Security Basics mailing list archives
[ Advisory ] New Yahoo-Messenger client bug ( Insecure memory management )
From: Hamid.K <elite_netbios () yahoo com>
Date: 25 May 2004 22:33:51 -0000
Hi list. After sending two posts to Yahoo Inc. and receiving no reply, I decided to post here.

-------------------------------------------------------------
Program : YIM-Client ( Yahoo Instant Messenger client )

Vulnerable versions : new Beta release, 5.6.x and prior

Flaw : Insecure memory management which can . . .
---------------------------------------------------------------

Description :

Yahoo Messenger is an instant-messaging system, which is one of the popular systems of its kind. The login process to the server systems is protected by a user ID and a password. The YIM client has the ability to store your password so you don't need to type it each time.

The stored encoded password is saved in the registry, which has already been talked about, and there are many programs available to decode the stored "Eoption String".

Due to the insecure way Yahoo manages the stored password, it's possible to extract the clear-text saved password from the memory space of the YIM client. There is really no protection on the stored password in memory, and due to the way the OS treats memory (no protection at user-level permissions), ANY low-privileged user can dump the password from memory. There is no access required to the registry or the program itself.

There are many ways to abuse this, but my nasty idea is using this vulnerability in one of the famous exploited Windows bugs like the lsass stuff, and make the remote-shell-string return us the stored password in memory of the remote system.

It's possible to do that because the password is stored in a static place in memory, and on my system (5.6.x versions) it is (00F341B0). I hadn't a chance to install the new beta version to get the memory address.

There are also MANY other applications vulnerable to this kind of bug.

Here is the advisory I sent to Yahoo:
=========================
Hello Yahoo-Messenger crew,

Yahoo-Messenger (current version) has a security flaw which lets the attacker extract the stored password of the YIM client from the memory space of the loaded program. The password is available in clear-text at a static, specific memory address, which lets an attacker read the password from memory. 5.6.0.1339 was the version of the client I've tested, but it seems this flaw exists in previous versions too.

Unlike other methods to extract the stored password, like the stored encoded password in the registry, this way does NOT need any sort of decoding/decryption to gain access to the stored password. It's stored in clear-text.

The stored password can be found at this address. The beginning address is 00F341B0 in the memory space of the loaded YIM client.

Sample:
Load the Yahoo Messenger client with save-password enabled. Then run the WinHex program, attempt to read from RAM, select the YIM client process and load its entire used memory. By looking at the mentioned address (00F341B0), you'll see the clear-text password you've stored on your client.

Hamid Kashfi
May 18 2004

==========
Finally, sorry for poor English :-p
EOF.
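The pattern the advisory describes, beside a hardened form, as an added C example that is not part of the original post or of any Yahoo code (the buffer layout, function names and the constructed sample password are assumptions): a decoded password left in a static buffer stays readable in clear text for the life of the process, while a short-lived buffer scrubbed through a volatile pointer leaves no residue for a memory dump to find.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PW_MAX 64

/* Returns true if any byte in the region is non-zero, i.e. a clear-text
   copy (or part of one) may still be sitting in memory. */
bool has_residue(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0) return true;
    return false;
}

/* Pattern 1 (the flaw in the advisory, reconstructed as an assumption):
   the saved password is decoded into a static buffer at a fixed address
   and never cleared, so it stays readable for as long as the process
   lives, at the same offset on every run. */
char g_saved_password[PW_MAX];

void vulnerable_login(const char *decoded_pw) {
    strncpy(g_saved_password, decoded_pw, PW_MAX - 1);
    g_saved_password[PW_MAX - 1] = '\0';
    /* ... authenticate with g_saved_password ... */
    /* nothing here clears the buffer afterwards */
}

/* Zeroing through a volatile pointer so the compiler cannot drop the
   stores as dead writes; SecureZeroMemory on Windows serves the same
   purpose. A plain memset() before return is often optimised away. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Pattern 2 (hardened): the clear-text value lives only in a
   caller-supplied scratch buffer for the duration of the login, and the
   buffer is scrubbed before the function returns. */
void hardened_login(const char *decoded_pw, char *scratch, size_t scratch_len) {
    strncpy(scratch, decoded_pw, scratch_len - 1);
    scratch[scratch_len - 1] = '\0';
    /* ... authenticate with scratch ... */
    secure_zero(scratch, scratch_len);
}
```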