[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service

To: <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
From: "Menashe Eliezer" <menashe@finjan.com>
Date: Sun, 14 Dec 2003 15:18:24 +0200

Yahoo E-mail Service Vulnerability

Release Date:  December 10, 2003

Severity: Critical (Potential web-based e-mail worm)

Systems Affected:

Other web-based e-mail systems may be vulnerable.

Internet Explorer and any software application used for reading Yahoo e-mail 
messages.

Status:

Yahoo,Excite and Outblaze (Mail.com) have already patched their Web-based 
e-mail services. Other web-based e-mail systems may be vulnerable.

 

Description:

Finjan Software identified a malicious script execution security vulnerability 
in Yahoo's Web-based e-mail service. This vulnerability had the potential to 
allow malicious hackers to automatically launch a worm or malicious mobile code 
attack upon the opening of an e-mail message. The vulnerability was reported to 
Yahoo and has been fixed. Malicious Script Execution flaws allow a malicious 
hacker to input malicious script into a seemingly normal e-mail message. A 
computer user opening an e-mail message containing an embedded malicious script 
could automatically be hit with a malicious code attack if scripting has been 
enabled on the Web browser. Malicious script can be written in various 
languages including Java, JavaScript, VB Script, Active X, and HTML. 

In addition to destroying files, malicious code attacks have the ability to 
steal personal information such as usernames, passwords, credit card numbers, 
and any other information a user inputs into the computer. It can also expose 
restricted parts of a local area network, such as an Intranet, to the public.

"Web-based e-mails have become very popular due to its ability to provide 
access to one's e-mail messages from any computer connected to the Internet," 
said Brian Burke, program manager at IDC. "Malicious hackers are always looking 
at ways to gain unauthorized access to personal information of their victims 
for various reasons and Web e-mail services are certainly a potential target." 
Other web-based e-mail systems may be vulnerable to this vulnerability. 
Additional information about the malicious script execution security flaw can 
be found at: http://www.kb.cert.org/vuls/id/707100

 

Technical details:

This was a cross-site scripting vulnerability of the Yahoo! Web-based e-mail 
service. The purpose of Yahoo's active content filter is to block the injection 
of any active content into Yahoo! messages. However, the basic failure that 
allowed this vulnerability is that there was no blocking of a double encoding. 
Yahoo's filter removed only the first instance.

MCRC has inserted malformed encoded style to the 'input' HTML tag, using 
several known encoding methods.

For example: 

<input type="text" size=80 value="XSS Yahoo Mail" style="\000062 
ackground-image:url('java\73 crip\t\3A ... 

The 'input' tag can be used to call a JavaScript file.

The injected JavaScript code is responsible for:

-Automatic launching of malicious code.

-Getting personal information of users in Yahoo! address book and creating a 
detailed commercial database to be used by spammers. (using the known cookies 
decoder tool, created by i_n_f_o_w_a_r@hotmail.com)

-Identity theft using a spoofed re-login window (suggested by 
http-equiv@malware.com).

-Read and Disclose User inbox & contacts.

-Sending an e-mail message.

The JavaScript code has been used for creating demos, but Finjan Software won't 
reveal this source code.

The ActiveX control could have been used for a destructive payload of the 
propagating worm. It also allows propagation to non-Yahoo users.

The basic attack does not require an ActiveX control. The ActiveX control is 
the payload that can be used to extend the attack to non-web mail users, or to 
perform any malicious activity, including formatting of the hard disk

Upon using the ActiveX control, end user may get a security warning. It depends 
on the security setting of the browser. An example: 
http://www.finjan.com/mcrc/demos/activex.cfm (Click on the 'test me' button 
after reading the disclaimer)

The initial tip was received from "stardust (hoshikuzu)".

 

Protection:

This specific vulnerability has been eliminated by Yahoo based on Finjan 
Software notification. Finjan's content security products: SurfinGate for Web, 
SurfinGate

for E-mail, SurfinShield Corporate and SurfinGuard Pro, provided proactive 
defense against this Yahoo vulnerability prior to its detection and correction.

Finjan's patented behavior inspection engine will protect computer users from 
similar future vulnerabilities and comparable potential exploits.

 

Credit: stardust (hoshikuzu), Dror Shalev and Menashe Eliezer.

 

Finjan Software MCRC

http://www.finjan.com/mcrc

Prevention is the best cure!

Prev by Date: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Next by Date: [Full-Disclosure] lftp buffer overflows
Previous by thread: [Full-Disclosure] Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
Next by thread: RE: [Full-Disclosure] The *real* reason the pivx unpatched IE fla ws page was taken offline?
Index(es):
- Date
- Thread