Vulnerability Development mailing list archives

Yahoo pager


From: Blake Frantz <blake () MAIL MC NET>
Date: Wed, 30 Aug 2000 14:51:59 -0500

All,

I don't know if this applies to the list or if it is even exploitable by
adding hostile code at the end of the URL.  I bring it up because of the
popularity of Yahoo Messenger.

When a URL is presented that exceeds 1024 characters, Yahoo Messenger
creates an application exception (number c0000005, access violation).

I tested this on:

Yahoo Messenger 3,0,0,770
MyYahoo Module 2,0,0,348

on

Windows 2000 Professional 5.000.2195.

and YM generated the exception.

I tested another box:

Yahoo Messenger 3,0,0,769
MyYahoo Module 2,0,0,344

on

Windows 98 SE 4.10.2222 A

and nothing significant happened.

This is what the Dr. Watson log says on the Win2K box:
(the bottom of the log has the state dump)

<snip>
Application exception occurred:
        App:  (pid=1268)
        When: 8/30/2000 @ 00:06:54.717
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: PENNY
        User Name: Administrator
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 5 Stepping 2
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: None
        Current Type: Uniprocessor Free
        Registered Organization: XXXXXXXXX
        Registered Owner: XXXXXXXX

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 132 smss.exe
 160 csrss.exe
 180 winlogon.exe
 208 services.exe
 220 lsass.exe
 380 svchost.exe
 408 SPOOLSV.exe
 440 svchost.exe
 476 regsvc.exe
 492 mstask.exe
 528 snmp.exe
 576 winmgmt.exe
 612 inetinfo.exe
 736 explorer.exe
 992 winampa.exe
1140 3cshtdwn.exe
1152 3cmlink.exe
1224 MDM.exe
 548 OUTLOOK.exe
 716 ntvdm.exe
1212 IEXPLORE.exe
1268 YPager.exe
1300 drwtsn32.exe
   0 _Total.exe

(00400000 - 0048D000)
(77F80000 - 77FF9000)
(77E80000 - 77F36000)
(77E10000 - 77E75000)
(77F40000 - 77F7C000)
(76B30000 - 76B6E000)
(77C70000 - 77CBA000)
(77DB0000 - 77E0A000)
(77D40000 - 77DAF000)
(77B50000 - 77BDA000)
(775A0000 - 777E0000)
(78000000 - 78046000)
(77A50000 - 77B45000)
(65340000 - 653D5000)
(77820000 - 77827000)
(759B0000 - 759B6000)
(77570000 - 775A0000)
(75050000 - 75058000)
(75030000 - 75044000)
(75020000 - 75028000)
(10000000 - 10010000)
(00230000 - 00239000)
(012E0000 - 0131F000)
(77CC0000 - 77D40000)
(01640000 - 01669000)
(63000000 - 63073000)
(76B20000 - 76B25000)
(772B0000 - 7731C000)
(01950000 - 01979000)
(71500000 - 71611000)
(77850000 - 7788C000)
(770C0000 - 770E3000)
(76D90000 - 76DE3000)
(1A400000 - 1A472000)
(75D50000 - 75DD2000)
(70000000 - 70242000)
(4A000000 - 4A02C000)
(4AA00000 - 4AA15000)
(02510000 - 0252D000)
(02860000 - 0287B000)
(02990000 - 029A8000)
(774E0000 - 77512000)
(774C0000 - 774D1000)
(77530000 - 77552000)
(77830000 - 7783E000)
(77520000 - 77525000)
(77C10000 - 77C6D000)
(75170000 - 751BF000)
(77BE0000 - 77BEF000)
(751C0000 - 751C6000)
(75150000 - 7515F000)
(77950000 - 77979000)
(77980000 - 779A4000)
(77840000 - 7784C000)
(75AC0000 - 75AE8000)
(777E0000 - 777E8000)
(777F0000 - 777F5000)
(74FD0000 - 74FE1000)
(75010000 - 75017000)
(75E60000 - 75E7A000)
(77560000 - 77569000)
(77400000 - 77408000)
(77410000 - 77423000)

State Dump for Thread Id 0x4e4

eax=00000001 ebx=0018da51 ecx=0012fe88 edx=77e694a0 esi=0012f958 edi=00000daf
eip=61616161 esp=0012e7e8 ebp=61616161 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246

function: <nosymbols>

</snip>
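Editor's note on the state dump above. The register values eip=61616161 and ebp=61616161 are the bytes "aaaa": the filler of the over-long URL was copied past the end of a stack buffer and overwrote both the saved frame pointer and the saved return address, which the function's epilogue then popped into EBP and EIP. That is what makes the crash worth triaging rather than dismissing as a plain DoS. With a uniform filler, though, there is no way to tell which four bytes of the URL ended up in EIP. The standard next step is to resend with a non-repeating cyclic pattern and look the faulting register value up in it. The program below is an added example written for this note; it is not code from the original post and has nothing to do with Yahoo's own code. The 1024-byte threshold and the idea of a long URL come from the post; the "http://" prefix, the 1100-byte test length and the simulated second-run EIP are assumptions for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example: cyclic-pattern triage for a crash where EIP holds filler bytes.
   Not from the original post or from any Yahoo code; see the note above. */

#define PAT_MAX 20280 /* 26 * 26 * 10 triples * 3 bytes: every 4-byte window unique */

/* Fill out[] with the classic "Aa0Aa1...Aa9Ab0..." pattern, NUL-terminated.
   Every 4-byte window is unique within the first PAT_MAX bytes. Returns bytes written. */
size_t cyclic_pattern(char *out, size_t cap, size_t len)
{
    size_t n = 0;
    if (cap == 0) return 0;
    if (len > cap - 1) len = cap - 1;
    if (len > PAT_MAX) len = PAT_MAX;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* Read 4 pattern bytes at off as the little-endian dword that an x86
   "pop ebp; ret" epilogue would load into EBP/EIP from the stack. */
uint32_t dword_at(const char *pat, size_t off)
{
    const unsigned char *p = (const unsigned char *)pat + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Locate a crashed register's value in the pattern. Returns the byte offset
   of the 4 bytes that were loaded into it, or -1 if it is not in the pattern. */
long cyclic_find(const char *pat, size_t len, uint32_t reg)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(reg >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* If all four bytes of reg are identical (0x61616161 -> 'a'), return that byte:
   the run used uniform filler and the offset cannot be recovered. Else -1. */
int filler_byte(uint32_t reg)
{
    unsigned char b = (unsigned char)reg;
    return (reg == (uint32_t)b * 0x01010101u) ? b : -1;
}

/* Build the URL to resend: an assumed "http://" prefix followed by enough
   pattern bytes to pass the 1024-byte threshold reported in the post. */
size_t build_test_url(char *out, size_t cap, size_t total_len)
{
    const char prefix[] = "http://";
    size_t plen = sizeof prefix - 1;
    if (cap <= plen || total_len <= plen) return 0;
    memcpy(out, prefix, plen);
    return plen + cyclic_pattern(out + plen, cap - plen, total_len - plen);
}

int main(void)
{
    static char url[2048];
    size_t n = build_test_url(url, sizeof url, 1100);
    printf("test URL: %zu bytes, starts %.20s...\n", n, url);

    /* The crash as reported: uniform 'a' filler, so only the byte is known. */
    printf("eip=61616161 -> filler byte '%c', offset unknown\n", filler_byte(0x61616161u));

    /* Simulated second run. This EIP is constructed from the pattern here;
       it is not a value from the post. */
    uint32_t fake_eip = dword_at(url, 1030);
    printf("eip=%08x -> pattern offset %ld\n", fake_eip, cyclic_find(url, n, fake_eip));
    return 0;
}
```

The offset `cyclic_find` returns is measured from the start of the URL string, so it includes the prefix; whether the overflowed buffer receives the whole URL or only what follows the scheme is something the second crash dump would have to confirm. Note also that a 1024-byte threshold with a 1093-byte pattern only exercises the first 69 bytes past the buffer, which is enough to reach the saved EBP and return address in this dump but says nothing about what other stack data sits between them.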
