[ISN] Yahoo! Messenger! multiple! vulns!

From: InfoSec News (isnat_private)
Date: Wed May 29 2002 - 02:48:28 PDT


    http://www.theregister.co.uk/content/55/25466.html
    
    By Thomas C Greene in Washington
    Posted: 28/05/2002 at 09:08 GMT
    
    There are two new Yahoo Instant Messenger (YIM) vulnerabilities which 
    can potentially compromise a user's machine, Vietnamese researcher 
    Phuong Nguyen has discovered. Yahoo! has been notified and a fixed 
    version is available for download here. 
    
    First up, an unchecked buffer: any URL beginning with 'ymsgr:' is 
    handed to ypager.exe, and an over-long one can crash it and run 
    malicious code if the messenger is integrated with the browser. All 
    that's needed is 268 bytes to overflow the buffer, and the exploit 
    code then runs with the user's level of privilege. The 'call', 
    'sendim', 'getimv', 'chat', 'addview' and 'addfriend' function calls 
    can all be exploited, Nguyen says. 
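    As an added, defender-side illustration (not Yahoo!'s code and not 
    taken from Nguyen's advisory), the C below models a 'ymsgr:' URL 
    handler that checks the length and content of its input before 
    anything is copied into a fixed-size buffer, which is the class of 
    check the unchecked handler described above lacks. The URL layout 
    'ymsgr:<verb>?<argument>', the buffer sizes and the character 
    whitelist are assumptions made for the example; the verb list is the 
    one the article names.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not Yahoo!'s code. Assumed layout: ymsgr:<verb>?<argument>,
 * e.g. ymsgr:sendim?alice. Buffer sizes are chosen for the example only. */
#define YMSGR_SCHEME "ymsgr:"
#define MAX_VERB 16
#define MAX_ARG  64

typedef struct {
    char verb[MAX_VERB];
    char arg[MAX_ARG];
} ymsgr_request;

/* Verbs the article lists as reachable from a browser-supplied URL. */
static const char *const allowed_verbs[] = {
    "call", "sendim", "getimv", "chat", "addview", "addfriend", NULL
};

static bool verb_allowed(const char *verb) {
    for (const char *const *p = allowed_verbs; *p; ++p)
        if (strcmp(*p, verb) == 0) return true;
    return false;
}

/* Returns 0 on success, -1 on malformed, unknown-verb or over-long input.
 * Every length check runs before a single byte is written to the struct;
 * over-long input is rejected outright rather than silently truncated. */
int parse_ymsgr_url(const char *url, ymsgr_request *out) {
    size_t scheme_len = strlen(YMSGR_SCHEME);
    if (!url || !out) return -1;
    if (strncmp(url, YMSGR_SCHEME, scheme_len) != 0) return -1;

    const char *verb_start = url + scheme_len;
    const char *q = strchr(verb_start, '?');
    size_t verb_len = q ? (size_t)(q - verb_start) : strlen(verb_start);
    if (verb_len == 0 || verb_len >= MAX_VERB) return -1;

    const char *arg_start = q ? q + 1 : "";
    size_t arg_len = strlen(arg_start);
    if (arg_len >= MAX_ARG) return -1;          /* would not fit: reject */

    /* Printable ASCII only: rejects control bytes and raw 8-bit data. */
    for (size_t i = 0; i < arg_len; ++i) {
        unsigned char c = (unsigned char)arg_start[i];
        if (c < 0x20 || c > 0x7e) return -1;
    }

    memcpy(out->verb, verb_start, verb_len);
    out->verb[verb_len] = '\0';
    if (!verb_allowed(out->verb)) return -1;

    memcpy(out->arg, arg_start, arg_len);
    out->arg[arg_len] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if the handler would accept the URL, else 0. */
int ymsgr_accepts(const char *url) {
    ymsgr_request r;
    return parse_ymsgr_url(url, &r) == 0 ? 1 : 0;
}

/* Constructed input: a 268-byte argument, the length the article cites.
 * Returns 1 if the handler rejects it, 0 if it would have been copied. */
int overlong_argument_rejected(void) {
    char url[300] = "ymsgr:call?";
    size_t prefix = strlen(url);
    memset(url + prefix, 'A', 268);
    url[prefix + 268] = '\0';
    return ymsgr_accepts(url) ? 0 : 1;
}

int main(void) {
    printf("ymsgr:sendim?alice -> %s\n",
           ymsgr_accepts("ymsgr:sendim?alice") ? "accepted" : "rejected");
    printf("268-byte argument   -> %s\n",
           overlong_argument_rejected() ? "rejected" : "accepted");
    return 0;
}
```

    The point of the wrapper is that the decision to accept or reject is 
    made on the raw length and character set first; the fixed buffers are 
    only written once both are known to fit, so no input length can 
    reach the copy unchecked.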
    
    Next up, a problem with the 'addview' feature, which enables the 
    messenger to view Web content on its own. This is vulnerable to freaky 
    URLs and to malicious JavaScript and VBScript. Yahoo! content can be 
    duplicated and malicious scripts embedded in the HTML, giving an 
    attacker numerous means to exploit a target. See Nguyen's original 
    advisory for links to a couple of simple demonstrations (which I've 
    not verified). Yahoo! has removed this particular 'feature' in the 
    fixed version pending further engineering magic to make it safe, 
    Nguyen says. 
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 06:24:39 PDT