[Full-Disclosure] Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
From: Menashe Eliezer (menashe_at_finjan.com)
To: <email@example.com> Date: Sun, 14 Dec 2003 15:18:24 +0200
Yahoo E-mail Service Vulnerability
Release Date: December 10, 2003
Severity: Critical (Potential web-based e-mail worm)
Other web-based e-mail systems may be vulnerable.
Internet Explorer and any software application used for reading Yahoo e-mail messages.
Yahoo,Excite and Outblaze (Mail.com) have already patched their Web-based e-mail services. Other web-based e-mail systems may be vulnerable.
In addition to destroying files, malicious code attacks have the ability to steal personal information such as usernames, passwords, credit card numbers, and any other information a user inputs into the computer. It can also expose restricted parts of a local area network, such as an Intranet, to the public.
"Web-based e-mails have become very popular due to its ability to provide access to one's e-mail messages from any computer connected to the Internet," said Brian Burke, program manager at IDC. "Malicious hackers are always looking at ways to gain unauthorized access to personal information of their victims for various reasons and Web e-mail services are certainly a potential target." Other web-based e-mail systems may be vulnerable to this vulnerability. Additional information about the malicious script execution security flaw can be found at: http://www.kb.cert.org/vuls/id/707100
This was a cross-site scripting vulnerability of the Yahoo! Web-based e-mail service. The purpose of Yahoo's active content filter is to block the injection of any active content into Yahoo! messages. However, the basic failure that allowed this vulnerability is that there was no blocking of a double encoding. Yahoo's filter removed only the first instance.
MCRC has inserted malformed encoded style to the 'input' HTML tag, using several known encoding methods.
<input type="text" size=80 value="XSS Yahoo Mail" style="\000062 ackground-image:url('java\73 crip\t\3A ...
-Automatic launching of malicious code.
-Getting personal information of users in Yahoo! address book and creating a detailed commercial database to be used by spammers. (using the known cookies decoder tool, created by firstname.lastname@example.org)
-Identity theft using a spoofed re-login window (suggested by email@example.com).
-Read and Disclose User inbox & contacts.
-Sending an e-mail message.
The ActiveX control could have been used for a destructive payload of the propagating worm. It also allows propagation to non-Yahoo users.
The basic attack does not require an ActiveX control. The ActiveX control is the payload that can be used to extend the attack to non-web mail users, or to perform any malicious activity, including formatting of the hard disk
Upon using the ActiveX control, end user may get a security warning. It depends on the security setting of the browser. An example: http://www.finjan.com/mcrc/demos/activex.cfm (Click on the 'test me' button after reading the disclaimer)
The initial tip was received from "stardust (hoshikuzu)".
This specific vulnerability has been eliminated by Yahoo based on Finjan Software notification. Finjan's content security products: SurfinGate for Web, SurfinGate
for E-mail, SurfinShield Corporate and SurfinGuard Pro, provided proactive defense against this Yahoo vulnerability prior to its detection and correction.
Finjan's patented behavior inspection engine will protect computer users from similar future vulnerabilities and comparable potential exploits.
Credit: stardust (hoshikuzu), Dror Shalev and Menashe Eliezer.
Finjan Software MCRC
Prevention is the best cure!
Full-Disclosure - We believe in it.