Yahoo! Messenger 11.5.0.228 Buffer Overflow - exploit database | Vulners.com
Seebug SSV:89307 (author: 名匿)
History: Sep 05, 2015 - 12:00 a.m.

Yahoo! Messenger 11.5.0.228 Buffer Overflow

Published: 2015-09-05 00:00:00
Author: 名匿
Source: www.seebug.org
17

EPSS: 0.032 (Percentile: 91.2%)

* ADVISORY INFORMATION
-----------------------

Product: Yahoo! Messenger
Vendor URL: http://www.yahoo.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-05-02
Date published: 2015-09-03
CVSSv3 Score: 4.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
CVE: CVE-2014-7216

* VERSIONS AFFECTED
--------------------

Yahoo! Messenger v11.5.0.228 (latest)
Yahoo! Messenger v10.0.0.2009
Older versions may be affected too.

* INTRODUCTION
---------------

Yahoo Messenger is the premier instant messaging (IM) platform, used on a wide variety of desktop and mobile clients. Millions of users throughout the world depend on Yahoo Instant Messenger to manage their social contacts, group lists, and presence information; hold real-time instant communications; and perform data transfer to and from contacts throughout the world. All instantly.
(from the vendor's homepage)

* VULNERABILITY DESCRIPTION
----------------------------

Multiple buffer overflow vulnerabilities have been identified in Yahoo! Messenger v11.5.0.228 and prior.

When a user logs in, the application loads the content of the file emoticons.xml from two directories, %PROGRAMFILES(x86)%\Yahoo!\Messenger\Cache and %PROGRAMFILES(x86)%\Yahoo!\Messenger\Media\Smileys, to determine the available emoticons and their associated shortcuts, which can be used in the chat window. However, the application does not validate the length of the "shortcut" and "title" key values before passing them as arguments to several lstrcpyW calls. This leads to a stack-based buffer overflow condition, which may result in code execution.

An attacker needs to trick the victim into copying an arbitrary emoticons package to the application directory in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

* REPORT TIMELINE
------------------

2014-05-02: Discovery of the vulnerability
2014-05-03: Reported via Yahoo! Bug Bounty program (hackerone.com)
2014-07-19: Vendor forwards the issue to the dev team
2014-08-31: Request for status update due to Yahoo's 120-day policy
2014-09-10: Vendor is still evaluating the issue
2014-09-20: Vendor closes the issue as "Won't fix" due to EOL
2014-10-01: MITRE assigns CVE-2014-7216
2014-10-05: Request to disclose the bug publicly
2015-08-14: Vendor approves the disclosure
2015-09-03: Advisory released


* PROOF-OF-CONCEPT (VULNERABLE CODE PARTS)
-------------------------------------------

YahooMessenger.exe:

title value:

0051D2C1 PUSH DWORD PTR DS:[EAX]                  ; /String2
0051D2C3 LEA EAX,DWORD PTR SS:[EBP]               ; |
0051D2C6 PUSH EAX                                 ; |String1
0051D2C7 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>] ; lstrcpyW

shortcut value:

0051D326 PUSH DWORD PTR DS:[ESI+4]                ; /String2
0051D329 LEA EAX,DWORD PTR SS:[EBP]               ; |
0051D32C PUSH EAX                                 ; |String1
0051D32D CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>] ; lstrcpyW
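The missing length check behind the unbounded lstrcpyW calls above, as an added C example that is not code from the advisory or from Yahoo! Messenger: the buffer sizes, struct layout and function names are assumptions, and the constructed values stand in for the "title" and "shortcut" values read from emoticons.xml.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed stack-buffer sizes; the advisory does not state the real ones. */
#define TITLE_MAX    64
#define SHORTCUT_MAX 16

struct emoticon {
    wchar_t title[TITLE_MAX];
    wchar_t shortcut[SHORTCUT_MAX];
};

/* Bounded replacement for the unchecked lstrcpyW at 0051D2C7 / 0051D32D: the value
 * must fit together with its terminator, otherwise the entry is rejected rather than
 * silently truncated. Returns 0 on success, -1 on rejection. */
static int copy_checked(wchar_t *dst, size_t cap, const wchar_t *src)
{
    size_t n = 0;
    while (n < cap && src[n] != L'\0')   /* scan at most cap characters */
        n++;
    if (n == cap)                        /* no room left for the terminator */
        return -1;
    memcpy(dst, src, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Hardened loader: both key values are validated into a scratch copy, so a
 * rejected entry leaves the caller's struct untouched. */
int load_emoticon(struct emoticon *e, const wchar_t *title, const wchar_t *shortcut)
{
    struct emoticon tmp = { 0 };
    if (copy_checked(tmp.title, TITLE_MAX, title) != 0)
        return -1;
    if (copy_checked(tmp.shortcut, SHORTCUT_MAX, shortcut) != 0)
        return -1;
    *e = tmp;
    return 0;
}

/* Builds a constructed "shortcut" of len 'A' characters (capped at 255) and reports
 * the loader's verdict: 0 accepted, -1 rejected. Hypothetical test helper. */
int try_shortcut_len(size_t len)
{
    static wchar_t buf[256];
    struct emoticon e;
    if (len > 255) len = 255;
    for (size_t i = 0; i < len; i++) buf[i] = L'A';
    buf[len] = L'\0';
    return load_emoticon(&e, L"Smiley", buf);
}
```

The boundary case (SHORTCUT_MAX - 1 characters accepted, SHORTCUT_MAX rejected) is exactly the check the original code lacks before each lstrcpyW.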
