Critical Bug In Yahoo! Messenger Webcam Activex

	Critical Bug In Yahoo! Messenger Webcam Activex
	Discussion by tansqrx with 3 Replies. Last Update: June 10, 2007, 5:12 am

tansqrx

This bug first came to light on Information Week’s website yesterday, June 6, 2007 (http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856). The original research group is the well known eEye (http://research.eeye.com/html/advisories/upcoming/20070605.html), which said the vulnerability was serious and could lead to remote code execution. Since the original report it has also been posted by Computer World (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9023945&intsrc=news_ts_head) that a separate research named “Danny” has released the exploit into the wild. In a follow-up today he also posted a second exploit. All of the discussions can be found at http://lists.grok.org.uk/pipermail/full-di...sure/2007-June/.

Thu Jun 7, 2007 Reply New Discussion

tansqrx

It looks like the fun may be over. Yahoo! has announced the release of a patch to correct the buffer overflow in the webcam ActiveX control. The official Yahoo! annoucment of the patch is located at http://messenger.yahoo.com/security_update.php?id=060707. This is a very quick turn around for Yahoo! as the exploit was only public for three days before a patch was issued. More detail can be found at http://lists.grok.org.uk/pipermail/full-di...une/063875.html. The patch does require you to completely reinstall Messenger and has not been automatically pushed out as of late Friday on June 8, 2007. Since the patch is not automatic the fun may continue for at least a few more days.

Sat Jun 9, 2007 Reply New Discussion

tansqrx

As a public service I decided to create a page that checks for this vulnerability. The start page can be found at http://Ycoderscookbook.com/WebcamExploitWarning.htm.

On June 6, 2007 eEye (http://research.eeye.com/html/advisories/upcoming/20070605.html) security published a report stating the Yahoo! Messenger was susceptible to a buffer overflow. The next day a Yahoo! spokesperson let it slip that the problem was in the webcam ActiveX control that allows a user to display his webcam on a webpage. Shortly after that exploit code was published on the Full Disclosure mailing list (http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/). There are actually two different components that can be exploited, ywcupl.dll (Webcam Upload) and Ywcvwr.dll (Webcam Download).

What to expect
Here you can test to see if you are vulnerable to this particular exploit. Be warned that this may cause the following:
• Crash of web browser
• System becomes unstable
• Antivirus screaming bloody murder
If you are vulnerable then your web browser should crash. I have found that it is more likely to happen in IE than Firefox.

Ywcvwr.dll Runs Calc.exe
This was the first proof of concept. It uses a fairly standard payload that starts the Windows calculator.

ywcupl.dll Runs Freecell.exe
The second proof of concept is certainly much more nasty. It will download a program from anywhere on the Internet and then run that program. In my example I download Free.exe and then run it. Free.exe simply opens a new process for the Free Cell Windows game. Free.exe is written in VB.NET so you will have to have the .NET Framework to run it. Certainly you could use your imagination and see that this is the ultimate exploit.

References
• http://lists.grok.org.uk/pipermail/full-di...une/063875.html
• http://www.informationweek.com/news/showAr...cleID=199901856
• http://www.computerworld.com/action/articl...rc=news_ts_head
• http://lists.grok.org.uk/pipermail/full-di...une/063846.html
• http://www.securityfocus.com/archive/1/470861
• http://blogs.zdnet.com/security/?p=274

Sun Jun 10, 2007 Reply New Discussion