Re: yahoo chat security

From: winged (winged_at_nofollow.com)
Date: 04/06/05

    Date: 05 Apr 2005 23:58:42 EDT


    Kirby "Does it Hurt?" Black wrote:
    > I know, it's probably a great laugh to suggest them both in the same
    > sentence! But I'd like to know if anyone ever experienced what I
    > did yesterday.
    >
    > I was in a chat room, chatting away, someone apparently didn't like
    > what I said and they somehow booted me and shut down my messenger.
    >
    > When I turned it back on, it was signing itself in under someone
    > else's nic and told me that my nic was already in use! I'm pretty
    > sure it's some neat little schoolboy cracker trick, but I'd sure like
    > to know how they did it, what the ramifications to my box could have
    > been [so far it's ok 24 hours later], how they got to it... if anyone
    > knows.
    >
    > thanks
    >
    >
    Yes, you are right, IRC and security seem to be an antithesis.

    That said, is your Java version current? If you are using Sun
    Java it should be build 1.5.0_02-b09 (go to Control
    Panel/Java/General/About to find the version you are running). There are
    some buffer overrun capabilities in earlier versions. If you are
    relying on the MS Java implementation, run quickly to java.com and use the
    Sun version (you didn't mention the OS you are using, so I am not sure about
    your system's state of affairs). I suspect your messenger was shut down
    via a buffer overrun exploit. These are not uncommon in the Yahoo
    client. There is also a buffer overrun exploit in the radio function,
    audio function and the video function of the current client.
    Additionally there is a known vulnerability in the file transfer
    function of the current 5.X client that is unpatched.

    Ramifications
    1. If you have an old version of the Sun client or are using MS to do
    Java, you could have run the code of the attacker's choice.
    2. If the audio buffer overrun was used it probably just crashed the
    client.
    3. If the file transfer exploit was used it just caused a denial of
    service or software crash.

    From the symptoms you described I suspect that option 1 is the issue.
    For them to have extracted your session logon information, I suspect the
    system was compromised, possibly with a Trojan of the attacker's choice.
    If you gain control of your account again, the first option would be to
    change the password immediately to a complex password (at least 2 of the
    4 char sets (upper, lower, numeric and special)). Second, closely inspect
    your system. There are bad guys there and many script kiddies
    (especially in the "adult" chat areas). Many of the script kiddies there
    do not even realize the evil they do. A number of the bad guys are
    international.

    I would be looking everywhere on the system for a Trojan or consider
    rebuilding the system. On an older version of Yahoo I started writing a
    filter for such behaviors, but the software was so holed that it would
    have been a career. The 5.x version is much better than previous
    versions; however, there are some significant spyware holes opened for
    advertisers and Yahoo. I was playing with yahoo messenger because of
    the blackhats lurking there, because I had read so many security notices
    on the software. I wore galoshes that most folks don't even know
    about, as I expected to have the session hacked, and endeavored to
    irritate those who I knew were bad guys not just script kiddies. I ran
    full packet logging and the client inside of a virtual machine with
    layered logging and filters running against common exploit vectors. All
    the same I had a VM session compromised by an attacker who was
    downloading Netcat (heh, I already had Netcat but the script didn't know)
    after creating 3 hidden accounts on the local system inside of 3 minutes
    on a dialup session. My logs of the compromise (older version)
    indicated it too was a Java buffer overrun exploit.

    I still consider Yahoo unsafe at any speed. I do not believe even the
    Yahoo hosts can be trusted and suspect (unproven) that root authority on
    their server systems is compromised and insecure, due to other
    exploration efforts I made at their site. Your mileage may vary.

    Winged
