Security Basics mailing list archives

[ Advisory ] New Yahoo Messenger client bug ( Insecure memory management )


From: Hamid.K <elite_netbios () yahoo com>
Date: 25 May 2004 22:33:51 -0000



Hi list.

After sending two posts to Yahoo Inc. and receiving no reply, I decided to post here.
  
=|-------------------------------------------------------------
=| Program : YIM-Client ( Yahoo Instant Messenger client )
=|
=| Vulnerable versions : new Beta release , 5.6.x and prior
=|
=| Flaw : Insecure memory management which can . . .
=|
=|---------------------------------------------------------------
=|  
=| Description :
=|
=| Yahoo Messenger is an instant-messaging system, which is one of the popular
=| systems of its kind. The login process to the server systems is protected
=| by a user ID and a password. The YIM client has the ability to store your
=| password so you don't need to type it each time.
=|
=| The stored encoded password is saved in the registry, which has already
=| been talked about, and there are many programs available to decode the
=| stored "Eoption String".
=|
=| Due to the insecure way Yahoo manages the stored password, it's possible
=| to extract the clear-text saved password from the memory space of the
=| YIM client. There is really no protection on the stored password in
=| memory and, due to the way the OS treats memory
=| ( No protection at user-level permissions ),
=|
=| ANY low privileged user can dump the password from memory. There is no
=| access required to the registry or the program itself.
=|
=| There are many ways to abuse this, but my nasty idea is using this
=| vulnerability in one of the famous exploited Windows bugs like the lsass
=| stuff, and making the remote-shell-string return us the stored password
=| in the memory of the remote system.
=|
=| It's possible to do that because the password is stored in a static place
=| in memory, and on my system ( 5.6.x versions ) it is (00F341B0).
=| I hadn't a chance to install the new beta version to get the memory address.
=|
=| There are also MANY other applications vulnerable to this kind of bug.
=|
=|  
=| Here is the advisory I sent to Yahoo
=| =========================
=| Hello Yahoo-Messenger crew
=|
=| Yahoo-Messenger ( current version ) has a security flaw which lets the
=| attacker extract the stored password of the YIM-client from the memory
=| space of the loaded program. The password is available in clear-text at a
=| static, specific memory address, which lets an attacker read the password
=| from memory.
=| 5.6.0.1339 was the version of the client I've tested, but it seems this
=| flaw exists on previous versions too.
=|
=| Unlike other methods to extract the stored password, like the stored
=| encoded-password in the registry, this way does NOT need any sort of
=| decoding / decryption to gain access to the stored password. It's stored
=| in clear-text.
=|
=| The stored password can be found at this address. The beginning address
=| is: 00F341B0 in the memory space of the loaded YIM-client.
=|
=| Sample :
=| Load the Yahoo Messenger client with save-password enabled. Then run the
=| WinHex program, attempt to read from RAM, select the YIM client process
=| and load its entire used memory. By looking at the mentioned address
=| ( 00F341B0 ), you'll see the clear-text password you've stored on your
=| client.
=|
=| Hamid Kashfi
=| May 18 2004
=|
=| ==========
=| Finally, sorry for poor English :-p
=| EOF.
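Added example (not from the post above and not Yahoo's code): the defect the advisory describes is a saved credential parked, in clear text, in a long-lived static buffer, where any user-mode reader of the process image can find it. The C below puts that pattern beside a hardened alternative that holds the plaintext only for the duration of the call and then scrubs it through a volatile pointer, so the compiler cannot drop the clearing stores as dead code. `remember_password_insecure`, `login_hardened`, `scrub`, `secret_lingers` and the `authenticate` stand-in are all hypothetical names introduced here; the password values are constructed. On Windows the same scrub is `SecureZeroMemory()`, and a secret that genuinely must persist in the process should at least be held under `CryptProtectMemory()` rather than in the clear.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Insecure pattern (hypothetical, modelled on the advisory): the saved
 * password sits in a static, plaintext buffer for the life of the process. */
static char saved_password[PW_MAX];

void remember_password_insecure(const char *pw)
{
    strncpy(saved_password, pw, PW_MAX - 1);
    saved_password[PW_MAX - 1] = '\0';
    /* never cleared: a memory dump of this process will contain it */
}

/* Scrub a buffer so the plaintext does not outlive its use. A plain memset()
 * on memory that is never read again may be removed by the optimizer
 * (dead-store elimination); writing through a volatile pointer forces the
 * stores to be emitted. Portable stand-in for SecureZeroMemory() /
 * explicit_bzero(). */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Defender's check: returns 1 if any non-zero byte remains in buf. */
int secret_lingers(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            return 1;
    return 0;
}

/* Clears the insecure static copy (what the client should do, at minimum,
 * once the credential has been sent). */
void forget_password(void)
{
    scrub(saved_password, sizeof saved_password);
}

/* Hypothetical stand-in for sending the credential to the server; returns
 * the number of bytes it consumed so the caller can see it was "used". */
static int authenticate(const char *pw)
{
    return (int)strlen(pw);
}

/* Hardened: the plaintext lives in a caller-supplied scratch buffer only for
 * the duration of this call and is scrubbed before returning. Returns the
 * authenticate() result, or -1 if the scratch buffer is unusable. */
int login_hardened(const char *pw, char *scratch, size_t scratch_len)
{
    if (scratch == NULL || scratch_len == 0)
        return -1;
    strncpy(scratch, pw, scratch_len - 1);
    scratch[scratch_len - 1] = '\0';
    int used = authenticate(scratch);
    scrub(scratch, scratch_len);      /* nothing left for a memory reader */
    return used;
}

int main(void)
{
    char scratch[PW_MAX];

    remember_password_insecure("constructed-pw");
    printf("insecure copy lingers: %d\n", secret_lingers(saved_password, PW_MAX));
    forget_password();
    printf("after scrub lingers:   %d\n", secret_lingers(saved_password, PW_MAX));

    int n = login_hardened("constructed-pw", scratch, sizeof scratch);
    printf("hardened used %d bytes, lingers: %d\n", n,
           secret_lingers(scratch, sizeof scratch));
    return 0;
}
```

Scrubbing narrows the window rather than closing it: the password still exists in memory while it is in use, and a reader with the same user-level access the advisory describes can still catch it then. That is why the note above pairs the scrub with keeping any persistent copy encrypted in memory, and why a stored-credential feature should not leave a plaintext copy resident at all once the login exchange is done.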
