Vulnerability Development mailing list archives

Re: Possible Yahoo Messenger security issues


From: Curt Wilson <cwsecgeek () yahoo com>
Date: 7 Jan 2002 06:35:40 -0000


In-Reply-To: <20020104192111.15122.qmail () mail securityfocus com>

This appears to just be a webserver used by Yahoo 
IM to xfer files; check your IM preferences for file xfer 
options (which includes a path to virus scanner 
executable). The default port appears to be port 80 so 
Code Red, Nimda and all usual scans will be hitting 
this baby and showing up in the Yserver.log. There 
could be some options for attack here but I've yet to 
explore them. I tried to manually grab a file using the 
format shown in Yserver.log; I sent a file to myself and 
it looks like the file was checked first (Head 
image/jpeg) and then sent. Myname618 is my 
(sanitized) yahoo email address, not sure what the 
1010383053484 is, but acid_test.jpg is the file I sent. 
Could be some options for something other 
than /Messenger as the initial connection string and 
AppID=Messenger. Could be a way to spoof 
usernames here; not sure what the K=lc9lid is in this 
case, needs more analysis when I have more time.

The HEAD request:

01/06/102 23:57:42.593  01/06/102 23:57:42.625  00:00:00.032  192.168.1.2  Head  image/jpeg  /Messenger.myname618.1010383053484acid_test.jpg  200  0  .jpg
HEAD /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.01 [en] (Win95; I)
Host: 192.168.1.2
Content-Length: 0
Cache-Control: no-cache

The GET request:

01/06/102 23:57:42.640  01/06/102 23:57:42.796  00:00:00.156  192.168.1.2  Get  image/jpeg  /Messenger.myname618.1010383053484acid_test.jpg  200  249051  .jpg
GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
User-Agent: Mozilla/4.01 [en] (Win95; I)
Host: 192.168.1.2
Connection: Keep-Alive

I tried a basic directory traversal, as well as manually 
pasting one of the requests from the logfiles into 
a "telnet localhost 80" and received this:

HTTP/1.0 550 Failed on redirect
Server: Y!

Running Yserver.exe directly brings up a "Component 
Server" window.

The only intelligible strings I can see from viewing the 
EXE are

.text
.rdata
.data
.rsrc

Probably some room for exploitation somewhere in 
here, but I don't have time to mess with it. Have fun, 
let me know what you come up with if anything.

CWsecgeek
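
Added example, not part of Curt's post and not Yahoo's code: a small Python classifier for the request lines that show up in a Yserver.log, written from the defender's side of the observation above that a file-transfer listener on port 80 collects background scan traffic alongside legitimate transfers. It assumes the request shape quoted in the post (`/Messenger.<username>.<13-digit id><filename>?AppID=Messenger&UserID=<username>&K=<token>`) is the only legitimate form, separates those from traversal attempts and generic scanner noise, and flags the case the post wonders about, a `UserID` parameter that does not match the username embedded in the path. The username and id formats, the sample request lines other than the two quoted in the post, and the category names are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request-line shape taken from the two requests quoted in the post.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

# Assumed path form: /Messenger.<username>.<13-digit transfer id><filename>
# (username without dots or slashes, id of exactly 13 digits: both are guesses
# from the single example in the post, not a documented format).
PATH_RE = re.compile(r"^/Messenger\.(?P<user>[^./]+)\.(?P<xfer>\d{13})(?P<file>[^/]+)$")


def classify(request_line):
    """Return a category label for one raw HTTP request line."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return "malformed"
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    # Decode percent-encoding before looking for traversal so "..%2f" is not missed.
    path = unquote(parts.path)
    if ".." in path.split("/") or "\\" in path:
        return "traversal"
    pm = PATH_RE.match(path)
    if not pm:
        # Anything outside the Messenger transfer form: Code Red / Nimda style
        # background scans and other noise hitting port 80.
        return "scan-noise"
    qs = parse_qs(parts.query)
    if qs.get("AppID") != ["Messenger"] or "K" not in qs:
        return "bad-params"
    if qs.get("UserID") != [pm.group("user")]:
        # UserID parameter disagrees with the username in the path.
        return "user-mismatch"
    if method not in ("HEAD", "GET"):
        return "bad-method"
    return "transfer"


def summarize(request_lines):
    """Count categories over a batch of request lines."""
    counts = {}
    for line in request_lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: the first two lines are the HEAD and GET quoted in the
# post; the remaining three are made-up illustrations of what a defender
# would want to separate out.
SAMPLE_REQUESTS = [
    "HEAD /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1",
    "GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1",
    "GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=someoneelse&K=lc9lid HTTP/1.1",
    "GET /Messenger.myname618.1010383053484..%2f..%2fother.txt?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1",
    "GET /scripts/ HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):14s} {line}")
    print(summarize(SAMPLE_REQUESTS))
```

The value of running something like this over a real Yserver.log is the split it gives: transfers that match the expected form, requests that match the form but carry an inconsistent `UserID`, and everything else, which on a port-80 listener is mostly scanner background and can be dropped from review.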

