SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Instant Messaging/IRC/Chat)  >   Yahoo Messenger Vendors:   Yahoo
Yahoo! Messenger Download Filename Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008651
SecurityTracker URL:  http://securitytracker.com/id/1008651
CVE Reference:   CVE-2004-0043   (Links to External Site)
Updated:  Jul 6 2008
Original Entry Date:  Jan 8 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  
Version(s): 5.6.0.1351 and prior versions
Description:   Tri Huynh from SentryUnion reported a buffer overflow vulnerability in Yahoo! Messenger. A remote user can send a file to a target user to cause arbitrary code to be executed on the target user's system when the target user attempts to download the file.

It is reported that a specially crafted long filename can trigger the flaw. Arbitrary code execution may be possible.

As a demonstration exploit, the report indicates that you can send a file with the following type of filename:

test<insert around 210 spaces here>.jpg

The author notes that this flaw is different from the filename-related flaw reported in October 2003 [Editor's note: See Alert ID 1008008].

Impact:   A remote user may be able to cause arbitrary code to be executed on the target user's system when the target user attempts to download a file. The code will run with the privileges of the target user.
Solution:   It is reported that the flaw has been corrected in version 5.6.0.1358 but that the vendor has not disclosed the security issue. According to the report, existing users of vulnerable 5.6 versions cannot upgrade to the new version unless they reinstall the product.
Vendor URL:  messenger.yahoo.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Yahoo Instant Messenger Long Filename Downloading Buffer Overflow


Yahoo Instant Messenger Long Filename Downloading Buffer Overflow
  =================================================

  PROGRAM: Yahoo Instant Messenger (YIM)
  HOMEPAGE: http://messenger.yahoo.com
  VULNERABLE VERSIONS: 5.6.0.1351 and below


  DESCRIPTION
  =================================================

  YIM is one of the most popular instant messengers. This is a cool product
that supports many  useful features like audio/video chatting, file
transferring...

Fore more details about the product, please go to http://messenger.yahoo.com

  DETAILS
  =================================================

By sending a specially crafted long filename to a user, an attacker can
cause a buffer overflow when the user's YIM tries to download the file
from the server. (No need to run the file).

For a fast demonstration, you can create a file like this
  "test<insert around 210 spaces here>.jpg" and send it to
another user and ask her to download it.

Because this is a buffer overflow, there is always a possibility to
run malicious code on the user's machine.

NOTE : This vulnerability is different from the one was discovered by
Hat-Squad team in October.


  WORKAROUND
  =================================================

Yahoo has been contacted at security@yahoo-inc.com and I got no response
except that they said the are looking to it...and here is the interesting
story on how
Yahoo handle it (after my little investigation) which I quote from an email
I sent
  to a friend in the PenetrationGroup about the issue (sorry for my laziness
8-)  :

"I already contacted Yahoo couple days ago...
.......After reading your email, I removed my YIM and downloaded the new one
from their
website and you are right; the newest version 5.6.0.1358 is not vulnerable.
However,
there is NO WAY to upgrade from 5.6.0.xxxx to 5.6.0.1358 except you
reinstall
YIM; and of course Yahoo doesn't tell anybody about it either.

If you go to http://messenger.yahoo.com/messenger/security/ you will see
there is
no update for this vulnerability. Again, the only way to patch it is
reinstall YIM
which Yahoo doesn't say anything about it.
(FYI, This vulnerability lays in the file ft.dll which is used to hande file
transferring in YIM.
They do patch this file in the new version, however if you want to dig more
into this thing, you can always get the old file from any of the YIM users
you know easily since nobody reinstall their YIM for no reason.)

So here is the new Yahoo! security strategy. Instead of informing the users
and
issueing a patch, they slip the patch into their main program silently and
say nothing about the vulnerability.  Doing so, they can avoid
  the press to embarass them for leaving so many vulnerabilities in their
product. However,
it is also a big embarassment if they protect ONLY new users who download
the new version and leave millions of other users who are using the old
version with
no patches available and are uninformed of the vulnerability. Yahoo !.....
"

The only way to patch it is removing and reinstalling YIM from Yahoo
website. Don't
waste your time to look for a patch in the messenger security page or any
info about this vulnerability
from them.  They don't give a damn !

  CREDITS
  =================================================

  Discovered by Tri Huynh from SentryUnion


  DISLAIMER
  =================================================

  The information within this paper may change without notice. Use of
  this information constitutes acceptance for use in an AS IS condition.
  There are NO warranties with regard to this information. In no event
  shall the author be liable for any damages whatsoever arising out of
  or in connection with the use or spread of this information. Any use
  of this information is at the user's own risk.


  FEEDBACK
  =================================================

  Please send suggestions, updates, and comments to: trihuynh@zeeup.com



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC