[NT] Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A vulnerability in Yahoo! Messenger's AudioConf ActiveX allows attackers
to cause the component to overflow an internal buffer, which in turn can
be used to cause the program to execute arbitrary code.

DETAILS

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Yahoo Messenger. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page.

The specific flaw exists within the ActiveX control Yahoo.AudioConf:

DLL: yacscom.dll
CLSID: 85A4A99C-8C3D-499E-A386-E0743DFF8FB7

When large values are specified for the 'socksHostname' and 'hostname'
properties, and the createAndJoinConference() method is called, a stack
overflow occurs. Exploitation can result in code execution under the
context of the current user.

Vendor Response:
Yahoo has issued an update to correct this vulnerability. More details can
be found at:
<http://messenger.yahoo.com/security_update.php?id=031207>
http://messenger.yahoo.com/security_update.php?id=031207

Disclosure Timeline:
2006.10.27 - Vulnerability reported to vendor
2006.11.10 - Digital Vaccine released to TippingPoint customers
2007.04.03 - Coordinated public release of advisory

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1680>
CVE-2007-1680


ADDITIONAL INFORMATION

The information has been provided by Peter Vreugdenhil.
The original article can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-07-012.html>
http://www.zerodayinitiative.com/advisories/ZDI-07-012.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages