文章作者:Torseq Tech. <bindshell gmail com>
Date: Wednesday, May 18, 2005
Application affected: Yahoo! Messenger ver. 5.x - 6.0 (all builds) Windows, *Nix/Mac
? (not tested)
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Yes (temporary)
Description: By activating the "Logfile" feature in Yahoo! Messenger a person (perhaps
unauthorized) is able to secretly log and view virtually all communications
sent and received by Yahoo! Messenger from all IDs logged into Messenger on the
local computer. Awareness of this logging is virtually none unless this feature
is exclusively known about beforehand by the users and they know exactly where
to look for the feature's presence (not likely). When using this feature you may
be susceptible to privacy breaches and increased risk for potential remote DoS
attacks to be launched successfully.
Summary:
A much lesser-known feature in Yahoo! Messenger is one called the "Logfile" feature,
which can be enabled/disabled remotely or locally through the YMSGR: URL handler.
If given physical access to a publicly "shared" system (or home) it is possible
to create a registry key and set the value enabling the feature without having
Messenger alert future users following the reg write of the logging that's taking
place. When Messenger is started up the entire login, all chat room conversations,
all PMs, conferences, chat invitations, add buddy requests/successes/denies,
and mobile text messages both in/out will be logged. User's cookies, login
challenge strings and challenge responses, user's buddy lists, ignore lists, aliases
on the accounts and personal status messages etc. will all be stored in a
text file on the local computer, all completely unencrypted and in a readable (though
ugly) raw packet dump of clear-text.
Presentation:
Unlike the 'recognized' and preference-accessible Yahoo! Messenger Archive feature
that allows for archiving of PMs, conferences, and mobile text messages the Logfile
feature isn't accessible from anywhere in Messenger other than through invoking
the YMSGR: handler with the correct arguments to activate/deactivate it's functionality.
This feature is also not very documented (not documented officially),
with the exception of 1 search result on google with information about it from
a third party (at the time of this writing).
Unlike the Archiving feature which is enabled/disabled for each invidual user on a
per-ID basis, this Logfile feature, when enabled, causes Messenger to log all communications
both sent and received and append their contents in clear-text to
an existing text file called ypager.log. By default this text file, in the same
directory as Messenger, is used to log basic connection successes and failures.
When the Logfile feature is activated ypager.log then becomes an entirely "different"
file storing detailed log information above and beyond it's normal troubleshooting
statistics.
Several problems exist when this feature is activated. The first problem is that you're
able to make a manual registry write (which can be done even on limited and
guest accounts on XP) that when made, after being queried and found by Messenger,
is acted upon without alerting all future user(s) that logging will take place
on their IDs for all sessions thereafter. You can enable this feature locally
by making a registry write and creating the DWORD "Use Logfile" with a value of
'1', or disable by setting the value to '0' or deleting the DWORD entirely from
"HKEY_CURRENT_USER\Software\Yahoo\pager". When a manual reg write is made it logs
all user's data, it's scope isn't limited to individual IDs but any IDs used
in Messenger on the computer at any time.
This feature can be enabled remotely using the YMSGR: handler link YMSGR:enablelog?1
and clicking on "enable" through an IFRAME or in a hyperlink in pm or chat. The
feature can be disabled remotely using YMSGR:enablelog? and clicking on "disable"
to stop the logging after shutting down Messenger and restarting it. When logging
is enabled through the use of the YMSGR: handler the current user is prompted
from the enable/disable Warning dialog box but the message does not cearly
indicate exactly what will be logged, where it will be stored, who will be logged
or whether or not the data will be encoded or not when stored. A user could be
tricked into enabling this feature remotely, and quite easily, without knowing
what it does or how it works, much less how to turn it off if they needed to for
performance or privacy reasons.
Since many businesses communicate using Yahoo! Messenger employees and/or even outsiders
could keep track of business conferences that took place, chat room conversations
and private messages (PMs) that might have taken place during workdays.
Colleges with Yahoo! Messenger installed on their campus computers could be used
to harvest all conversational data as well as private data (cookies, buddylists
and ignore lists) from students using it between classes.
Comparing and contrasting the known Yahoo! Archive feature against this "Logfile"
feature to indicate the differences is as follows:
Yahoo! Messenger Archive feature:
- Is Messenger GUI-accessible through preferences for enabling and disabling.
- Selective logging exists for PMs, conferences and/or mobile text messages and alerts.
- Logged data is stored on the local computer in the form of .dat files of which the
contents are XORd (though very minimal) with the user ID to prevent your typical
local user from viewing the contents. Ability to view the contents of the logfiles
is granted when signed into the account on which the logs were created (where
the user ID and password would be needed to read them).
- Is enabled and disabled on a per-ID basis, meaning each ID logged into Messenger
can choose whether to enable archiving or not (default is disabled for all).
- PMs received from senders that are not replied back to during the session are not
archived.
Yahoo! Messenger Logfile feature:
- Is not Messenger GUI-accessible from anywhere for simple enabling and disabling.
- No selective logging exists per service type, virtually everything that can be sent
or received through Messenger is logged (much broader scope of logged activity
vs. Archiving).
- Logged data is stored on the local computer in the ypager.log text file of which
the contents are not encoded at all to prevent onlookers from viewing the contents.
- Is enabled and disabled on a "global" basis, meaning once enabled the logging takes
place for all communications on all IDs logged into and used in Messenger.
- Received PMs and all communications from senders that are not replied back to during
the session are still logged in the text file (unlike Archiving's behavior).
Potential remote DoS vulnerability:
If in a highly 'active' chat room environment, PM or conference where there's multiple
lines of text being sent back and forth at high rates there's the possibility
that this log could get quite huge due to the actual packet-like structure being
used for the logging and the additional details about each packet's contents
being appended. This text file could grow into megabytes if enough elapsed time
and activity has taken place. A Denial-of-Service condition could possibly be made
if logging was activated and the attacker was able to force large amounts of
PM or chat room data to the target's Messenger client forcing it to spend a lot
of resources and time logging all of the data flood's contents to the text file,
possibly resulting in a client crash or decreased system performance. This scenario
would be all too real as PM bombing and various other sorts of flooding (booting)
exist practically everywhere on Yahoo! Chat.
Logfile Analysis:
Recv 5/18 0:47:45| type=6, status=1, data=5torseq_tech4my_name_is_tr0nix244278527252PpuInhgAiRFwuCJpNC4=97114Hello
there sir63;0640, len=121
The line above from ypager.log is an ASCII packet dump that indicates that a PM was
received on the ID "torseq_tech" from the ID "my_name_is_tr0nix" timestamped with
the date and time of receipt. The message here is "Hello there sir". The YMSG
header status= field value is also provided as well as the YMSG service type being
"6" in decimal (Private Message). The YMSG payload length, being 121 Bytes
(derived from the YMSG 20 Byte header subtracted from the payload continuation)
is also present telling us exactly how large the messages received were in octets.
Due to the rawness of the structure from the dump a parser could be written to
parse the type= value, status= value, data= and len= values along with the direction
(Sent & Recv) and the timestamp to be displayed with better human-readability
when viewing the log's contents as a whole. The miscellaneous letters and numbers
within the data= field could also be stripped out if each service type's
delimiters (being those numb
ers and letters) were extracted from the actual viewable message text. Reconstructing
whole chat room conversations, PM conversations, conferences and harvesting
buddy lists, ignore lists and cookies etc. could all be accomplished for multiple
IDs used from the computer's Messenger client.
Proof-of-Concept:
To manually activate the Logfile feature without prompting the user upon it's activation
(physical access normally required) go here:
http://geocities.com/ken_thompson39/log/Use_Logfile.html
To trick users into activating this feature remotely you could have them visit a web
page (like this one) or have them click on a hyperlink with the handler embedded.
When they see the "Do you want to enable logging on Yahoo! Messenger?" Warning
dialog box popup you could inform them that this just activates the Yahoo! Messenger
Archive feature for them or something similar to get them to do it.
http://geocities.com/ken_thompson39/log/Logfile.html
Consequences:
Possible data theft by local users of the computer, compromised IDs and friends list
communications (through cookie logins from the IDs and cookies gathered) via
impersonation and increased risk for potential remote DoS attacks to be launched
successfully due to such heavy loads of logging that can be induced.
Solution (temporary):
Set ypager.log permissions to Read-only or check for the logging when Messenger is
started up each time it's used from a shared computer using the URL handler to
disable it when signing in. Deleting the file before Messenger is started won't
help as the file is recreated (it's needed even if the Logfile feature is disabled)
if it isn't found in the Messenger folder.
