[NT] Multiple Vulnerabilities in Yahoo! Messenger (Filename Spoofing, Privilege Escalation)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/24/05
To: list@securiteam.com
Date: 24 Feb 2005 17:06:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in Yahoo! Messenger (Filename Spoofing, Privilege Escalation)
------------------------------------------------------------------------
SUMMARY
Yahoo! Messenger (http://messenger.yahoo.com/) is "a free instant
messaging service that you can use to communicate with other people who
also use Yahoo! Messenger".
Yahoo! Messenger contains two vulnerabilities: a filename spoofing issue in
the file transfer dialogs, and a local privilege escalation in the Audio
Setup Wizard.
DETAILS
Vulnerable Systems:
* Yahoo! Messenger version 6.0.0.1750 (for Windows)
Immune Systems:
* Yahoo! Messenger version 6.0.0.1921 (for Windows) or newer
Audio Setup Wizard Privilege Escalation
Yahoo! Messenger contains a vulnerability which can be exploited by
malicious, local users to gain escalated privileges.
The vulnerability is caused by a combination of weak default directory
permissions and the Audio Setup Wizard (asw.dll) invoking the "ping.exe"
utility insecurely (by unqualified name rather than by full path) during
the connection testing phase. This can be exploited to execute arbitrary
code with the privileges of another user by placing a malicious "ping.exe"
file in the application's "Messenger" directory.
Successful exploitation requires that a user runs the Audio Setup Wizard
and that the application has been installed in a non-default location (not
as a subdirectory to the "Program Files" directory).
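The two preconditions above (install directory outside "Program Files", and a system utility name such as "ping.exe" shadowed inside the application directory) can be checked by an administrator. The following audit function is an added example, not Secunia's or Yahoo!'s code; the utility list and the directory layout it builds are constructed for the demonstration. Windows resolves an unqualified executable name by searching the application's own directory before the system directory, which is why a full path to the system copy is the fix.

```python
import os
import tempfile
from pathlib import Path

# Constructed list of system utilities an application should only ever
# launch by fully qualified path from the system directory.
SYSTEM_UTILITIES = {"ping.exe", "cmd.exe", "tracert.exe"}


def is_under(path, roots):
    """True when path lies inside one of the given root directories."""
    path = Path(path).resolve()
    for root in roots:
        try:
            path.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def shadowed_utilities(install_dir):
    """Executables in install_dir whose names collide with system utilities."""
    names = {p.name.lower() for p in Path(install_dir).iterdir() if p.is_file()}
    return sorted(names & SYSTEM_UTILITIES)


def audit(install_dir, program_files_roots):
    """Report both advisory preconditions for a Messenger install directory."""
    return {
        "non_default_location": not is_under(install_dir, program_files_roots),
        "shadowed": shadowed_utilities(install_dir),
    }


def build_sample_layout():
    """Constructed layout: one default install, one custom install with ping.exe."""
    base = Path(tempfile.mkdtemp())
    roots = [base / "Program Files"]
    good = roots[0] / "Yahoo!" / "Messenger"
    bad = base / "Apps" / "Yahoo!" / "Messenger"
    for d in (good, bad):
        d.mkdir(parents=True)
    (bad / "ping.exe").write_bytes(b"")  # placeholder file, not a real binary
    return roots, good, bad


if __name__ == "__main__":
    roots, good, bad = build_sample_layout()
    print(audit(good, roots))
    print(audit(bad, roots))
```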
File Transfer Filename Spoofing
Yahoo! Messenger wraps overly long filenames and shows only the first line
of the filename in the file transfer dialogs. The file extension can thus
be spoofed with a filename that contains whitespace and two file
extensions: the first extension appears on the displayed line, while the
real one is pushed onto the hidden second line.
Successful exploitation requires that the option "Hide extension for known
file types" is enabled in Windows (default setting).
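A receiving-side check for the padded double-extension pattern is shown below as an added example (not code from the advisory). It mimics a dialog that wraps at whitespace and shows only the first line, compares the extension a user would see with the extension the file actually has, and also flags names that remain misleading once Windows hides the last known extension. The display width and the extension set are assumptions for the demonstration.

```python
import os
import re

# Constructed subset of extensions Windows treats as "known" and hides.
KNOWN_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".jpg", ".txt", ".doc"}
DISPLAY_WIDTH = 40  # assumed width of the first displayed line


def first_displayed_line(filename, width=DISPLAY_WIDTH):
    """Mimic a dialog that wraps a long name at whitespace and shows line 1 only."""
    if len(filename) <= width:
        return filename
    head = filename[:width]
    cut = head.rfind(" ")
    return head[:cut] if cut > 0 else head


def apparent_extension(filename, width=DISPLAY_WIDTH):
    """Extension the user would infer from the visible first line."""
    return os.path.splitext(first_displayed_line(filename, width).rstrip())[1].lower()


def real_extension(filename):
    """Extension the file system will actually use (trailing blanks ignored)."""
    return os.path.splitext(filename.rstrip())[1].lower()


def misleading_when_hidden(filename):
    """After Explorer hides the last known extension, does another one remain?"""
    root, ext = os.path.splitext(filename.rstrip())
    if ext.lower() not in KNOWN_EXTENSIONS:
        return False
    inner = os.path.splitext(root.rstrip())[1].lower()
    return inner in KNOWN_EXTENSIONS and inner != ext.lower()


def analyze(filename, width=DISPLAY_WIDTH):
    """Summarise the spoofing indicators for one transferred filename."""
    apparent, real = apparent_extension(filename, width), real_extension(filename)
    return {
        "apparent": apparent,
        "real": real,
        "padded": re.search(r"\s{2,}", filename) is not None,
        "spoofed": bool(apparent) and bool(real) and apparent != real,
        "misleading_when_hidden": misleading_when_hidden(filename),
    }


def is_suspicious(filename, width=DISPLAY_WIDTH):
    r = analyze(filename, width)
    return r["spoofed"] or (r["padded"] and r["misleading_when_hidden"])
</test>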
Disclosure Timeline:
04/01/2005 - Vendor notified about Privilege Escalation; Filename Spoofing
vulnerability discovered.
10/01/2005 - Vendor notified about Filename Spoofing.
14/01/2005 - Vendor contacted a second time about Privilege Escalation.
17/01/2005 - Vendor response about Privilege Escalation.
19/01/2005 - Vendor confirms the Filename Spoofing vulnerability.
16/02/2005 - Vendor issues updated version for the Privilege Escalation.
17/02/2005 - Vendor issues fixed version for the Filename Spoofing.
18/02/2005 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by Carsten H. Eiram (che@secunia.com)
and Andreas Sandblad (as@secunia.com).
The original article about Privilege Escalation can be found at:
http://secunia.com/secunia_research/2004-6/advisory/
The original article about Filename Spoofing can be found at:
http://secunia.com/secunia_research/2005-2/advisory/
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.