[NT] Yahoo! Messenger URL Handler Remote DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 05/17/05

  • Next message: SecuriTeam: "[NEWS] Quartz Composer / QuickTime 7 Information Leakage" 
    To: list@securiteam.com
Date: 17 May 2005 10:59:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Yahoo! Messenger URL Handler Remote DoS
    ------------------------------------------------------------------------

    SUMMARY

    A denial of service vulnerability exists in the way Yahoo! Messenger
    processes arguments in their YMSGR: URL handler links. By crafting the
    links with certain characters after the first colon or after the third
    colon (after YMSGR:) attackers can create malformed packets to be sent to
    Yahoo!'s YMSG servers. When these packets are sent Yahoo! will immediately
    disconnect us from our current chat session.

    DETAILS

    Vulnerable Systems:
     * Yahoo! Messenger version 6.0
     * Yahoo! Messenger version 5.0

    By crafting YMSGR: links specifically after the first or third colons,
    preceding with an ampersand (&), we can force Yahoo! Messenger to generate
    room login packets that are malformed with whatever data we would like to
    send to the Yahoo! YMSG servers causing a disconnect upon receipt.

    Proof of Concept:
    Example of a 'legit' use of the YMSGR: URL handler to join a room
    YMSGR:Chat?ChatterBox:2::21748078

    The above link would instruct Yahoo! Messenger to send a join room request
    packet to the server, the room in this example being ChatterBox:2.
    Breaking down the arguments we have the room name, room # and room space
    #, all needed in the complete YMSGR: "chat?" link (or Messenger 6.0 won't
    send any packets if this syntax isn't followed). All of this together
    would be used to specifically enter a given room through invoking the
    handler.

    Interesting to point out that after the room name, room # and rmspace #
    are supplied the room # and rmspace #s aren't even used in the request
    packet so even though we're specifying a specific room to join the packets
    don't reflect that and instead we're sent to a ChatterBox room # at random
    by Yahoo! This apparently is a bug in itself since the only way to
    actually have Messenger send up the room request packet is to include the
    three colons even though the arguments behind them aren't used (until
    now).

    Proof of Concept:
    Example of a malicious use of the YMSGR: URL handler to disconnect a
    Messenger user:
    YMSGR:Chat?:::&&&<(*_*)>

    When created and used in this manner Yahoo! Messenger will accidentally
    "corrupt" the room login and/or room join request packets with whatever
    data we'd like to add, injected after the last ampersand in the link.

    This example here would insert a smiley face into a 0x00 0x96 room login
    request packet and will be rejected by the server immediately
    disconnecting the target:

    59 4D 53 47 00 0C 00 00 00 46 YMSG.....F
    00 96 00 00 00 00 9D 9E 1F F9 31 30 39 C0 80 6B .-.... . 109 k
    65 6E 5F 74 68 6F 6D 70 73 6F 6E 33 39 C0 80 31 en_thompson39 1
    C0 80 3C 28 2A 5F 2A 29 3E C0 80 36 C0 80 61 62 <(*_*)> 6 ab
    63 64 65 C0 80 39 38 C0 80 75 73 C0 80 31 33 35 cde 98 us 135
    C0 80 79 6D 36 2C 30 2C 30 2C 31 39 32 32 C0 80 ym6,0,0,1922

    The smiley face in this packet, between the YMSG delimiters " 1 " and " 6
    ", should really have been the id again, 'ken_thompson39'.

    By embedding this into IFRAMEs and links in web pages/e-mails we can
    remotely disconnect the target. Since link's contents sometimes look
    obvious (when hovering over them with the mouse pointer) we could possibly
    get around the suspicion (or add to it?) by encoding the handler arguments
    as hex chars.

    Proof of Concept:
    Two obfuscated link examples:
    <a href="YMSGR:%63%68%61%74%3F:::%26%26%26%26">Click Here</a>
    <a href="YMSGR:Chat?:::%26%26%26%26">Click Here</a>

    An IFRAME example:
    <iframe src="ymsgr:chat?:::&&&&">

    Note: If target is not in a chat room when the link is clicked or IFRAME
    containing the handler link is launched an ad may pop up in the
    "Connecting to Yahoo! Chat" window. After the ad loads clicking on "Enter
    Chat" will cause you to disconnect. If the target is already in chat at
    the time or if an ad doesn't pop up when they're not in chat they'll be
    disconnected immediately.

    Workaround:
    In the Windows registry delete the string value:
    c:\progra~1\yahoo!\messenger\ypager.exe %1 under
    HKEY_CLASSES_ROOT\ymsgr\shell\open\command, or point to another file or
    location (preferably a file that won't be ran in multiple instances). As a
    result all future YMSGR: links will cease to operate under Yahoo!
    Messenger.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bindshell@gmail.com> Torseq
    Tech.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Quartz Composer / QuickTime 7 Information Leakage"