Yahoo! Assistant (3721) ActiveX Remote Code Execution Vulnerability By Sowhat of Nevis Labs Date: 2008.05.06 http://www.nevisnetworks.com http://secway.org/advisory/AD20080506EN.txt http://secway.org/advisory/AD20080506CN.txt CVE: N/A Vendor Yahoo! CN Affected: Yahoo! Assistant<=3.6 Overview: Yahoo! Assistant, formerly named 3721 Internet Assistant, is a Browser Helper Object for Internet Explorer. It was renamed to Yahoo! Assistant after Beijing 3721 Technology was acquired by Yahoo!. Yahoo! Assistant includes a lot of useful features, such as IE setting repair, security shield, removal of internet history information and blocking ads. http://cn.zs.yahoo.com/ Details: The specific flaws exists in the ynotifier.dll ActiveX control. Succssfully exploiting this vulnerability allows attackers to execute arbitrary code on vulnerable installation. Successful exploitation requires that the target user browse to a malicious web page. During the instantiation of the Ynoifier COM object through IE, there will an exploitable memory corruption condition. (c78.fa0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00e85328 ebx=001ada20 ecx=4080624c edx=00128474 esi=020cb5f0 edi=00000000 eip=43f50743 esp=001283e0 ebp=00128478 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246 43f50743 ?? ??? Code: 637a8b47 8b45f8 mov eax,[ebp-0x8] 637a8b4a 8b08 mov ecx,[eax] 637a8b4c 8d55fc lea edx,[ebp-0x4] 637a8b4f 52 push edx 637a8b50 6a01 push 0x1 637a8b52 50 push eax 637a8b53 ff5158 call dword ptr [ecx+0x58] ; ds:0023:408062a4=43f50743 The virutal function call at 0x58 is pointed to invalid data. By taking advantage of some heap spraying technique, the attacker can exploit this vulnerability to execute arbitrary code. Proof of Concept: The POC for this vulnerability is quite simple, save the following code as HTML: