xisto Community
tansqrx

Critical Bug In Yahoo! Messenger Webcam Activex


This bug first came to light on Information Week’s website yesterday, June 6, 2007 (http://www.informationweek.com/critical-bugs-discovered-in-yahoo-messenger/d/d-id/1055907). The original research group is the well-known eEye (https://www.beyondtrust.com/?s=patch+Tuesday), which said the vulnerability was serious and could lead to remote code execution. Since the original report it has also been posted by Computer World (http://forums.xisto.com/no_longer_exists/) that a separate researcher named “Danny” has released the exploit into the wild. In a follow-up today he also posted a second exploit. All of the discussions can be found at http://forums.xisto.com/no_longer_exists/.

It looks like the fun may be over. Yahoo! has announced the release of a patch to correct the buffer overflow in the webcam ActiveX control. The official Yahoo! announcement of the patch is located at http://forums.xisto.com/no_longer_exists/. This is a very quick turnaround for Yahoo!, as the exploit was only public for three days before a patch was issued. More detail can be found at http://forums.xisto.com/no_longer_exists/. The patch does require you to completely reinstall Messenger and has not been automatically pushed out as of late Friday, June 8, 2007. Since the patch is not automatic, the fun may continue for at least a few more days.

As a public service I decided to create a page that checks for this vulnerability. The start page can be found at http://forums.xisto.com/no_longer_exists/.


On June 6, 2007 eEye Security (https://www.beyondtrust.com/?s=patch+Tuesday) published a report stating that Yahoo! Messenger was susceptible to a buffer overflow. The next day a Yahoo! spokesperson let it slip that the problem was in the webcam ActiveX control that allows a user to display his webcam on a webpage. Shortly after that, exploit code was published on the Full Disclosure mailing list (http://forums.xisto.com/no_longer_exists/). There are actually two different components that can be exploited, ywcupl.dll (Webcam Upload) and Ywcvwr.dll (Webcam Download).


What to expect

Here you can test to see if you are vulnerable to this particular exploit. Be warned that this may cause the following:

• Crash of web browser

• System becomes unstable

• Antivirus screaming bloody murder

If you are vulnerable then your web browser should crash. I have found that it is more likely to happen in IE than Firefox.


Ywcvwr.dll Runs Calc.exe

This was the first proof of concept. It uses a fairly standard payload that starts the Windows calculator.


ywcupl.dll Runs Freecell.exe

The second proof of concept is certainly much more nasty. It will download a program from anywhere on the Internet and then run that program. In my example I download Free.exe and then run it. Free.exe simply opens a new process for the Free Cell Windows game. Free.exe is written in VB.NET so you will have to have the .NET Framework to run it. Certainly you could use your imagination and see that this is the ultimate exploit.


References

• http://forums.xisto.com/no_longer_exists/

• http://www.informationweek.com/critical-bugs-discovered-in-yahoo-messenger/d/d-id/1055907

• http://forums.xisto.com/no_longer_exists/

• http://forums.xisto.com/no_longer_exists/

• http://www.securityfocus.com/archive/1/470861

• http://www.zdnet.com/topic/security/?p=274
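An added example, not code from the thread or from Yahoo!, for administrators who want to find out where the two webcam DLLs named in the post sit on a machine and whether Internet Explorer has been told to refuse the control while the reinstall is pending. It assumes the DLLs live under the Program Files Yahoo! folder (adjust the search roots otherwise) and uses a placeholder CLSID; the real CLSID of the control is not given in the thread and must be taken from the vendor advisory. The kill-bit check reads the standard `Compatibility Flags` value (bit 0x400) under the IE `ActiveX Compatibility` key.

```powershell
# Added example; not code from the forum thread. Inventories the two webcam ActiveX
# DLLs named above and checks whether IE's kill bit is set for the control's CLSID.
# ASSUMPTIONS: install locations under Program Files\Yahoo! (adjust if needed) and
# a PLACEHOLDER CLSID; take the real CLSID from the vendor advisory before use.

$dllNames    = @('ywcupl.dll', 'ywcvwr.dll')          # Webcam Upload / Webcam Download
$searchRoots = @("$env:ProgramFiles\Yahoo!",
                 "${env:ProgramFiles(x86)}\Yahoo!",
                 "$env:SystemRoot\System32")

function Get-WebcamControlInventory {
    # Returns one object per copy of either DLL found, with its file version and
    # timestamp, so it can be compared against the version in the patched installer.
    foreach ($root in $searchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Include $dllNames -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Version  = $_.VersionInfo.FileVersion
                    Modified = $_.LastWriteTime
                }
            }
    }
}

function Test-ActiveXKillBit {
    # The kill bit is bit 0x400 of the 'Compatibility Flags' DWORD under the
    # ActiveX Compatibility key; when set, IE refuses to instantiate the control.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Set-ActiveXKillBit {
    # Mitigation for hosts that cannot reinstall Messenger yet: set the kill bit.
    # Requires an elevated shell. Existing flag bits are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor 0x400) -Type DWord
}

# Usage: list every copy of the two DLLs, then report the kill-bit state.
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER, not the real CLSID
Get-WebcamControlInventory | Format-Table -AutoSize
"Kill bit set for $placeholderClsid : $(Test-ActiveXKillBit -Clsid $placeholderClsid)"
```

The inventory is deliberately version-agnostic: the thread does not state the patched file version, so the script reports what it finds and leaves the comparison to the administrator. Setting the kill bit only blocks instantiation from Internet Explorer; it is a stop-gap until the reinstall described in the second post is done, not a replacement for it.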
