
[Full-Disclosure] Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow



yahoo claims to have fixed this problem. latest version is now 5.6.0.1356.

see http://messenger.yahoo.com/security/update4.html

afaik, the "Yahoo Messenger Flaw allows injection of JavaScript into IM Windows" problem reported to bugtraq by chet simpson on 12/5 remains unfixed.

marc

At 04:06 12/3/2003, Tri Huynh wrote:
>Yahoo Instant Messenger YAUTO.DLL buffer overflow
>=================================================
>
>PROGRAM: Yahoo Instant Messenger (YIM)
>HOMEPAGE: http://messenger.yahoo.com
>VULNERABLE VERSIONS: 5.6.0.1347 and below
>
>
>DESCRIPTION
>=================================================
>
>YIM is one of the most popular instant messengers. This is a cool product
>that allows me to chat with my gf from a very long distance :-).
>
>
>DETAILS
>=================================================
>
>YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
>Instant Messenger. YAUTO.DLL is registered under a ProgID called
>"YAuto.NSAuto.1". In this component, there is a function named
>Open(String Url) that will cause a buffer overflow if argument Url is passed
>with a long string. Since this is an ActiveX component, the vulnerability can
>be exploited just by making a website with the correct CLSID of
>the ActiveX and calling the function directly. We have successfully exploited
>the vulnerability by making a website that can download a trojan and
>execute it silently.
>
>
>
>WORKAROUND
>=================================================
>
>Yahoo has been contacted at enterprisesales@yahoo-inc.com (this
>is the only email that I can find on the Yahoo Messenger Site) but
>has not responded after 1 month. The workaround solution is deleting
>the YAUTO.DLL file in your YIM directory.
>
>
>CREDITS
>=================================================
>
>Discovered by Tri Huynh from SentryUnion
>
>
>DISCLAIMER
>=================================================
>
>The information within this paper may change without notice. Use of
>this information constitutes acceptance for use in an AS IS condition.
>There are NO warranties with regard to this information. In no event
>shall the author be liable for any damages whatsoever arising out of
>or in connection with the use or spread of this information. Any use
>of this information is at the user's own risk.
>
>
>FEEDBACK
>=================================================
>
>Please send suggestions, updates, and comments to: trihuynh@zeeup.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
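
An added example, not part of either post above: a triage of an install inventory against the two builds this thread names (5.6.0.1347 and below as vulnerable, 5.6.0.1356 as the build the vendor says is fixed) and the advisory's workaround of deleting YAUTO.DLL. The host names, CSV columns, status labels and the sample rows are constructed for illustration.

```python
import csv
import io
import re

LAST_VULNERABLE = (5, 6, 0, 1347)  # advisory: "5.6.0.1347 and below"
VENDOR_FIXED = (5, 6, 0, 1356)     # reply: build the vendor says is fixed

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text, yauto_present):
    """Map one install to a status label (labels are this example's own)."""
    v = parse_version(version_text)
    if v is not None and v >= VENDOR_FIXED:
        return "vendor-fixed"
    if not yauto_present:
        return "workaround-applied"   # YAUTO.DLL deleted, per the advisory
    if v is None:
        return "unknown-version"
    # Compare as integer tuples: as strings, "5.6.0.999" sorts after "5.6.0.1347".
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    return "unverified-build"         # between the two builds the thread names

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,yim_version,yauto_dll_present
ws-01,5.6.0.1347,yes
ws-02,5.6.0.1356,yes
ws-03,5.6.0.999,yes
ws-04,5.5.0.1246,no
ws-05,5.6.0.1351,yes
ws-06,unknown,yes
"""

def triage(csv_text):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["host"]: classify(r["yim_version"],
                            r["yauto_dll_present"].strip().lower() == "yes")
        for r in rows
    }

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Builds between the two named versions are reported as "unverified-build" because neither message says whether they are affected.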