Yahoo! Messenger YAUTO.DLL ActiveX Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1008362
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 3 2003
Impact: Execution of arbitrary code via network, User access via network
Advisory: Sentry Union
Version(s): 5.6.0.1347 and prior versions

Description: Tri Huynh from SentryUnion reported a buffer overflow in Yahoo! Messenger in the 'YAUTO.DLL' ActiveX component. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can create HTML that, when loaded by the target user, will cause an arbitrary executable to be downloaded to the target user's computer and silently executed.

The report indicates that YAUTO.DLL is registered under a ProgID called "YAuto.NSAuto.1" and contains a buffer overflow in the Open() function. A remote user can pass a specially crafted URL to trigger the overflow and execute arbitrary code.

Impact: A remote user can execute arbitrary code on the target system with the privileges of the target user.

Solution: No solution was available at the time of this entry. The author of the report indicates that, as a workaround, you can delete the YAUTO.DLL file in your Yahoo! Messenger directory.

Vendor URL: messenger.yahoo.com/
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: Tri Huynh <trihuynh@zeeup.com>
Message History: None.

Source Message Contents

Date: Wed, 3 Dec 2003 00:06:56 -0800
From: Tri Huynh <trihuynh@zeeup.com>
Subject: Yahoo Instant Messenger YAUTO.DLL buffer overflow
Yahoo Instant Messenger YAUTO.DLL buffer overflow
=================================================
PROGRAM: Yahoo Instant Messenger (YIM)
HOMEPAGE: http://messenger.yahoo.com
VULNERABLE VERSIONS: 5.6.0.1347 and below
DESCRIPTION
=================================================
YIM is one of the most popular instant messengers. This is a cool product
that allows me to chat with my gf from a very long distance :-).
DETAILS
=================================================
YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
Instant Messenger. YAUTO.DLL is registered under a ProgID called
"YAuto.NSAuto.1". In this component, there is a function named
Open(String Url) that will cause a buffer overflow if argument Url is passed
with a long string. Since this is an ActiveX component, the vulnerability can
be exploited just by making a website with the correct CLSID of
the ActiveX and calling the function directly. We have successfully exploited
the vulnerability by making a website that can download a trojan and
execute it silently.
WORKAROUND
=================================================
Yahoo has been contacted at enterprisesales@yahoo-inc.com (this
is the only email that I can find on the Yahoo Messenger Site) but
has not responded after 1 month. The workaround solution is deleting
the YAUTO.DLL file in your YIM directory.
CREDITS
=================================================
Discovered by Tri Huynh from SentryUnion
DISCLAIMER
=================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh@zeeup.com
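
To find hosts that still carry the control and to see whether the workaround has been applied, here is an added example (not part of the advisory or the reporter's message): a read-only PowerShell check that resolves the ProgID named above to its CLSID and DLL path from the local registry. The function name and output fields are chosen for this example.

```powershell
# Added example, not from the advisory: read-only check for the YAUTO.DLL control.
function Find-ActiveXControl {
    param([string]$ProgId = 'YAuto.NSAuto.1')   # ProgID as given in the advisory

    # Per-machine and per-user COM class registrations.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $progKey = Join-Path $root "$ProgId\CLSID"
        if (-not (Test-Path -LiteralPath $progKey)) { continue }

        # The default value of <ProgID>\CLSID is the class GUID.
        $clsid = (Get-Item -LiteralPath $progKey).GetValue('')
        if (-not $clsid) { continue }

        # Native view, plus the 32-bit view as seen from a 64-bit shell.
        foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
            $serverKey = Join-Path $root "$view\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }

            # The default value of InprocServer32 is the DLL a host process loads.
            $dll = [string](Get-Item -LiteralPath $serverKey).GetValue('')
            $dll = $dll.Trim('"')
            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))

            [pscustomobject]@{
                RegistryKey = $serverKey
                Clsid       = $clsid
                DllPath     = $dll
                DllOnDisk   = $onDisk
                FileVersion = if ($onDisk) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion }
            }
        }
    }
}

$hits = @(Find-ActiveXControl)
if ($hits.Count -eq 0) {
    'YAuto.NSAuto.1 is not registered for this user or machine.'
} else {
    $hits | Format-List
}
```

A result with DllOnDisk set to False means the file has been deleted as the workaround describes, although the registration is still present.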