EEYE: Yahoo! Mail Account Filter Overflow Hijack

From: Drew Copley (dcopley_at_EEYE.COM)
Date: 04/21/04

  • Next message: Andrew Aronoff: "LFN alias script available" 
    Date:         Wed, 21 Apr 2004 11:11:46 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    "Yahoo! Mail" Account Filter Overflow Hijack

    Release Date:
    April 19, 2004

    Date Reported:
    March 10, 2004

    Severity:
    High

    Vendor:
    Yahoo!

    Description:
    "Yahoo! Mail" is one of the Internet's most popular
    web based email solutions. They provide free email and
    large capacity storage, as well as subscription-based
    services such as mail forwarding, expanded storage and
    personalized email addresses.

    eEye Digital Security has discovered a security hole in
    "Yahoo! Mail" which allows a remote attacker to take over
    an account remotely by sending a specially crafted email.

    Technical Description:
    -----------EXAMPLE EMAIL---------

    SCRIPT
    [->a bunch of chars here [spaces are most stealth], the whole
    file size will be just about 100KB]
    [this causes the filter to not work... the code is then run
    automatically]

    ---------------------------------

    The pseudo-diagram above explains the scenario rather well.
    For whatever reason, Yahoo's email filter simply does not
    work on files which exceed a certain range. This kind of
    software issue is relatively common.

    A remarkable note about this bug is that no one seems to
    have found it before.

    As far as anyone knows.

    Drew's Happy-Happy Quote for the Day:

    Ben Franklin, "Three can keep a secret if two are dead."

    Protection:
    Yahoo! Mail is a hosted, web based service, hence users
    do not need to patch. Yahoo has already fixed this bug,
    therefore all Yahoo accounts are now completely safe from
    it.

    Vendor Status:
    Yahoo! has been notified and has rectified the issue.

    Credit:
    Drew Copley, eEye Digital Security (dcopley eeye.com), Research Engineer
    thanks to "http-equiv" for additional research

    Related Links:
    Retina Network Security Scanner - Free 15 Day Trial
    http://www.eeye.com/html/Products/Retina/download.html

    Greetings:
    To all of you out there that don't use turn signals.
    Sooner or later your time is going to come. And a special
    greeting to all of these competitors of ours making some extra
    cash by selling pre-fix vulnerabilities through pay for play
    "mailing lists". I am sure North Korea, the Yakuza, the
    "Triads", the Russian Mafiya, La Costa Nostra, and every
    other criminal state or organization appreciates your type of
    "Partial Full Disclosure for a Darn Good Price" motto.

    Copyright (c) 1998-2004 eEye Digital Security
    Permission is hereby granted for the redistribution of this
    alert electronically. It is not to be edited in any way without
    express consent of eEye. If you wish to reprint the whole or
    any part of this alert in any other medium excluding electronic
    medium, please email alert@eEye.com for permission.

    Disclaimer
    The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an
    AS IS condition. There are no warranties, implied or express,
    with regard to this information. In no event shall the author
    be liable for any direct or indirect damages whatsoever arising
    out of or in connection with the use or spread of this information.
    Any use of this information is at the user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com

    -----
    Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
    -----

  • Next message: Andrew Aronoff: "LFN alias script available"

    Relevant Pages

    • EEYE: Yahoo! Mail Account Filter Overflow Hijack
      ... "Yahoo! ... Mail" Account Filter Overflow Hijack ... Drew Copley, eEye Digital Security, Research Engineer ...
      (Bugtraq)
    • [Full-Disclosure] EEYE: Yahoo! Mail Account Filter Overflow Hijack
      ... "Yahoo! ... Mail" Account Filter Overflow Hijack ... Drew Copley, eEye Digital Security, Research Engineer ...
      (Full-Disclosure)
    • Re: Having Strange Problems sending email.....
      ... The Yahoo user did check his bulk mail folder each time and nothing was ... My first thoughts about the issue was that it would be a user filter ... connects to the same mail server in the US that the forums use. ... Mail account which was so heavily spammed that I configured the ...
      (microsoft.public.internet.mail)
    • Re: Having Strange Problems sending email.....
      ... > Used my own personal computer to send the email to his Yahoo address using ... SpamGuard works in a similar fashion to a Naive Bayesian spam filter. ... Mail account which was so heavily spammed that I configured the ...
      (microsoft.public.internet.mail)
    • Re: OE & Yahoo Mail
      ... I receive mail from 4 yahoo accts on my PC, ... YahooPOPs *emulates* UIDL by using the message-ID from the URL returned ... unique for the life of a freebie Yahoo webmail account but it has been ... incoming mail, which causes me to have to use Port 123 for YPops, on the ...
      (microsoft.public.windowsxp.help_and_support)