Author: Torseq Tech. <bindshell gmail com>
Application affected: Yahoo! Messenger ver. 5.x - 6.0 Windows (all builds), *Nix/Mac ? (not tested)
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Yes
Description: A Denial-of-Service attack can be launched against Yahoo! Messenger. It
can be exploited both locally and remotely, through IFRAMEs or by tricking the
target into clicking on a YMSGR: URL handler link in chat or in a PM. A remote
user can disconnect Yahoo! Messenger users via e-mail or by having the victim
visit a web page.
Summary:
A Denial-of-Service vulnerability exists in the way Yahoo! Messenger processes the arguments
of its YMSGR: URL handler links. By crafting a link with certain characters
after the first colon or after the third colon (following YMSGR:) we can make the client
build malformed packets and send them to Yahoo!'s YMSG servers. When these packets are
received, Yahoo! immediately disconnects the client from its current chat session.
History:
In the past the YMSGR: handler has been abused to cause buffer overflows in Yahoo!
Messenger and to remotely DoS the client, causing errors which couldn't be recovered from
until it was restarted.
Details:
By crafting YMSGR: links with an ampersand (&) placed after the first or third colon,
we can force Yahoo! Messenger to generate room login packets that are malformed
with whatever data we would like to send to the Yahoo! YMSG servers, causing a
disconnect upon receipt.
Presentation:
Example of a 'legit' use of the YMSGR: URL handler to join a room:
YMSGR:Chat?ChatterBox:2::21748078
The above link instructs Yahoo! Messenger to send a join room request packet
to the server, the room in this example being ChatterBox:2. Breaking down the arguments
we have the room name, the room # and the room space #, all of which are needed in a
complete YMSGR: "chat?" link (Messenger 6.0 won't send any packets if this syntax isn't
followed). Together they are used to enter a specific room by invoking the handler.
It is interesting to point out that although the room name, room # and rmspace # are
supplied, the room # and rmspace # aren't even used in the request packet. So even though
we specify a particular room to join, the packets don't reflect that, and instead
Yahoo! sends us to a ChatterBox room # at random. This is apparently a bug in itself,
since the only way to actually have Messenger send the room request packet is to
include the three colons, even though the arguments behind them aren't used (until now).
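The link grammar described above (room name, room #, two colons, room space #) is simple enough to check before a link is ever handed to the URL handler. The following is an added example, not code from the advisory or from Yahoo!: a strict parser for YMSGR: chat links that accepts only the documented shape and reports why anything else was rejected, which is what a mail or web content filter would log. The allow-list for room names (letters, digits, spaces) and the label strings are my assumptions; the advisory does not define the room name character set.

```python
import re

# Well-formed chat link as described in the advisory:
#   YMSGR:Chat?<room name>:<room #>::<room space #>
# The room name character class is an assumption (conservative allow-list);
# the two numeric fields and the "::" are the documented syntax.
_CHAT_LINK = re.compile(
    r"^YMSGR:Chat\?(?P<room>[A-Za-z0-9 ]+):(?P<room_no>\d+)::(?P<space_no>\d+)$",
    re.IGNORECASE,
)

_CHAT_PREFIX = "YMSGR:CHAT?"


def parse_chat_link(link):
    """Return (room, room_no, space_no) for a well-formed chat link, else None."""
    m = _CHAT_LINK.match(link.strip())
    if not m:
        return None
    return m.group("room"), int(m.group("room_no")), int(m.group("space_no"))


def classify_chat_link(link):
    """Label a link for filtering/logging: 'ok', 'not-chat', or a 'suspicious: ...' reason."""
    if not link.strip().upper().startswith(_CHAT_PREFIX):
        return "not-chat"
    if parse_chat_link(link) is not None:
        return "ok"
    args = link.strip()[len(_CHAT_PREFIX):]
    # Give the specific reason a defender would want in the log line.
    if "&" in args:
        return "suspicious: ampersand in arguments"
    if args.count(":") != 3:
        return "suspicious: unexpected colon count"
    return "suspicious: malformed arguments"


if __name__ == "__main__":
    # Constructed sample links: the advisory's legitimate example and two bad ones.
    for sample in ("YMSGR:Chat?ChatterBox:2::21748078",
                   "YMSGR:Chat?ChatterBox:2:21748078",
                   "YMSGR:Chat?Lobby:1::abc"):
        print(sample, "->", classify_chat_link(sample))
```

The check is deliberately an allow-list: rather than enumerating bad characters, it accepts only the shape the client itself requires (three colons, numeric room and space numbers) and treats everything else as suspicious.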
Example of a malicious use of the YMSGR: URL handler to disconnect a Messenger user:
YMSGR:Chat?:::&&&<(*_*)>
When a link is created and used in this manner, Yahoo! Messenger will accidentally "corrupt"
the room login and/or room join request packets with whatever data we'd like to
add, injected after the last ampersand in the link.
This example inserts a smiley face into a 0x00 0x96 room login request packet;
the server rejects it and immediately disconnects the target:
59 4D 53 47 00 0C 00 00 00 46 YMSG.....F
00 96 00 00 00 00 9D 9E 1F F9 31 30 39 C0 80 6B .?....?.ù109
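The dump above shows the fixed YMSG framing (the "YMSG" magic, version 00 0C, a length field, service 00 96 for the room login, a status word, a session id) followed by a body of key/value fields delimited by C0 80. As an added example, not code from the advisory or from Yahoo!, the following parser decodes that framing and reports the structural problems a server-side or proxy-side check would flag: a length field that disagrees with the body, a body that does not end on a separator, a dangling key, or a key that is not a decimal number. The field layout after the magic is taken from the dump; the sample packets, their keys and values are constructed here for the demonstration and are not the advisory's full packet, which is only partly shown.

```python
import struct

MAGIC = b"YMSG"
HEADER_LEN = 20               # 4-byte magic + 16 bytes of fixed fields (per the dump)
SEP = b"\xc0\x80"             # key/value delimiter seen in the dump (C0 80)
SERVICE_ROOM_LOGIN = 0x0096   # service id from the dump (00 96)


def parse_header(pkt):
    """Decode the fixed YMSG header; raises ValueError if the bytes are not a YMSG packet."""
    if len(pkt) < HEADER_LEN or pkt[:4] != MAGIC:
        raise ValueError("not a YMSG packet")
    version, vendor, length, service, status, session = struct.unpack(
        ">HHHHII", pkt[4:HEADER_LEN])
    return {"version": version, "vendor": vendor, "length": length,
            "service": service, "status": status, "session": session}


def parse_body(body):
    """Split a body into (key, value) byte pairs; every field must end with SEP."""
    if body and not body.endswith(SEP):
        raise ValueError("body does not end with separator")
    fields = body.split(SEP)[:-1] if body else []
    if len(fields) % 2:
        raise ValueError("odd number of fields: dangling key without value")
    return list(zip(fields[0::2], fields[1::2]))


def find_problems(pkt):
    """Return human-readable reasons a packet looks malformed (empty list if clean)."""
    problems = []
    try:
        hdr = parse_header(pkt)
    except ValueError as e:
        return [str(e)]
    body = pkt[HEADER_LEN:]
    if hdr["length"] != len(body):
        problems.append(f"length field {hdr['length']} != body size {len(body)}")
    try:
        pairs = parse_body(body)
    except ValueError as e:
        return problems + [str(e)]
    for key, _value in pairs:
        if not key.isdigit():          # YMSG keys are decimal numbers such as 109
            problems.append(f"non-numeric key {key!r}")
    return problems


def build_packet(service, session, pairs, version=0x000C):
    """Assemble a YMSG packet from (key, value) pairs; used only to construct samples."""
    body = b"".join(k + SEP + v + SEP for k, v in pairs)
    return MAGIC + struct.pack(">HHHHII", version, 0, len(body), service, 0, session) + body


# Constructed samples (keys/values are placeholders, not the advisory's packet contents).
GOOD = build_packet(SERVICE_ROOM_LOGIN, 0x9D9E1FF9,
                    [(b"109", b"alice"), (b"1", b"alice")])
# A key made of free-form text where a decimal key belongs is the kind of corruption
# the advisory describes; the smiley is only a marker here.
BAD = build_packet(SERVICE_ROOM_LOGIN, 0x9D9E1FF9,
                   [(b"109", b"alice"), (b"<(*_*)>", b"")])


if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", GOOD[:-3])):
        print(name, parse_header(pkt)["service"], find_problems(pkt))
```

Feeding captured client traffic through `find_problems` is the defensive use: a proxy or IDS that sees a room-login packet with a non-numeric key, or a length field that disagrees with the body, has a concrete signature of a client that was driven by a malformed handler link.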