Full Disclosure mailing list archives
RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
From: "trihuynh () zeeup com" <trihuynh () zeeup com>
Date: Wed, 3 Dec 2003 12:34:45 -0500
Hi all, This bug is a lame bug, very lame actually. I release it in order to show that how a big company don't even do a basic QA. If we look through the security records of YIM, almost any YIM's ActiveX/Com components do have some kind of buffer overflow and it is very easy to spot them too (by fuzzing the IDispatch interface). I have no idea how can QA guys in the YIM project can manage to let these dangerous bugs survival through the testing state. Maybe they are so busy watching the new "Joe Millionaire" show :-)))) Trihuynh Sentryunion -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tri Huynh Sent: Wednesday, December 03, 2003 10:07 To: full-disclosure () lists netsys com; bugtraq () securityfocus com Cc: bugs () securitytracker com; news () securiteam com; vuln () secunia com Subject: [Full-disclosure] Yahoo Instant Messenger YAUTO.DLL buffer overflow Yahoo Instant Messenger YAUTO.DLL buffer overflow ================================================= PROGRAM: Yahoo Instant Messenger (YIM) HOMEPAGE: http://messenger.yahoo.com VULNERABLE VERSIONS: 5.6.0.1347 and below DESCRIPTION ================================================= YIM is one of the most popular instant messenger. This is a cool product, that allows me to chat with my gf from a very long distant :-). DETAILS ================================================= YAUTO.DLL is an ActiveX/COM component that comes with Yahoo Install Messenger. YAUTO.DLL is registered under a ProgID called "YAuto.NSAuto.1". In this component, there is a function named Open(String Url) that will cause a buffer overflow if argument Url is passed with a long string. Since this is an ActiveX component, the vulnerability can be exploited just by making a website with the correct CLSID of the ActiveX and call the function directly. We have successfully exploited the vulnerability by making a website that can download a trojan and execute it silently. WORKAROUND ================================================= Yahoo has been contacted at enterprisesales () yahoo-inc com (this is the only email that I can find on the Yahoo Messenger Site) but doesn't response after 1 month. The workaround solution is deleting the YAUTO.DLL file in your YIM directory. CREDITS ================================================= Discovered by Tri Huynh from SentryUnion DISLAIMER ================================================= The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. FEEDBACK ================================================= Please send suggestions, updates, and comments to: trihuynh () zeeup com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Yahoo Instant Messenger YAUTO.DLL buffer overflow Tri Huynh (Dec 02)
- RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 02)
- Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow Dave Sherohman (Dec 03)
- Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow Marc Bejarano (Dec 09)
- <Possible follow-ups>
- RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow trihuynh () zeeup com (Dec 03)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow De Blanc (Dec 03)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Tri Huynh (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow dave kleiman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow List Account (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Boris Veytsman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow dave kleiman (Dec 04)
- RE: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Kristian Hermansen (Dec 04)
- Re: RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow Exibar (Dec 04)
(Thread continues...)