[ Advisory ] New Yahoo-Messenger client bug ( Insecure memory management )

From: Hamid.K (elite_netbios_at_yahoo.com)
Date: 05/26/04

Date: 25 May 2004 22:33:51 -0000
To: security-basics@securityfocus.com

Hi list.

After sending two posts to Yahoo Inc. and receiving no reply, I decided to post here.

=|-------------------------------------------------------------
=| Program : YIM-Client ( Yahoo Instant Messenger client )
=|
=| Vulnerable versions : new Beta release, 5.6.x and prior
=|
=| Flaw : Insecure memory management which can . . .
=|
=|---------------------------------------------------------------
=|
=| Description :
=|
=| Yahoo Messenger is an instant-messaging system, one of the popular
=| systems of its kind. The login process to the server systems is
=| protected by a user ID and a password. The YIM client has the ability
=| to store your password so you don't need to type it each time.
=|
=| The stored encoded password is saved in the registry, which has
=| already been talked about, and there are many programs available to
=| decode the stored "Eoption String".
=|
=| Due to the insecure way Yahoo manages the stored password, it's
=| possible to extract the clear-text saved password from the memory
=| space of the YIM client. There is really no protection on the stored
=| password in memory, and due to the way the OS treats memory
=| ( no protection at user-level permissions ), ANY low-privileged user
=| can dump the password from memory. No access to the registry or the
=| program itself is required.
=|
=| There are many ways to abuse this, but my nasty idea is using this
=| vulnerability together with one of the famous exploited Windows bugs,
=| like the lsass stuff, and making the remote shell string it returns
=| give us the stored password in the memory of the remote system.
=|
=| It's possible to do that because the password is stored in a static
=| place in memory, and on my system ( 5.6.x versions ) it is (00F341B0).
=| I haven't had a chance to install the new beta version to get the
=| memory address.
=|
=| There are also MANY other applications vulnerable to this kind of bug.
=|
=| Here is the advisory I sent to Yahoo
=| =========================
=| Hello Yahoo-Messenger crew
=|
=| Yahoo-Messenger ( current version ) has a security flaw which lets an
=| attacker extract the stored password of the YIM client from the memory
=| space of the loaded program. The password is available in clear text
=| at a static, specific memory address, which lets an attacker read the
=| password from memory. 5.6.0.1339 was the version of the client I've
=| tested, but it seems this flaw exists on previous versions too.
=|
=| Unlike other methods of extracting the stored password, like the
=| stored encoded password in the registry, this way does NOT need any
=| sort of decoding / decryption to gain access to the stored password.
=| It's stored in clear text.
=|
=| The stored password can be found at this address. The beginning
=| address is 00F341B0 in the memory space of the loaded YIM client.
=|
=| Sample :
=| Load the Yahoo Messenger client with save-password enabled. Then run
=| the WinHex program, attempt to read from RAM, select the YIM client
=| process and load its entire used memory. By looking at the mentioned
=| address ( 00F341B0 ), you'll see the clear-text password you've stored
=| on your client.
=|
=| Hamid Kashfi
=| May 18 2004
=|
=| ==========
=| Finally, sorry for poor English :-p
=| EOF.
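An added example in C (not from the post and not Yahoo's code) contrasting the pattern the advisory describes, a plaintext secret kept in a static buffer for the whole process lifetime, with a hardened one: keep only a masked copy resident, unmask into a short-lived buffer at the moment of use, and scrub it with writes the compiler cannot elide. The XOR mask and `demo_key` are constructed stand-ins for a real OS memory-protection API (CryptProtectMemory on Windows); `region_contains` is the self-check a defender would run over whatever stays resident in the process.

```c
#include <stdint.h>
#include <string.h>
#define PW_MAX 64

/* Insecure pattern (what the advisory describes): the plaintext lives in a
 * static buffer at a fixed address for the whole process lifetime. */
static char g_saved_password[PW_MAX];
void insecure_store(const char *pw) {
    strncpy(g_saved_password, pw, PW_MAX - 1);
    g_saved_password[PW_MAX - 1] = '\0';
}

/* Hardened pattern: only a masked copy is resident. The XOR mask is a stand-in
 * for a real in-memory protection API (e.g. CryptProtectMemory on Windows). */
typedef struct { uint8_t key[PW_MAX]; uint8_t masked[PW_MAX]; size_t len; } vault_t;

/* Zeroise through a volatile pointer so the compiler cannot drop the writes
 * as dead stores (same idea as SecureZeroMemory / explicit_bzero). */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

void vault_store(vault_t *v, const char *pw, const uint8_t key[PW_MAX]) {
    size_t n = strlen(pw);
    v->len = n < PW_MAX ? n : PW_MAX - 1;          /* truncate, never overflow */
    memcpy(v->key, key, PW_MAX);
    for (size_t i = 0; i < v->len; i++) v->masked[i] = (uint8_t)pw[i] ^ key[i];
}

/* Unmask into a short-lived stack buffer, compare, scrub. Returns 1 on match. */
int vault_matches(const vault_t *v, const char *candidate) {
    uint8_t tmp[PW_MAX];
    for (size_t i = 0; i < v->len; i++) tmp[i] = v->masked[i] ^ v->key[i];
    int ok = strlen(candidate) == v->len && memcmp(tmp, candidate, v->len) == 0;
    scrub(tmp, sizeof tmp);
    return ok;
}

/* Defender self-check: does a resident memory region hold the plaintext? */
int region_contains(const void *region, size_t n, const char *needle) {
    size_t m = strlen(needle);
    const uint8_t *r = region;
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(r + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed demo key (no zero bytes in 64 positions); real code draws it from the OS CSPRNG. */
const uint8_t *demo_key(void) {
    static uint8_t k[PW_MAX];
    for (size_t i = 0; i < PW_MAX; i++) k[i] = (uint8_t)(0xA5 + 37 * i);
    return k;
}
```

Scanning the vault struct for the plaintext fails while scanning the static buffer succeeds, which is the property a memory dump such as the one in the post would expose or not.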


