
Yahoo! Messenger URL Handler Remote DoS Vulnerability




Title: Yahoo! Messenger URL Handler Remote DoS Vulnerability
Discovered By: Torseq Tech. <bindshell@xxxxxxxxx>
Date: Friday, May 13, 2005
Application affected: Yahoo! Messenger ver. 5.x - 6.0 for Windows (all builds); 
*nix/Mac: unknown (not tested)
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Yes
Description: A Denial-of-Service attack can be launched against Yahoo! 
Messenger, both locally and remotely, through IFRAMEs or by tricking the target 
into clicking a YMSGR: URL handler link in chat or in a PM. A remote user can 
disconnect Yahoo! Messenger users via e-mail or by having the victim visit a 
web page.


Summary:

A Denial-of-Service vulnerability exists in the way Yahoo! Messenger processes 
the arguments of its YMSGR: URL handler links. By crafting a link with certain 
characters after the first colon or after the third colon (following YMSGR:) we 
can make Messenger build malformed packets and send them to Yahoo!'s YMSG 
servers. When these packets are sent, Yahoo! immediately disconnects us from 
the current chat session.

History:

In the past the YMSGR: handler has been abused to cause buffer overflows in 
Yahoo! Messenger and to DoS it remotely, causing errors that could not be 
recovered from until Messenger was restarted.

Details:

By crafting YMSGR: links with specific data after the first or third colon, 
preceded by an ampersand (&), we can force Yahoo! Messenger to generate 
malformed room login packets containing whatever data we choose; the Yahoo! 
YMSG servers disconnect the client upon receipt.

Presentation:

Example of a 'legit' use of the YMSGR: URL handler to join a room:

YMSGR:Chat?ChatterBox:2::21748078

The above link instructs Yahoo! Messenger to send a join room request packet 
to the server; the room in this example is ChatterBox:2. Breaking down the 
arguments, we have the room name, room # and room space #, all of which are 
required in a complete YMSGR: "Chat?" link (Messenger 6.0 sends no packets at 
all if this syntax isn't followed). Together they would be used to enter a 
specific room by invoking the handler.

It is interesting to point out that although the room name, room # and 
rmspace # are supplied, the room # and rmspace # aren't even used in the request 
packet: even though we specify a particular room to join, the packet doesn't 
reflect it and Yahoo! sends us to a ChatterBox room chosen at random. This 
appears to be a bug in itself, since the only way to make Messenger send the 
room request packet at all is to include the three colons, even though the 
arguments after them aren't used (until now).

Example of a malicious use of the YMSGR: URL handler to disconnect a Messenger 
user:

YMSGR:Chat?:::&&&<(*_*)>

When a link is created and used in this manner, Yahoo! Messenger will 
"corrupt" the room login and/or room join request packets with whatever data 
we'd like to add, injected after the last ampersand in the link. 

This example inserts a smiley face into a 0x00 0x96 room login request packet; 
the server rejects the packet and immediately disconnects the target:

59 4D 53 47 00 0C 00 00 00 46   YMSG.....F
00 96 00 00 00 00 9D 9E 1F F9 31 30 39 C0 80 6B   .?....??.ù109À?k
65 6E 5F 74 68 6F 6D 70 73 6F 6E 33 39 C0 80 31   en_thompson39À?1
C0 80 3C 28 2A 5F 2A 29 3E C0 80 36 C0 80 61 62   À?<(*_*)>À?6À?ab
63 64 65 C0 80 39 38 C0 80 75 73 C0 80 31 33 35   cdeÀ?98À?usÀ?135
C0 80 79 6D 36 2C 30 2C 30 2C 31 39 32 32 C0 80   À?ym6,0,0,1922À?

The smiley face in this packet, between the YMSG field separators (the bytes 
C0 80, rendered as "À?" in the dump) in "À?1À?" and "À?6À?", should really have 
been the id again, 'ken_thompson39'.
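To make the dump above readable, here is an added example (not from the advisory or from Yahoo!) that parses the packet into its header and its C0 80 separated key/value fields and flags the injected value; the Yahoo! ID allowlist and the expectation that keys 1 and 109 carry the same id are assumptions drawn from this dump, not from a YMSG specification.

```python
import re
import struct

FIELD_SEP = b"\xc0\x80"                  # YMSG field separator, shown as "À?" in the dump
ID_OK = re.compile(r"^[A-Za-z0-9._]+$")  # assumed allowlist for a Yahoo! ID

# Constructed from the advisory's hex dump: 20-byte header, then a 0x46-byte body.
PACKET = bytes.fromhex(
    "59 4D 53 47 00 0C 00 00 00 46 00 96 00 00 00 00 9D 9E 1F F9 "
    "31 30 39 C0 80 6B 65 6E 5F 74 68 6F 6D 70 73 6F 6E 33 39 C0 80 31 "
    "C0 80 3C 28 2A 5F 2A 29 3E C0 80 36 C0 80 61 62 63 64 65 C0 80 39 38 "
    "C0 80 75 73 C0 80 31 33 35 C0 80 79 6D 36 2C 30 2C 30 2C 31 39 32 32 C0 80"
)

def parse_ymsg(pkt):
    """Return the header fields and the body as an ordered list of (key, value)."""
    if len(pkt) < 20 or pkt[:4] != b"YMSG":
        raise ValueError("not a YMSG packet")
    version, vendor, length, service, status, session = struct.unpack(">HHHHII", pkt[4:20])
    body = pkt[20:20 + length]
    if len(body) != length or not body.endswith(FIELD_SEP):
        raise ValueError("truncated or unterminated body")
    # Keys and values alternate, each terminated by the separator.
    parts = [p.decode("latin-1") for p in body[:-2].split(FIELD_SEP)]
    if len(parts) % 2:
        raise ValueError("odd number of fields: key without value")
    return {"version": version, "vendor": vendor, "length": length,
            "service": service, "status": status, "session": session,
            "pairs": list(zip(parts[0::2], parts[1::2]))}

def check_room_login(parsed):
    """List the problems in a 0x96 room login packet; an empty list means it looks sane."""
    problems = []
    if parsed["service"] != 0x96:
        return problems
    ids = {k: v for k, v in parsed["pairs"] if k in ("1", "109")}
    for key, value in sorted(ids.items()):
        if not ID_OK.match(value):
            problems.append("key %s carries a non-id value %r" % (key, value))
    if len(set(ids.values())) > 1:
        problems.append("key 1 and key 109 disagree: %r" % sorted(ids.values()))
    return problems

if __name__ == "__main__":
    p = parse_ymsg(PACKET)
    print("service=0x%02x length=%d pairs=%s" % (p["service"], p["length"], p["pairs"]))
    for line in check_room_login(p):
        print("FLAG:", line)
```

Run against the dump, the parser yields the five pairs 109, 1, 6, 98 and 135 and the check reports that key 1 holds the smiley instead of the id.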

By embedding this in IFRAMEs and links in web pages or e-mails we can remotely 
disconnect the target. Since a link's contents are sometimes obvious (when 
hovering over it with the mouse pointer), we could possibly get around the 
suspicion (or add to it?) by encoding the handler arguments as hex characters.

Two obfuscated link examples:

<a href="YMSGR:%63%68%61%74%3F:::%26%26%26%26">Click Here</a>

<a href="YMSGR:Chat?:::%26%26%26%26">Click Here</a>
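As an added example, not part of the advisory or of Yahoo!'s client, this is the argument check a hardened YMSGR: handler could apply before building any packet: percent-escapes are decoded first so the obfuscated links above are judged on their real contents; the verb, the three-colon rule and the per-segment character allowlist are assumptions drawn from the links on this page.

```python
import re
from urllib.parse import unquote

SEGMENT_OK = re.compile(r"^[A-Za-z0-9_.-]*$")  # assumed allowlist per colon-separated segment

def parse_chat_link(link):
    """Validate a YMSGR:Chat? link and return its four colon-separated segments."""
    scheme, sep, rest = link.partition(":")
    if sep != ":" or scheme.lower() != "ymsgr":
        raise ValueError("not a YMSGR: link")
    rest = unquote(rest)                  # undo %xx encoding before any check
    verb, q, args = rest.partition("?")
    if q != "?" or verb.lower() != "chat":
        raise ValueError("unsupported verb %r" % verb)
    segments = args.split(":")
    if len(segments) != 4:                # the page's syntax: three colons after Chat?
        raise ValueError("expected three colons, got %d" % (len(segments) - 1))
    if not segments[0]:
        raise ValueError("empty room name")
    bad = [s for s in segments if not SEGMENT_OK.match(s)]
    if bad:
        raise ValueError("disallowed characters in %r" % bad)
    return segments

def is_safe_chat_link(link):
    """True only for links the parser accepts; anything else is dropped, never sent."""
    try:
        parse_chat_link(link)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for candidate in ("YMSGR:Chat?ChatterBox:2::21748078",
                      "YMSGR:Chat?:::&&&<(*_*)>",
                      "YMSGR:%63%68%61%74%3F:::%26%26%26%26"):
        print(is_safe_chat_link(candidate), candidate)
```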

An IFRAME example:

http://geocities.com/ken_thompson39/pager.html

*Note: If the target is not in a chat room when the link is clicked or the 
IFRAME containing the handler link loads, an ad may pop up in the "Connecting 
to Yahoo! Chat" window. After the ad loads, clicking "Enter Chat" causes the 
disconnect. If the target is already in chat at the time, or if no ad pops up 
while they're not in chat, they'll be disconnected immediately.

Solution:

In the Windows registry, delete the string value 
"c:\progra~1\yahoo!\messenger\ypager.exe %1" under 
HKEY_CLASSES_ROOT\ymsgr\shell\open\command, or point it at another file or 
location (preferably a file that won't be run in multiple instances). As a 
result, all future YMSGR: links will cease to operate in Yahoo! Messenger.