Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow

From: "Tri Huynh" <trihuynh () zeeup com>
Date: Fri, 5 Dec 2003 00:51:59 -0800
Wooh ! You spent all your time to register a new email account
http://profiles.yahoo.com/deblanc01 just to say this ? You
must be Kristian Hermanson or someone in the VNSEC mailing
list that I am the moderator. Anyway, I gonna release more
Yahoo bugs (most of them are lame bugs actually, but need to be patched)
next couple weeks so if you alredy found anything now, try to release
them all before too late :-). By the way, if you say you found the yauto.dll
bug, i know there is an interesting point in exploiting this bug, can you
give
some insights in how to exploit it ?

To Kristian, you used to be a nice guy, but not anymore though. I feel bad
for you,
you behave like a kid lately.

I can't believe that my post lead to a bunch of unrelated discussions. What
is
funny to me is this a lame bug and i don't feel proud about it. I think this
bug
is mostly an embarrassment for Yahoo for not doing QA properly. btw,
does anybody here watch the new MTV show "Rich girls" ?, it sucks really
bad,
the show is also another case of not doing QA correctly. :-)

Trihuynh
Sentryunion



----- Original Message ----- 
From: "De Blanc" <deblanc01 () yahoo com>
To: <full-disclosure () lists netsys com>
Cc: <bugtraq () securityfocus com>
Sent: Wednesday, December 03, 2003 11:16 PM
Subject: Re: [Full-disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer
overflow



Yeah! Yahoo is sux. Yahoo Messenger has tons of bugs.
But you are more sux than yahoo since you stole my
work and posted my found bug to yahoo and bugtraq.
Funny enough when your little company SentryUnion is
trying to sell "Indetify Theft" protection service but
you got owned, stole mail and money from your paypal
account, logged everything your chatted with gf via
one another yahoo messenger 0day.

Stop leaking and killing my bug kid. Go to school to
learn more.

The Blanc

<trihuynh () zeeup com> wrote:

Hi all,
This bug is a lame bug, very lame actually. I release

it in order to

show that how a big company don't even do a basic QA.

If we look through

the security records of YIM, almost any YIM's

ActiveX/Com

components do have some kind of buffer overflow and

it is very easy

to spot them too (by fuzzing the IDispatch

interface). I have no idea

how can QA guys in the YIM project can manage to let

these

dangerous bugs survival through the testing state.

Maybe they

are so busy watching the new "Joe Millionaire" show

:-))))

Trihuynh
Sentryunion
-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On

Behalf Of Tri Huynh

Sent: Wednesday, December 03, 2003 10:07
To: full-disclosure () lists netsys com;

bugtraq () securityfocus com

Cc: bugs () securitytracker com; news () securiteam com;

vuln () secunia com

Subject: [Full-disclosure] Yahoo Instant Messenger

YAUTO.DLL buffer overflow


Yahoo Instant Messenger YAUTO.DLL buffer overflow
=================================================
PROGRAM: Yahoo Instant Messenger (YIM)
HOMEPAGE: http://messenger.yahoo.com
VULNERABLE VERSIONS: 5.6.0.1347 and below

DESCRIPTION
=================================================
YIM is one of the most popular instant messenger.

This is a cool product,

that allows me to chat with my gf from a very long

distant :-).


DETAILS
=================================================
YAUTO.DLL is an ActiveX/COM component that comes with

Yahoo Install

Messenger. YAUTO.DLL is registered under a ProgID

called "YAuto.NSAuto.1".

In this component, there is a function named

Open(String Url) that will

cause a buffer overflow if argument Url is passed

with a long string. Since

this is an ActiveX component, the vulnerability can

be exploited just by

making a website with the correct CLSID of the

ActiveX and call the function

directly. We have successfully exploited the

vulnerability by making a

website that can download a trojan and execute it

silently.


WORKAROUND
=================================================
Yahoo has been contacted at

enterprisesales () yahoo-inc com (this is the only

email that I can find on the Yahoo Messenger Site)

but doesn't response

after 1 month. The workaround solution is deleting

the YAUTO.DLL file in

your YIM directory.

CREDITS
=================================================
Discovered by Tri Huynh from SentryUnion

DISLAIMER
=================================================
The information within this paper may change without

notice. Use of this

information constitutes acceptance for use in an AS

IS condition. There are

NO warranties with regard to this information. In no

event shall the author

be liable for any damages whatsoever arising out of

or in connection with

the use or spread of this information. Any use of

this information is at the

user's own risk.

FEEDBACK
=================================================
Please send suggestions, updates, and comments to:

trihuynh () zeeup com

_______________________________________________
Full-Disclosure - We believe in it.
Charter:

http://lists.netsys.com/full-disclosure-charter.html



--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: