[NT] Yahoo! Messenger Server Race Condition Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/17/05
To: list@securiteam.com
Date: 17 May 2005 11:04:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Yahoo! Messenger Server Race Condition Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability in Yahoo!'s Chat servers allows chatters to be added to
another user's friends list without their knowledge or authorization. As a
result, private status messages can be read and on-line Yahoo! Chat activity
can be monitored stealthily.
DETAILS
Vulnerable Systems:
* Yahoo! Messenger 6.0
* Yahoo! Messenger 5.0
* Yahoo! Messenger Server
A feature found in Yahoo! Messenger under the Contacts tab ("Invite People
to Yahoo! Messenger...", and also under the "Add people" option) contains a
loophole that allows a person to be added to another person's friends list
without their knowledge or consent.
This feature sends an e-mail (through Yahoo!'s HTTP servers) inviting
another person to download and use Yahoo! Messenger. The e-mail generated
from the template contains a link that can be altered to the attacker's
liking. By specifying an e-mail address outside the yahoo.com domain,
attackers can view the template responsible for generating this link and
sending the e-mails.
Once the link is tweaked, all the attackers need to do is enter it into
their browser's address bar and sign into the Yahoo! account on which they
want the target added as a friend. Once signed in, the operation is
completed with no user interaction required. If the attackers are already
signed into yahoo.com, simply tweaking the link and browsing to it
completes the operation.
Yahoo! is tricked into believing that a person received an e-mailed
invitation permitting them to add the sender as a friend; as a result, no
add-buddy confirmation request is ever sent to the id being added (the
supposed "sender" of the e-mail), exploiting a trust-based relationship.
No invitation e-mail needs to be sent to accomplish this, since the
attackers already know the link, and an e-mail would in fact give them
away: the receiver could then add the attacker without the attacker's
knowledge, and would be aware of the invitation in the first place,
raising suspicion about the intent of the whole invitation.
Proof of Concept:
1. Skip Add Buddy "Accept" step and add immediately with no steps after
signing in:
http://friends.msg.yahoo.com/invite?id=ID_TO_ADD&intl=us&op=add&dl=1
2. Go through with Add Buddy "Accept" step and add after confirmation of
the operation:
http://friends.msg.yahoo.com/invite?op=accept&id=ID_TO_ADD&intl=us
Where "ID_TO_ADD" is the id of the person you want to add to the Yahoo!
account you sign into from these links.
After successful exploitation, attackers can monitor the on-line activity
of users who were added without their permission. Attackers can determine
whether or not the users are "Available" and read their custom status
messages, which could contain private information such as private links
and text (phone numbers, away messages etc).
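The root cause is that the accept endpoint trusts a caller-supplied id with no proof that an invitation was ever issued to the signed-in user. As an added illustration (not Yahoo!'s code or the advisory's), the following in-memory model places the trusting handler beside a hardened design that binds each invitation to a random single-use token and the invitee's verified e-mail address; all user names, addresses and storage are constructed for the example.

```python
import secrets

# Constructed in-memory friends-list store: user id -> set of friend ids.
FRIENDS = {"alice": set(), "bob": set(), "mallory": set()}

def invite_accept_vulnerable(session_user, id_to_add):
    """Behaviour the advisory describes: whoever is signed in may add any
    id, and the service never checks that id actually sent an invitation,
    so the person in id_to_add is never asked to confirm."""
    FRIENDS.setdefault(session_user, set()).add(id_to_add)
    return True

# Hardened design (constructed): pending invitations keyed by an
# unguessable token, bound to the inviter and the invitee's e-mail.
PENDING = {}  # token -> (inviter, invitee_email)
# E-mail addresses the service has verified for each account (constructed).
VERIFIED_EMAIL = {"bob": "bob@example.test", "mallory": "mallory@example.test"}

def invite_send(inviter, invitee_email):
    """Sending an invitation is the inviter's explicit consent to be added
    by the recipient of that e-mail, and only by them."""
    token = secrets.token_urlsafe(32)  # 256-bit random, not derivable from ids
    PENDING[token] = (inviter, invitee_email)
    return token  # would be embedded in the e-mailed link

def invite_accept_hardened(session_user, token):
    """Add the relationship only if the token names a pending invitation
    and the signed-in account owns the e-mail address it was sent to."""
    entry = PENDING.get(token)
    if entry is None:
        return False  # forged or already-used link
    inviter, invitee_email = entry
    if VERIFIED_EMAIL.get(session_user) != invitee_email:
        return False  # someone other than the invitee is signed in
    del PENDING[token]  # single use: a leaked link cannot be replayed
    FRIENDS.setdefault(session_user, set()).add(inviter)
    FRIENDS.setdefault(inviter, set()).add(session_user)
    return True
```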
ADDITIONAL INFORMATION
The information has been provided by <mailto:bindshell@gmail.com> Torseq
Tech.