<<< Date Index >>>     <<< Thread Index >>>

Yahoo! Messenger may be storing all session data 'Unencoded' on the local machine




Title: Yahoo! Messenger May Be Storing All Session Data 'Unencoded' On The 
Local Machine
Discovered By: Torseq Tech. <bindshell@xxxxxxxxx>
Date: Wednesday, May 18, 2005
Application affected: Yahoo! Messenger ver. 5.x - 6.0 (all builds) Windows, 
*Nix/Mac ? (not tested)
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Yes (temporary)
Description: By activating the "Logfile" feature in Yahoo! Messenger a person 
(perhaps unauthorized) is able to secretly log and view virtually all 
communications sent and received by Yahoo! Messenger from all IDs logged into 
Messenger on the local computer. Awareness of this logging is virtually none 
unless this feature is exclusively known about beforehand by the users and they 
know exactly where to look for the feature's presence (not likely). When using 
this feature you may be susceptible to privacy breaches and increased risk for 
potential remote DoS attacks to be launched successfully.

Summary:

A much lesser-known feature in Yahoo! Messenger is one called the "Logfile" 
feature, which can be enabled/disabled remotely or locally through the YMSGR: 
URL handler. If given physical access to a publicly "shared" system (or home) 
it is possible to create a registry key and set the value enabling the feature 
without having Messenger alert future users following the reg write of the 
logging that's taking place. When Messenger is started up the entire login, all 
chat room conversations, all PMs, conferences, chat invitations, add buddy 
requests/successes/denies, and mobile text messages both in/out will be logged. 
User's cookies, login challenge strings and challenge responses, user's buddy 
lists, ignore lists, aliases on the accounts and personal status messages etc. 
will all be stored in a text file on the local computer, all completely 
unencrypted and in a readable (though ugly) raw packet dump of clear-text.

Presentation:

Unlike the 'recognized' and preference-accessible Yahoo! Messenger Archive 
feature that allows for archiving of PMs, conferences, and mobile text messages 
the Logfile feature isn't accessible from anywhere in Messenger other than 
through invoking the YMSGR: handler with the correct arguments to 
activate/deactivate it's functionality. This feature is also not very 
documented (not documented officially), with the exception of 1 search result 
on google with information about it from a third party (at the time of this 
writing).

Unlike the Archiving feature which is enabled/disabled for each invidual user 
on a per-ID basis, this Logfile feature, when enabled, causes Messenger to log 
all communications both sent and received and append their contents in 
clear-text to an existing text file called ypager.log. By default this text 
file, in the same directory as Messenger, is used to log basic connection 
successes and failures. When the Logfile feature is activated ypager.log then 
becomes an entirely "different" file storing detailed log information above and 
beyond it's normal troubleshooting statistics.

Several problems exist when this feature is activated. The first problem is 
that you're able to make a manual registry write (which can be done even on 
limited and guest accounts on XP) that when made, after being queried and found 
by Messenger, is acted upon without alerting all future user(s) that logging 
will take place on their IDs for all sessions thereafter. You can enable this 
feature locally by making a registry write and creating the DWORD "Use Logfile" 
with a value of '1', or disable by setting the value to '0' or deleting the 
DWORD entirely from "HKEY_CURRENT_USER\Software\Yahoo\pager". When a manual reg 
write is made it logs all user's data, it's scope isn't limited to individual 
IDs but any IDs used in Messenger on the computer at any time.

This feature can be enabled remotely using the YMSGR: handler link 
YMSGR:enablelog?1 and clicking on "enable" through an IFRAME or in a hyperlink 
in pm or chat. The feature can be disabled remotely using YMSGR:enablelog? and 
clicking on "disable" to stop the logging after shutting down Messenger and 
restarting it. When logging is enabled through the use of the YMSGR: handler 
the current user is prompted from the enable/disable Warning dialog box but the 
message does not cearly indicate exactly what will be logged, where it will be 
stored, who will be logged or whether or not the data will be encoded or not 
when stored. A user could be tricked into enabling this feature remotely, and 
quite easily, without knowing what it does or how it works, much less how to 
turn it off if they needed to for performance or privacy reasons.

Since many businesses communicate using Yahoo! Messenger employees and/or even 
outsiders could keep track of business conferences that took place, chat room 
conversations and private messages (PMs) that might have taken place during 
workdays. Colleges with Yahoo! Messenger installed on their campus computers 
could be used to harvest all conversational data as well as private data 
(cookies, buddylists and ignore lists) from students using it between classes.

Comparing and contrasting the known Yahoo! Archive feature against this 
"Logfile" feature to indicate the differences is as follows:

Yahoo! Messenger Archive feature:

- Is Messenger GUI-accessible through preferences for enabling and disabling.
- Selective logging exists for PMs, conferences and/or mobile text messages and 
alerts.
- Logged data is stored on the local computer in the form of .dat files of 
which the contents are XORd (though very minimal) with the user ID to prevent 
your typical local user from viewing the contents. Ability to view the contents 
of the logfiles is granted when signed into the account on which the logs were 
created (where the user ID and password would be needed to read them).
- Is enabled and disabled on a per-ID basis, meaning each ID logged into 
Messenger can choose whether to enable archiving or not (default is disabled 
for all).
- PMs received from senders that are not replied back to during the session are 
not archived.

Yahoo! Messenger Logfile feature:

- Is not Messenger GUI-accessible from anywhere for simple enabling and 
disabling.
- No selective logging exists per service type, virtually everything that can 
be sent or received through Messenger is logged (much broader scope of logged 
activity vs. Archiving).
- Logged data is stored on the local computer in the ypager.log text file of 
which the contents are not encoded at all to prevent onlookers from viewing the 
contents.
- Is enabled and disabled on a "global" basis, meaning once enabled the logging 
takes place for all communications on all IDs logged into and used in Messenger.
- Received PMs and all communications from senders that are not replied back to 
during the session are still logged in the text file (unlike Archiving's 
behavior).

Potential remote DoS vulnerability:

If in a highly 'active' chat room environment, PM or conference where there's 
multiple lines of text being sent back and forth at high rates there's the 
possibility that this log could get quite huge due to the actual packet-like 
structure being used for the logging and the additional details about each 
packet's contents being appended. This text file could grow into megabytes if 
enough elapsed time and activity has taken place. A Denial-of-Service condition 
could possibly be made if logging was activated and the attacker was able to 
force large amounts of PM or chat room data to the target's Messenger client 
forcing it to spend a lot of resources and time logging all of the data flood's 
contents to the text file, possibly resulting in a client crash or decreased 
system performance. This scenario would be all too real as PM bombing and 
various other sorts of flooding (booting) exist practically everywhere on 
Yahoo! Chat.

Logfile Analysis:

Recv 5/18 0:47:45| type=6, status=1, 
data=5torseq_tech4my_name_is_tr0nix244278527252PpuInhgAiRFwuCJpNC4=97114Hello 
there sir63;0640, len=121

The line above from ypager.log is an ASCII packet dump that indicates that a PM 
was received on the ID "torseq_tech" from the ID "my_name_is_tr0nix" 
timestamped with the date and time of receipt. The message here is "Hello there 
sir". The YMSG header status= field value is also provided as well as the YMSG 
service type being "6" in decimal (Private Message). The YMSG payload length, 
being 121 Bytes (derived from the YMSG 20 Byte header subtracted from the 
payload continuation) is also present telling us exactly how large the messages 
received were in octets. Due to the rawness of the structure from the dump a 
parser could be written to parse the type= value, status= value, data= and len= 
values along with the direction (Sent & Recv) and the timestamp to be displayed 
with better human-readability when viewing the log's contents as a whole. The 
miscellaneous letters and numbers within the data= field could also be stripped 
out if each service type's delimiters (being those numb
 ers and letters) were extracted from the actual viewable message text. 
Reconstructing whole chat room conversations, PM conversations, conferences and 
harvesting buddy lists, ignore lists and cookies etc. could all be accomplished 
for multiple IDs used from the computer's Messenger client.

Proof-of-Concept:

To manually activate the Logfile feature without prompting the user upon it's 
activation (physical access normally required) go here:
http://geocities.com/ken_thompson39/log/Use_Logfile.html

To trick users into activating this feature remotely you could have them visit 
a web page (like this one) or have them click on a hyperlink with the handler 
embedded. When they see the "Do you want to enable logging on Yahoo! 
Messenger?" Warning dialog box popup you could inform them that this just 
activates the Yahoo! Messenger Archive feature for them or something similar to 
get them to do it.
http://geocities.com/ken_thompson39/log/Logfile.html

Consequences:

Possible data theft by local users of the computer, compromised IDs and friends 
list communications (through cookie logins from the IDs and cookies gathered) 
via impersonation and increased risk for potential remote DoS attacks to be 
launched successfully due to such heavy loads of logging that can be induced.

Solution (temporary):

Set ypager.log permissions to Read-only or check for the logging when Messenger 
is started up each time it's used from a shared computer using the URL handler 
to disable it when signing in. Deleting the file before Messenger is started 
won't help as the file is recreated (it's needed even if the Logfile feature is 
disabled) if it isn't found in the Messenger folder.