[GTER] Yahoo Instant Messenger YAUTO.DLL buffer overflow

Fabiano fabiano.br at uol.com.br
Thu Dec 4 20:56:19 -02 2003





  Yahoo Instant Messenger YAUTO.DLL buffer overflow

  PROGRAM: Yahoo Instant Messenger (YIM)
  HOMEPAGE: http://messenger.yahoo.com


  YIM is one of the most popular instant messengers. This is a cool product
  that allows me to chat with my gf from a very long distance :-).


  YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
  Instant Messenger. YAUTO.DLL is registered under a ProgID called
  "YAuto.NSAuto.1". In this component, there is a function named
  Open(String Url) that will cause a buffer overflow if the argument Url is
  a long string. Since this is an ActiveX component, the vulnerability can
  be exploited just by making a website with the correct CLSID of
  the ActiveX and calling the function directly. We have successfully exploited
  the vulnerability by making a website that can download a trojan and
  execute it silently.


  Yahoo has been contacted at enterprisesales at yahoo-inc.com (this
  is the only email that I can find on the Yahoo Messenger Site) but
  has not responded after 1 month. The workaround solution is deleting
  the YAUTO.DLL file in your YIM directory.


  Discovered by Tri Huynh from SentryUnion


  The information within this paper may change without notice. Use of
  this information constitutes acceptance for use in an AS IS condition.
  There are NO warranties with regard to this information. In no event
  shall the author be liable for any damages whatsoever arising out of
  or in connection with the use or spread of this information. Any use
  of this information is at the user's own risk.


  Please send suggestions, updates, and comments to: trihuynh at zeeup.com
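
  An added example for administrators, not part of the original advisory: a PowerShell check that resolves the ProgID named above to its CLSID, reports where the registered DLL lives (to confirm the delete workaround), and can set the Internet Explorer kill bit for the control. The kill bit is a general Windows mechanism that the advisory does not mention; the function name and its -Apply switch are hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example, not from the advisory. Run elevated on the host being checked.
# Function and parameter names are hypothetical; the ProgID is the advisory's.
function Protect-YAutoControl {
    param(
        [string]$ProgId = 'YAuto.NSAuto.1',
        [switch]$Apply                      # without -Apply the function only reports
    )
    $killBit  = 0x400                       # "Compatibility Flags" kill-bit value
    $clsidKey = "HKLM:\SOFTWARE\Classes\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        Write-Output "$ProgId is not registered machine-wide on this host."
        return
    }
    $clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')   # default value = {CLSID}

    # Native and 32-bit (WOW64) views: class registration and IE kill-bit store.
    $views = @(
        @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
           Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
        @{ Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
           Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
    )
    foreach ($v in $views) {
        $server = Join-Path $v.Classes "$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $server)) { continue }
        $dll    = (Get-Item -LiteralPath $server).GetValue('')   # path of the registered DLL
        $compat = Join-Path $v.Compat $clsid
        $flags  = 0
        if (Test-Path -LiteralPath $compat) {
            $cur = (Get-Item -LiteralPath $compat).GetValue('Compatibility Flags')
            if ($null -ne $cur) { $flags = [int]$cur }
        }
        $killed = ($flags -band $killBit) -ne 0
        if ($Apply -and -not $killed) {
            # Create the key only if missing, so existing values are preserved.
            if (-not (Test-Path -LiteralPath $compat)) { New-Item -Path $compat -Force | Out-Null }
            New-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                -PropertyType DWord -Value ($flags -bor $killBit) -Force | Out-Null
            $killed = $true
        }
        [pscustomobject]@{
            Clsid = $clsid; Dll = $dll
            DllPresent = ([bool]$dll -and (Test-Path -LiteralPath $dll))
            CompatKey = $compat; KillBitSet = $killed
        }
    }
}

Protect-YAutoControl          # report only; add -Apply to set the kill bit
```

  A row with DllPresent = True and KillBitSet = False marks a host where neither the advisory's workaround nor the kill bit is in place.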
