Yahoo Instant Messenger YAUTO.DLL buffer overflow

From: Tri Huynh (trihuynh_at_zeeup.com)
Date: 12/03/03

  • Next message: Tri Huynh: "[Full-Disclosure] Yahoo Instant Messenger YAUTO.DLL buffer overflow"
    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Wed, 3 Dec 2003 00:06:56 -0800
    
    

    Yahoo Instant Messenger YAUTO.DLL buffer overflow
    =================================================

    PROGRAM: Yahoo Instant Messenger (YIM)
    HOMEPAGE: http://messenger.yahoo.com
    VULNERABLE VERSIONS: 5.6.0.1347 and below

    DESCRIPTION
    =================================================

    YIM is one of the most popular instant messenger. This is a cool product,
    that allows me to chat with my gf from a very long distant :-).

    DETAILS
    =================================================

    YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
    Install Messenger. YAUTO.DLL is registered under a ProgID called
    "YAuto.NSAuto.1". In this component, there is a function named
    Open(String Url) that will cause a buffer overflow if argument Url is passed
    with
    a long string. Since this is an ActiveX component, the vulnerability can
    be exploited just by making a website with the correct CLSID of
    the ActiveX and call the function directly. We have successfully exploited
    the vulnerability by making a website that can download a trojan and
    execute it silently.

    WORKAROUND
    =================================================

    Yahoo has been contacted at enterprisesales@yahoo-inc.com (this
    is the only email that I can find on the Yahoo Messenger Site) but
    doesn't response after 1 month. The workaround solution is deleting
    the YAUTO.DLL file in your YIM directory.

    CREDITS
    =================================================

    Discovered by Tri Huynh from SentryUnion

    DISLAIMER
    =================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    FEEDBACK
    =================================================

    Please send suggestions, updates, and comments to: trihuynh@zeeup.com


  • Next message: Tri Huynh: "[Full-Disclosure] Yahoo Instant Messenger YAUTO.DLL buffer overflow"

    Relevant Pages