BugTraq
Yahoo Messenger Flaw allows injection of JavaScript into IM Windows Dec 05 2003 01:35PM
Chet Simpson (secure ytunnelpro com)


Title: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
Author: Chet Simpson (secure (at) ytunnelpro (dot) com [email concealed])
Date: December 5th, 2003

Host Platforms tested:        Windows ME and Windows XP (SP1a)
Target Applications tested:   Yahoo Messenger 5.5 (Build 1249)
                              Yahoo Messenger 5.6 (Build 1355)
Target Applications affected: ??All?? versions of Yahoo Messenger
Components Affected:          ypager.exe
Prerequisites:                The IMVironment feature must be enabled
Possible Dangers:             Password Theft
                              XSS Cookie Exploits
                              Application/System crashes
Example included:             Yes

Summary:
--------

A vulnerability found in ypager.exe allows a website to inject [malicious] HTML,
scripts, and possibly ActiveX controls into a Yahoo Messenger IM window.

Details:
--------

Yahoo Messenger installs a special URL handler to automatically launch any URL
starting with "ymsgr:". For Netscape, the YAuto.dll file is used. For Internet
Explorer the main executable (ypager.exe) is launched. The Messenger-specific
URL protocol allows for automatically opening Instant Messages, Chatrooms,
and File Transfer sessions. The exploit documented here is specific to the
functionality provided by this URL protocol to initiate an Instant Messaging
session with another user. The format to initiate this session is as follows:

ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield

One of the features of this undocumented URL protocol is the ability to
specify the "IMVironment" that should be used during the IM session.
When Yahoo Messenger attempts to load an IMVironment, the name of the
IMVironment is displayed at the top of the text area in the IM window.
If the IMVironment cannot be found or an error occurs, a message will be
displayed at the bottom of the same window stating that the IMVironment
cannot be loaded. Although the message at the top of the window is filtered
to prevent injection of HTML and scripts, the error message is not.

By placing an IFRAME tag in place of the IMVironment name, an additional
web page can be loaded in the context of Yahoo Messenger. This is extremely
dangerous as the IE HTML Control does not necessarily adhere to the current
security and privacy settings selected by the user. This allows a webpage
containing scripts to be loaded and provides an environment in which to execute
malicious scripts.
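As an added illustration (not code from the advisory, and not Yahoo's own handler), the following Python splits a ymsgr:sendIM URL into the fields described above and shows the check the error message was missing: the untrusted IMVironment name is HTML-escaped before it is placed into the window, and is additionally matched against an assumed name whitelist. The sample URL and the allowed-character pattern are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Field layout from the advisory:
#   ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield
# Assumed whitelist for IMVironment names (not Yahoo's real rule):
# letters, digits, space, underscore, dot, dash, at most 64 chars.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def parse_send_im(url):
    """Parse a ymsgr:sendIM URL into its '&'-separated fields.

    Returns {'username': ..., 'imvironment': ...}; raises ValueError
    for other schemes/actions or when the username field is empty.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "ymsgr":
        raise ValueError("not a ymsgr: URL")
    action, _, query = rest.partition("?")
    if action != "sendIM":
        raise ValueError("unsupported action: %r" % action)
    # Percent-decode each field; pad so the IMVironment slot always exists.
    fields = [unquote(f) for f in query.split("&")]
    fields += [""] * max(0, 4 - len(fields))
    if not fields[0]:
        raise ValueError("missing username")
    return {"username": fields[0], "imvironment": fields[2]}


def is_safe_imvironment_name(name):
    """True only if the name consists of whitelisted characters."""
    return bool(ALLOWED_NAME.match(name))


def imvironment_error_message(name):
    """Build the 'cannot be loaded' message with the name escaped, so
    markup supplied through the URL is shown as text, not rendered."""
    return "The IMVironment %s could not be loaded." % html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed sample: a name carrying HTML tags in the IMVironment slot.
    fields = parse_send_im("ymsgr:sendIM?alice&0&%3Cb%3Ex%3C/b%3E&0")
    print(fields, is_safe_imvironment_name(fields["imvironment"]))
    print(imvironment_error_message(fields["imvironment"]))
```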

Example Scripts:
----------------

There are three (3) files included in the example archive which
demonstrate the flaw outlined in this document:

ymsgr1.html  - This is the primary 'host' file containing a Yahoo
               Messenger link which initiates a Yahoo Messenger
               IM session. Run this first and click on the link.

ymsgr2.html  - This file is loaded by Yahoo Messenger into the IM
               window once it opens and the IMVironment fails to load.
               The sample JavaScript contained in this file may not
               work in all cases but was chosen to show the severity
               of this flaw. Once loaded it will attempt to gather the
               Yahoo ID and, if available, the encoded password stored in
               the system registry. It may not work on all systems, as
               some anti-virus software may block it.

ymsgr2p.html - Same as ymsgr2.html but displays the Yahoo ID and encoded
               password in a popup window. This will not work with
               popup or ad blockers.

ymsgr3.php   - This file is accessed by ymsgr2.html and is responsible
               for displaying the Yahoo ID and encoded password gathered
               by the included script.

Take note that the chosen script may not work on all configurations. During
testing the IFRAME injection was blocked by Y!TunnelPro and by McAfee
Anti-Virus. Norton Anti-Virus Pro 2004 and IMSecurePro did not appear to
stop the script.

A demo of this script can be seen at the following URL:

http://www.ubabble.com/ymsgr1.html

The archive containing this file and the example scripts can be found here:

http://www.ubabble.com/ymsgr.zip - Zip format
http://www.ubabble.com/ymsgr.tgz - GZipped Tarball

Side Effects:
-------------

This exploit has an extremely nasty side effect. If the IFRAME is added to
the ymsgr URL in certain ways, the IMVironment information will be saved in
such a way that Messenger will no longer log in. This requires that either
the IMVironment keys in the registry be cleaned or Yahoo Messenger be
completely uninstalled.

Workaround:
-----------

Until Yahoo can fix the problem, the exploit can be avoided by turning off
IMVironments in the Yahoo Messenger preferences.
