Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
Results 1 to 9 of 9

Thread: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    772

    Yahoo Messenger Flaw allows injection of JavaScript into IM Windows

    A new flaw in Yahoo Messenger (yesterday someone posted a bufferoverflow vulnerability in YM).

    http://www.zone-h.org/en/advisories/read/id=3552/
    Yahoo Messenger Flaw allows injection of JavaScript into IM Windows

    12/06/2003

    Title: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows

    Author: Chet Simpson (secure ytunnelpro com)

    Date: December 5th, 2003

    Host Platforms tested: WindowsME and WindowsXP (sp1a)

    Target Applications tested: Yahoo Messenger 5.5 (Build 1249)

    Yahoo Messenger 5.6 (Build 1355)

    Target Applications affected: ??All?? versions of Yahoo Messenger

    Components Affected: ypager.exe

    Prerequisites: The IMVironment feature must be enabled

    Possible Dangers: Password Theft

    XSS Cookie Exploits

    Application/System crashes

    Example included: Yes

    Summary:

    --------

    A vulnerability found in ypager.exe allows a website to inject [malicious] html, scripts, and possibly activex controls into a Yahoo Messenger IM window.

    Details:

    --------

    Yahoo Messenger installs a special URL handler to automatically launch any URL starting with "ymsgr:". For Netscape, the YAuto.dll file is used. For Internet Explorer the main executable (ypager.exe) is launched. The Messenger specific URL protocol allows for automatically opening Instant Messages, Chatrooms, and File Transfer sessions. The exploit documented here is specific to the functionality provided by this URL protocol to initiate an Instant Messenging session with another user. The format to initiate this session is as follows:

    ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield

    One of the features of this undocumented URL protocol is the ability to specify the "IMVironment" that should be used during the IM session.

    When Yahoo Messenger attempts to load an IMVironment, the name of the IMVironment is displayed at the top of the text area in the IM window. If the IMVironment cannot be found or an error occurs a message will be displayed at the bottom of the same window stating that the IMVironment cannot be loaded. Although the message at the top of the window is filtered to prevent injection of HTML and scripts the error message is not.

    By placing an IFRAME tag in place of the IMVironment name an additional web page can be loaded in the context of Yahoo Messenger. This is extremely dangerous as the IE HTML Control does not necessarily adhere to the current security and privacy settings selected by the user. This allows a webpage containing scripts to be loaded and provides an environment which to execute malicious scripts.

    Example Scripts:

    ----------------

    There are three (3) files included with in the example archive which demonstrate the flaw outlined in this document:

    ymsgr1.html - This is the primary 'host' file containing a Yahoo Messenger link which initiates a Yahoo Messenger IM session. Run this first and click on the link.

    ymsgr2.html - This file is loaded by Yahoo Messenger into the IM window once it opens and the IMVironment fails to load. The sample JavaScript contained in this file may not work in all cases but was chosen to show the severity of this flaw. Once loaded it will attempt to gather the Yahoo ID and if available the encoded password stored in the system registry. on all systems as some anti-virus software may block it.

    ymsgr2p.html - Same as ymsgr2.html but displays the Yahoo ID and encoded password in a popup window. This will not work with popup or ad blockers.

    ymsgr3.php - This file is accessed by ymsgr2.html and is responsible for displaying the Yahoo ID and encoded password gathered by the included script.

    Take note that the chosen script may not work on all configurations. During testing the IFRAME injection was blocked by Y!TunnelPro and by McAfee Anti-Virus. Norton Anti-Virus Pro 2004 and IMSecurePro did not appear to stop the script.

    A demo of this script can be seen at the following URL:

    http://www.ubabble.com/ymsgr1.html The archive containing this file and the example scripts can be found here:

    http://www.ubabble.com/ymsgr.zip - Zip format

    http://www.ubabble.com/ymsgr.tgz - GZipped Tarball

    Side Effects:

    -------------

    This exploit has an extremely nasty side effect. If the IFRAME is added to the ymsgr URL in certain ways the IMVironment information will be saved in such a way that Messenger will no longer log in. This requires that either the IMVironment keys in the registry be cleaned or Yahoo Messenger to be completely uninstalled.

    Work around:

    ------------

    Until Yahoo can fix the problem the exploit can be avoided by turning off IMVironments in the Yahoo Messenger preferences.

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    yet another "Hey shithead! follow this link" exploit

    thanks for the good info el-half
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    554
    Ah this exploit if you could call it that, has been around for years..
    And i'm glad to c that Yahoo is gonna do something about it finally..
    Anyhow thanks for the info el-half

    cheers
    creative

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    193
    Thanks for heads up. I myself don't use Yim but I know many o' folk who do and I will gladly pass along the link.
    [shadow]Prepare ship for ludicrous speed![/shadow]

  5. #5
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Its been around for years? I thought the IMVironment was still rather new... Must be wrong though.

    They have realsed a new version and patched the IMVironment servers so that old versions of YIM shouldn't be exploitable.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  6. #6
    Banned
    Join Date
    Dec 2003
    Posts
    6
    Now all those dumbasses that ask "How do I hack Yahoo" should read that and leave the rest of us alone. Thanks for the info.

  7. #7
    Junior Member
    Join Date
    Dec 2003
    Posts
    2
    I have actually fallen victim to this. Just a couple of days ago, I was on my webcam on Yim!. Some dumbshit asked to view and I rejected. He threatened to kick me off Yim and blah blah blah. Momentarily later, I was kicked off Yim. Then again. Then again. This continued for about an hour.
    This is what the script kiddies call 'booting'.
    Rather lame cry for attention, don't you think?

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    unforgivin> thats booting. This flaw is a LOT more dangerous then a simple boot off your computer.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  9. #9
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    *Ponders going back to Yahoo chat with a Packet capture and Nessus........just for some "fun" *
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides