Yahoo! Messenger! multiple! vulns!

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/25466.html

By Thomas C Greene in Washington
Posted: 28/05/2002 at 09:08 GMT

There are two new Yahoo Instant Messenger (YIM) vulnerabilities which 
can potentially compromise a user's machine, Vietnamese researcher 
Phuong Nguyen has discovered. Yahoo! has been notified and a fixed 
version is available for download here. 

First up, an unchecked buffer which enables any URL beginning with 
'ymsgr:' to call ypager.exe, crash it and run malicious code if the 
messenger is integrated with the browser. All that's needed is 268 
bytes to overflow the buffer, and exploit code can be loaded with the 
user's level of privilege. The 'call', 'sendim', 'getimv', 'chat', 
'addview' and 'addfriend' function calls can be exploited, Nguyen 
says. 

Next up a problem with the 'addview' feature which enables the 
messenger to view Web content on its own. This is vulnerable to freaky 
URLs and malicious JavaScript and VB script. Yahoo! content can be 
duplicated and malicious scripts embedded in the HTML to give an 
attacker numerous means to exploit a target. See Nguyen's original 
advisory for links to a couple of simple demonstrations (which I've 
not verified). Yahoo! has removed this particular 'feature' in the 
fixed version pending further engineering magic to make it safe, 
Nguyen says. 




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.