Oath: Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow

ID H1:10767
Type hackerone
Reporter mrtuxracer
Modified 2015-08-14T21:43:11


Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, we will take your report into consideration for any future releases. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. The application loads the content of the file emoticons.xml from %PROGRAMFILES(x86)%\Yahoo!\Messenger\Cache when a user logins to determine the available emoticons and their associated shortcuts, which can be used in the chat window. But the application does not properly validate the length of the string of the shortcut value before passing it as an argument to a lstrcpyW call. This leads to a stack-based buffer overflow condition, resulting in possible code execution.

More information can be found at https://www.rcesecurity.com/2015/09/cve-2014-7216-a-journey-through-yahoos-bug-bounty-program/