aaaaaaa..... 368 bytes here>
ymsgr:addfriend?+<aaaaaaa..... 368 bytes here>

Another susceptibility is illustrated by "ymsgr:getimv?+<aaaaaaa..... 368 bytes here>", as reported to BugTraq on February 21, 2002 by "Scott Woodward" <scott@phoenixtechie.com>. We include it here in case anyone wants an example of this particular exploit.


04. Vulnerability #2: Yahoo! Instant Messenger (YIM) Hi-Jack 101
(Java, Visual Basic script execution)

URLs beginning with "ymsgr:addview?" let users add browser-ready Yahoo! content to YIM's "Content Tabs" for viewing in YIM, without a web browser. YIM installs with default Tabs for Stocks, Weather, Calendar, News, etc.

The following URL is provided to demonstrate this vulnerability. To use it, you must have Yahoo! Messenger (YIM) installed and integrated with a compatible web browser. (We only tested this exploit on Microsoft's Internet Explorer 5.0+.)

ymsgr:addview?http://rd.yahoo.com/messenger/?http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.htm

This simple, completely harmless, sample exploit will start up YIM, if not already started, add a new "Content Tab" called "YIM Cal-Hack" to YIM's current set, then display a dialogue box with one option, "OK", then open the "YIM Cal-Hack" content, a quick, 9-click set of instructions to disable the exploit. (Send it to your friends for a laugh. ;))

To see the contents of DemH0.htm, simply remove the Yahoo! redirection parts of the exploit URL above or load this URL into any browser:

http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.htm

Note, however, that to completely remove the "YIM Cal-Hack" tab (before the user's next YIM upgrade), a minor Windows registry edit is needed: exit YIM; "Find" the text string "YMSGR_test" or "YIM Cal-Hack" using Start -> Run -> regedit -> Edit -> Find; delete the YMSGR_test key; exit regedit; and restart YIM.

Note also that DemH0.htm is not a standard HTML file, though it calls three other standard HTML files. Instead, DemH0.htm contains only YIM-specific tags. In fact, if you insert the normal HTML opening tags, "<html><head><script>...", the exploit will not work and YIM simply responds with a dialogue box stating, "Error adding view... The view format is invalid." -- as demonstrated by this URL:

ymsgr:addview?http://rd.yahoo.com/messenger/?http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.not.htm


05. Threat Significance

Vulnerability #2 (above) demonstrates how potential attackers could replace or even visually replicate almost any YIM content and insert scripts into their own HTML that could be used to do almost anything on a YIM user's machine. For example, it would not be too difficult to modify the demonstration exploit above to request a YIM user's ID and password and send them to any email address or Internet URL.

Minimal user intervention is required to exploit these vulnerabilities. Modified versions of the ymsgr URLs provided could readily be hidden in HTML pages or emails, with text or images enticing YIM users to click on them. Further, scripts could be used to load such ymsgr exploit URLs into pop-up browser windows with no direct user intervention.

Given there are now somewhere between 13-65 million Yahoo! Messenger users worldwide (as described in the Summary above), the potential impact of this vulnerability poses a highly significant threat to users who do not soon upgrade their Yahoo! Messenger clients.
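
As an added example (not code from the advisory or from VICE Consulting), the following Python inspector applies both findings from the defender's side, for instance on a mail or web gateway: it parses the ymsgr: URLs found in a page or message body, flags payloads that reach the overflow lengths reported under Vulnerability #1 (268 bytes for "call", 368 for the other tags), and, for "addview" links, unwraps the rd.yahoo.com redirector used in Vulnerability #2 to determine which host the content view would really load from. The 200-byte policy cap, the trusted-host list and the sample HTML are assumptions constructed for this example.

```python
"""Gateway-side inspector for ymsgr: URLs.

Added example, not part of the advisory. It flags the two URL shapes the
advisory describes: payloads long enough to reach the reported overflow
lengths and "addview" links whose final destination, after unwrapping the
rd.yahoo.com redirector, lies outside the hosts trusted for content views.
"""
import re
from urllib.parse import urlsplit

# Payload lengths at which the advisory reports the overflow (EIP overwritten).
OVERFLOW_LENGTH = {
    "call": 268,
    "sendim": 368, "chat": 368, "addview": 368, "addfriend": 368, "getimv": 368,
}
# Assumption for this example: a gateway refuses anything beyond this size
# well before the overflow length. The figure is a policy choice, not from the advisory.
MAX_SANE_PAYLOAD = 200
# Assumption: hosts from which a content view is allowed to load.
TRUSTED_VIEW_HOSTS = ("yahoo.com",)

YMSGR_RE = re.compile(r"""ymsgr:(?P<tag>[A-Za-z]+)\?(?P<payload>[^\s"'<>]*)""")


def parse_ymsgr(url):
    """Split a ymsgr: URL into (tag, payload); None if it is not one."""
    m = YMSGR_RE.fullmatch(url.strip())
    if m is None:
        return None
    return m.group("tag").lower(), m.group("payload")


def unwrap_redirect(url):
    """Peel rd.yahoo.com/...?<url> layers until a non-redirector URL remains.
    Returns (final_url, hop_count); each hop strictly shortens the string."""
    hops = 0
    while True:
        parts = urlsplit(url)
        if parts.netloc.lower() == "rd.yahoo.com" and parts.query.lower().startswith("http"):
            url = parts.query
            hops += 1
            continue
        return url, hops


def host_is_trusted(url):
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_VIEW_HOSTS)


def inspect(url):
    """Return a list of findings for one URL (empty means nothing suspicious)."""
    findings = []
    parsed = parse_ymsgr(url)
    if parsed is None:
        return findings
    tag, payload = parsed
    size = len(payload.encode("latin-1", "replace"))  # the advisory counts bytes
    limit = OVERFLOW_LENGTH.get(tag)
    if limit is None:
        findings.append(f"unknown ymsgr tag {tag!r}")
    elif size >= limit:
        findings.append(f"{tag}: {size}-byte payload reaches overflow length {limit}")
    elif size > MAX_SANE_PAYLOAD:
        findings.append(f"{tag}: {size}-byte payload exceeds policy maximum {MAX_SANE_PAYLOAD}")
    if tag == "addview":
        final, hops = unwrap_redirect(payload)
        if not host_is_trusted(final):
            findings.append(
                f"addview: view loads from untrusted host {urlsplit(final).hostname!r} "
                f"after {hops} redirect hop(s)")
    return findings


def scan_text(text):
    """Find every ymsgr: URL in a page or mail body; map the bad ones to findings."""
    results = {}
    for m in YMSGR_RE.finditer(text):
        findings = inspect(m.group(0))
        if findings:
            results[m.group(0)] = findings
    return results


# Constructed sample page: one benign link, one redirected view, one overlong call.
SAMPLE_HTML = (
    '<a href="ymsgr:sendim?friend">say hi</a>\n'
    '<a href="ymsgr:addview?http://rd.yahoo.com/messenger/?http://example.invalid/view.htm">tab</a>\n'
    '<a href="ymsgr:call?+' + "a" * 267 + '">call me</a>\n'
)

if __name__ == "__main__":
    for bad_url, why in scan_text(SAMPLE_HTML).items():
        print(bad_url[:60], "->", "; ".join(why))
```

The length check is deliberately two-tiered: the overflow lengths are what the advisory measured on build 1061, but a gateway should reject on the much lower policy cap so that a different build with a slightly different stack layout is still covered. The redirect unwrapping matters because the trusted-looking rd.yahoo.com prefix is what makes the demonstration URL pass a naive host check.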


06. Credits:

VICE Consulting, Technical: Phuong Nguyen
VICE Consulting, Editorial: AD Marshall
=======================================================================

*--------------------------------------------------*
AD Marshall, VietInfoComm&Edu [VICE]-8 Consulting
Vietnam Information Communications & Education
eMail: MailTo:ADMarshall@VICEConsulting.Com
Post: 8A/G8 Don Dat, Q.1, TpHCM, VietNam
Web: HTTP://WWW.VICEConsulting.Com
Linux Registered User #251932
Cell: +84 (0)903871313
*--------------------------------------------------*
*--- Linux Users Counter - VietNam (Vie^.t Nam) ---*
*---- http://counter.li.org/bycountry/VN.html -----*
