Full Disclosure mailing list archives
Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
From: "Tri Huynh" <trihuynh () zeeup com>
Date: Fri, 5 Dec 2003 00:51:59 -0800
Wooh ! You spent all your time to register a new email account http://profiles.yahoo.com/deblanc01 just to say this ? You must be Kristian Hermanson or someone in the VNSEC mailing list that I am the moderator. Anyway, I gonna release more Yahoo bugs (most of them are lame bugs actually, but need to be patched) next couple weeks so if you alredy found anything now, try to release them all before too late :-). By the way, if you say you found the yauto.dll bug, i know there is an interesting point in exploiting this bug, can you give some insights in how to exploit it ? To Kristian, you used to be a nice guy, but not anymore though. I feel bad for you, you behave like a kid lately. I can't believe that my post lead to a bunch of unrelated discussions. What is funny to me is this a lame bug and i don't feel proud about it. I think this bug is mostly an embarrassment for Yahoo for not doing QA properly. btw, does anybody here watch the new MTV show "Rich girls" ?, it sucks really bad, the show is also another case of not doing QA correctly. :-) Trihuynh Sentryunion ----- Original Message ----- From: "De Blanc" <deblanc01 () yahoo com> To: <full-disclosure () lists netsys com> Cc: <bugtraq () securityfocus com> Sent: Wednesday, December 03, 2003 11:16 PM Subject: Re: [Full-disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
Yeah! Yahoo is sux. Yahoo Messenger has tons of bugs. But you are more sux than yahoo since you stole my work and posted my found bug to yahoo and bugtraq. Funny enough when your little company SentryUnion is trying to sell "Indetify Theft" protection service but you got owned, stole mail and money from your paypal account, logged everything your chatted with gf via one another yahoo messenger 0day. Stop leaking and killing my bug kid. Go to school to learn more. The Blanc <trihuynh () zeeup com> wrote:Hi all, This bug is a lame bug, very lame actually. I releaseit in order toshow that how a big company don't even do a basic QA.If we look throughthe security records of YIM, almost any YIM'sActiveX/Comcomponents do have some kind of buffer overflow andit is very easyto spot them too (by fuzzing the IDispatchinterface). I have no ideahow can QA guys in the YIM project can manage to letthesedangerous bugs survival through the testing state.Maybe theyare so busy watching the new "Joe Millionaire" show:-))))Trihuynh Sentryunion -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] OnBehalf Of Tri HuynhSent: Wednesday, December 03, 2003 10:07 To: full-disclosure () lists netsys com;bugtraq () securityfocus comCc: bugs () securitytracker com; news () securiteam com;vuln () secunia comSubject: [Full-disclosure] Yahoo Instant MessengerYAUTO.DLL buffer overflowYahoo Instant Messenger YAUTO.DLL buffer overflow ================================================= PROGRAM: Yahoo Instant Messenger (YIM) HOMEPAGE: http://messenger.yahoo.com VULNERABLE VERSIONS: 5.6.0.1347 and below DESCRIPTION ================================================= YIM is one of the most popular instant messenger.This is a cool product,that allows me to chat with my gf from a very longdistant :-).DETAILS ================================================= YAUTO.DLL is an ActiveX/COM component that comes withYahoo InstallMessenger. YAUTO.DLL is registered under a ProgIDcalled "YAuto.NSAuto.1".In this component, there is a function namedOpen(String Url) that willcause a buffer overflow if argument Url is passedwith a long string. Sincethis is an ActiveX component, the vulnerability canbe exploited just bymaking a website with the correct CLSID of theActiveX and call the functiondirectly. We have successfully exploited thevulnerability by making awebsite that can download a trojan and execute itsilently.WORKAROUND ================================================= Yahoo has been contacted atenterprisesales () yahoo-inc com (this is the onlyemail that I can find on the Yahoo Messenger Site)but doesn't responseafter 1 month. The workaround solution is deletingthe YAUTO.DLL file inyour YIM directory. CREDITS ================================================= Discovered by Tri Huynh from SentryUnion DISLAIMER ================================================= The information within this paper may change withoutnotice. Use of thisinformation constitutes acceptance for use in an ASIS condition. There areNO warranties with regard to this information. In noevent shall the authorbe liable for any damages whatsoever arising out ofor in connection withthe use or spread of this information. Any use ofthis information is at theuser's own risk. FEEDBACK ================================================= Please send suggestions, updates, and comments to:trihuynh () zeeup com_______________________________________________ Full-Disclosure - We believe in it. Charter:http://lists.netsys.com/full-disclosure-charter.html-------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html__________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Yahoo Instant Messenger YAUTO.DLL buffer overflow Tri Huynh (Dec 02)
- RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 02)
- Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow Dave Sherohman (Dec 03)
- Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow Marc Bejarano (Dec 09)
- <Possible follow-ups>
- RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow trihuynh () zeeup com (Dec 03)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow De Blanc (Dec 03)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Tri Huynh (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow dave kleiman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow List Account (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Boris Veytsman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow dave kleiman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Exibar (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- (Was: Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow) Cael Abal (Dec 04)
- RE: (Was: Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow) Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Exibar (Dec 04)