[32772] in bugtraq


Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow

daemon@ATHENA.MIT.EDU (Marc Bejarano)
Wed Dec 10 14:24:11 2003

Message-Id: <6.0.1.1.2.20031209184538.029e2ec0@127.0.0.1>
Date: Tue, 09 Dec 2003 18:48:56 -0400
To: "Tri Huynh" <trihuynh@zeeup.com>
From: Marc Bejarano <bugtraq-post@beej.org>
Cc: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>,
        <bugs@securitytracker.com>, <news@securiteam.com>, <vuln@secunia.com>,
        security@yahoo-inc.com
In-Reply-To: <005801c3b974$6d7adfe0$329f8018@youru10ixi0anw>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

yahoo claims to have fixed this problem.  latest version is now 5.6.0.1356.

see http://messenger.yahoo.com/security/update4.html

afaik, the "Yahoo Messenger Flaw allows injection of JavaScript into IM 
Windows" problem reported to bugtraq by chet simpson on 12/5 remains unfixed.

marc

At 04:06 12/3/2003, Tri Huynh wrote:
 >Yahoo Instant Messenger YAUTO.DLL buffer overflow
 >=================================================
 >
 >PROGRAM: Yahoo Instant Messenger (YIM)
 >HOMEPAGE: http://messenger.yahoo.com
 >VULNERABLE VERSIONS: 5.6.0.1347 and below
 >
 >
 >DESCRIPTION
 >=================================================
 >
 >YIM is one of the most popular instant messengers. This is a cool product,
 >that allows me to chat with my gf from a very long distance :-).
 >
 >
 >DETAILS
 >=================================================
 >
 >YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
 >Instant Messenger. YAUTO.DLL is registered under a ProgID called
 >"YAuto.NSAuto.1". In this component, there is a function named
 >Open(String Url) that will cause a buffer overflow if argument Url is passed
 >with a long string. Since this is an ActiveX component, the vulnerability can
 >be exploited just by making a website with the correct CLSID of
 >the ActiveX and calling the function directly. We have successfully exploited
 >the vulnerability by making a website that can download a trojan and
 >execute it silently.
 >
 >
 >
 >WORKAROUND
 >=================================================
 >
 >Yahoo has been contacted at enterprisesales@yahoo-inc.com (this
 >is the only email that I can find on the Yahoo Messenger Site) but
 >has not responded after 1 month. The workaround solution is deleting
 >the YAUTO.DLL file in your YIM directory.
 >
 >
 >CREDITS
 >=================================================
 >
 >Discovered by Tri Huynh from SentryUnion
 >
 >
 >DISCLAIMER
 >=================================================
 >
 >The information within this paper may change without notice. Use of
 >this information constitutes acceptance for use in an AS IS condition.
 >There are NO warranties with regard to this information. In no event
 >shall the author be liable for any damages whatsoever arising out of
 >or in connection with the use or spread of this information. Any use
 >of this information is at the user's own risk.
 >
 >
 >FEEDBACK
 >=================================================
 >
 >Please send suggestions, updates, and comments to: trihuynh@zeeup.com

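The advisory above identifies the control only by its ProgID ("YAuto.NSAuto.1") and proposes deleting YAUTO.DLL as the workaround. The script below is an added example that is not part of Marc's reply or Tri Huynh's advisory: it resolves the ProgID to its CLSID and server DLL through the registry, checks whether the DLL still exists on disk, and reports whether Internet Explorer's kill bit (the documented Compatibility Flags value 0x400 under the ActiveX Compatibility key) is set for that CLSID, so an administrator can verify that the control can no longer be instantiated from a web page. The ProgID comes from the advisory; the kill-bit key and flag value are Microsoft's documented mechanism; the function names are this example's own.

```powershell
# Added example (not from the original post or from Yahoo): audit a Windows
# host for the YAuto.NSAuto.1 ActiveX control named in the advisory and report
# whether IE's kill bit is set for it. Run in an elevated PowerShell session if
# you intend to apply the kill bit with Set-ActiveXKillBit.

$ProgId = 'YAuto.NSAuto.1'   # ProgID quoted in the advisory

function Get-ClsidFromProgId {
    param([string]$ProgId)
    # HKCR\<ProgID>\CLSID holds the CLSID as its default value.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Get-ActiveXControlStatus {
    param([string]$ProgId)
    $clsid = Get-ClsidFromProgId -ProgId $ProgId
    if (-not $clsid) {
        return [pscustomobject]@{
            ProgId = $ProgId; Registered = $false; Clsid = $null
            Dll = $null; DllPresent = $false; KillBit = $false
        }
    }
    # HKCR\CLSID\{...}\InprocServer32 points at the DLL that implements it.
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = $null
    if (Test-Path $serverKey) { $dll = (Get-ItemProperty -Path $serverKey).'(default)' }
    # Kill bit: HKLM\...\ActiveX Compatibility\{CLSID}, "Compatibility Flags" bit 0x400.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $value = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($value) { $flags = [int]$value }
    }
    [pscustomobject]@{
        ProgId     = $ProgId
        Registered = $true
        Clsid      = $clsid
        Dll        = $dll
        DllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
        KillBit    = (($flags -band 0x400) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    # Sets the documented kill bit so IE refuses to load the control. Requires
    # administrative rights; does not remove the DLL itself.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = 0
    $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($existing) { $current = [int]$existing }
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
        -Value ($current -bor 0x400) -Type DWord
}

$status = Get-ActiveXControlStatus -ProgId $ProgId
$status | Format-List

if ($status.Registered -and -not $status.KillBit) {
    Write-Warning "$ProgId ($($status.Clsid)) is registered and has no kill bit set."
    # Uncomment to apply the mitigation from an elevated session:
    # Set-ActiveXKillBit -Clsid $status.Clsid
}
```

Deleting YAUTO.DLL as the advisory suggests leaves the registry entries in place, so `Registered` can still be true while `DllPresent` is false; the kill bit covers that case too, because it stops Internet Explorer from instantiating the CLSID regardless of whether the file is later restored by a reinstall.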
