  #1 biggy7
    Any way to hack Yahoo messenger?

    Is there any way to hack someone else's Yahoo messenger, to see who's on their lists etc etc?

    If so let me know!!!

    nice1

  #2 unclex

    Title 27/5/2002
    Yahoo Messenger - Multiple Vulnerabilities

    Summary
    Security vulnerabilities in YIM have recently been found that can allow unauthorized execution of programs on a YIM user's PC via buffer overflows or Java or Visual Basic script execution added through YIM Content tabs. The net impact is to allow a relatively simple opportunity to hijack users' YIM client outright, and use it to attack or intrude into YIM users' supposedly private information systems.

    Details
    Vulnerable systems:
    * Yahoo! Messenger version 5.0.0.1061

    Immune systems:
    * Yahoo! Messenger version 5.0.0.1065

    Buffer Overflows:
    When Yahoo! Messenger (YIM) is installed, it registers its own handler for URLs of the type "ymsgr". For example, in the Win98 Registry, this handler is HKEY_LOCAL_MACHINE\Software\CLASSES\ymsgr\shell\open\command that has a value for "(Default)" of "< Hard-drive:\Directories\ >YPAGER.EXE %1".

    Thus when any URL beginning with "ymsgr:" [no slashes, no "//"] is input into a web browser supported by or integrated with YIM, "ypager.exe %1" is executed on the complete URL.

    With no proper bounds checking in the ymsgr protocol, attackers can overflow the YIM function calls "call", "sendim", "getimv", "chat", "addview", "addfriend" tags.

    For example, loading URL "ymsgr:call?(84)+8-8344332&p=DaHØ" into a YIM-integrated browser will cause ypager.exe to be executed, and it will then execute the YIM/Net2Phone "Call Centre" application and prepare it to dial the phone number and name in the URL.

    If we input a string that has more than 260 bytes, we will crash YIM; 264 bytes will overwrite the EBP register; four (4) more bytes will overwrite the EIP register. In total, 268 bytes are needed to cause a buffer overflow.

    For example, this URL
    ymsgr:call?+< aaaaaaaaaaaaaaaa... >
    would overwrite both the EBP (Extended Base Pointer) and EIP (Extended Instruction Pointer). The ellipsis, "...", represents an extension to 268 bytes (e.g. 0x61616161, of "a"s). From there, attackers could overwrite the EIP with any location in memory they choose, jump to their exploit code, and have the code run under the current user's normal privileges.

    The following are susceptible to BOFs (Buffer Overflows) as well. However, this time we need to punch in another 100 bytes:
    ymsgr:sendim?+< aaaaaaa..... 368 bytes here >
    ymsgr:chat?+< aaaaaaa..... 368 bytes here >
    ymsgr:addview?+< aaaaaaa..... 368 bytes here >
    ymsgr:addfriend?+< aaaaaaa..... 368 bytes here >

    Yahoo! Instant Messenger (YIM) Hi-Jack (Java, Visual Basic script execution)
    URLs beginning with "ymsgr:addview?" let users add browser-ready Yahoo! content to YIM's "Content Tabs" for viewing in YIM, without a web browser. YIM installs with default Tabs for Stocks, Weather, Calendar, News, etc.

    The following URL is provided to demonstrate this vulnerability. To use it, you must have Yahoo! Messenger (YIM) installed and integrated with a compatible web browser.

    ymsgr:addview?[Only registered and activated users can see links. ]

    This simple, completely harmless, sample exploit will start up YIM, if not already started, add a new "Content Tab" called "YIM Cal-Hack" to YIM's current set, then display a dialogue box with one option, "OK", then open the "YIM Cal-Hack" content, a quick, 9-click set of instructions to disable the exploit.

    To see the contents of DemH0.htm, simply remove the Yahoo! redirection parts of the exploit URL above or load this URL into any browser:
    [Only registered and activated users can see links. ]

    Note, however, that to completely remove the "YIM Cal-Hack" (before the user's next YIM upgrade) a minor Windows registry edit is needed: simply exit YIM; "Find" the text string "YMSGR_test" or "YIM Cal-Hack", using Start-> Run->regedit->Edit->Find; then delete the YMSGR_test key; exit regedit; and restart YIM.

    Note also that DemH0.htm is not a standard HTML file -- though it calls three other standard HTML files. Instead, DemH0.htm contains only YIM- specific tags. In fact, if you insert the normal HTML opening tags, "<html> <head> <script>...", the exploit will not work and YIM will simply respond with a dialogue box stating, "Error adding view... The view format is invalid." -- As demonstrated by this URL:
    ymsgr:addview?[Only registered and activated users can see links. ]

    Threat significance
    Yahoo! Instant Messenger (YIM) Hi-Jack (above) demonstrates how potential attackers could replace or even visually replicate almost any YIM content and insert scripts into their own HTML that could be used to do almost anything on a YIM user's machine. For example, it would not be too difficult to modify the demonstration exploit above to request a YIM user's ID and password and send it to any email address or Internet URL.

    Minimum user intervention is required to exploit these vulnerabilities. Modifications of the ymsgr URLs provided above could readily be hidden in HTML pages or emails with text or images enticing YIM users to click on them. Further, scripts could be used to load such ymsgr-exploit URLs into pop-up browser windows with no direct user intervention.

    Vendor status:
    Yahoo! was informed of this vulnerability on 05/05/2002. In discussions with Yahoo Security the authors agreed to await Yahoo!'s release of a repaired version of Yahoo! Messenger (YIM). Yahoo! made the repaired version available for download and installation on 24/05/2002 at: [Only registered and activated users can see links. ]

    Additional information
    The information has been provided by Phuong Nguyen.
    Have Fun.

    U.N.C.L.E. X

    More UNCLEX than last week but less next :woot:

  #3 unclex

    Yahoo! Instant Messenger (YIM) Hi-Jack 101 -- Multiple Vulnerabilities & Demonstration Exploit

    Date : 05/02/2002
    Version : Yahoo! Messenger (5, 0, 0, 1061) [latest build at time]
    Platforms : Win98, Win2K, XP Pro (and likely all Windows versions)
    Severity : Medium - High

    Contents :
    01. Summary
    02. Software/Supplier Status
    03. Vulnerability #1: Buffer Overflows
    04. Vulnerability #2: Yahoo! Instant Messenger (YIM) Hi-Jack 101 (Remote Java Visual Basic script execution)
    05. Threat Significance
    06. Credits


    01. Summary:

    At the end of 2001, Yahoo! Instant Messenger (YIM) was estimated by Jupiter Media Metrix to be the ad-sponsored choice of some 12 million Instant Messaging (IM) Internet users whose numbers are increasing at over 25% per annum,
    [Only registered and activated users can see links. ]

    Media Life, however, estimates the number of global IM users at the end of 2001 to be over 200 million with 32%, or 64 million, using Yahoo! Messenger,
    [Only registered and activated users can see links. ]

    Security vulnerabilities in YIM have recently been found which can allow unauthorized execution of programs on a YIM user's PC via buffer overflows or Java or Visual Basic script execution added through YIM Content tabs. The net impact is to allow a relatively simple opportunity to hijack users' YIM client outright, and use it to attack or intrude into YIM users' supposedly private information systems.

    02. Software/Supplier Status:

    Yahoo! was informed of this vulnerability on 05/05/2002. In discussions with Yahoo Security the authors agreed to await Yahoo!'s release of a repaired version of Yahoo! Messenger (YIM). Yahoo! made the repaired version available for download and installation on 24/05/2002 at
    [Only registered and activated users can see links. ]

    Notably, Yahoo! removed some functionality from the repaired YIM version. Specifically, according to Yahoo, the "addview" function (see below) has been removed until Yahoo! can rewrite it and provide sufficient security to prevent exploitation of Vulnerability #2 below.


    03. Vulnerability #1: Buffer Overflows

    When Yahoo! Messenger (YIM) is installed, it registers its own handler for URLs of the type "ymsgr". For example, in the Win98 Registry, this handler is HKEY_LOCAL_MACHINE\Software\CLASSES\ymsgr\shell\open\command which has a value for "(Default)" of "<Hard-drive:\Directories\>YPAGER.EXE %1".

    Thus when any URL beginning with "ymsgr:" [no slashes, no "//"] is input into a web browser supported by or integrated with YIM, "ypager.exe %1" is executed on the complete URL.

    With no proper bounds checking in the ymsgr protocol, attackers can overflow the YIM function calls "call", "sendim", "getimv", "chat", "addview", "addfriend" tags.

    For example, loading URL "ymsgr:call?(84)+8-8344332&p=DaHØ" into a YIM-integrated browser will cause ypager.exe to be executed, and it will then execute the YIM/Net2Phone "Call Centre" application and prepare it to dial the phone number and name in the URL.

    If we input a string that has more than 260 bytes we will crash YIM; 264 bytes will overwrite the EBP register; four (4) more bytes will overwrite the EIP register. In total, 268 bytes are needed to cause a buffer overflow.

    For example, this URL

    ymsgr:call?+<aaaaaaaaaaaaaaaa...>

    would overwrite both the EBP (Extended Base Pointer) and EIP (Extended Instruction Pointer). The ellipsis, "...", represents an extension to 268 bytes (e.g. 0x61616161, of "a"s). From there, attackers could overwrite the EIP with any location in memory they choose, jump to their exploit code and have the code run under the current user's normal privileges.

    The following are susceptible to BOFs (Buffer OverFlows) as well. But this time we need to punch in another 100 bytes:

    ymsgr:sendim?+<aaaaaaa..... 368 bytes here>
    ymsgr:chat?+<aaaaaaa..... 368 bytes here>
    ymsgr:addview?+<aaaaaaa..... 368 bytes here>
    ymsgr:addfriend?+<aaaaaaa..... 368 bytes here>

    Another susceptibility is illustrated by "ymsgr:getimv?+<aaaaaaa..... 368 bytes here>", as reported to BugTraq on February 21, 2002 by "Scott Woodward" <scott@phoenixtechie.com>. We include it here in case anyone wants an example of this particular exploit.


    04. Vulnerability #2: Yahoo! Instant Messenger (YIM) Hi-Jack 101 (Java, Visual Basic script execution)

    URLs beginning with "ymsgr:addview?" let users add browser-ready Yahoo! content to YIM's "Content Tabs" for viewing in YIM, without a web browser. YIM installs with default Tabs for Stocks, Weather, Calendar, News, etc.

    The following URL is provided to demonstrate this vulnerability. To use it, you must have Yahoo! Messenger (YIM) installed and integrated with a compatible web browser. (We only tested this exploit on Microsoft's Internet Explorer 5.0+.)

    ymsgr:addview?[Only registered and activated users can see links. ]

    This simple, completely harmless, sample exploit will start up YIM, if not already started, add a new "Content Tab" called "YIM Cal-Hack" to YIM's current set, then display a dialogue box with one option, "OK", then open the "YIM Cal-Hack" content, a quick, 9-click set of instructions to disable the exploit. (Send it to your friends for a laugh. )

    To see the contents of DemH0.htm, simply remove the Yahoo! redirection parts of the exploit URL above or load this URL into any browser:

    [Only registered and activated users can see links. ]

    Note, however, that to completely remove the "YIM Cal-Hack" (before the user's next YIM upgrade) a minor Windows registry edit is needed: simply exit YIM; "Find" the text string "YMSGR_test" or "YIM Cal-Hack", using Start-> Run->regedit->Edit->Find; then delete the YMSGR_test key; exit regedit; and restart YIM.

    Note also that DemH0.htm is not a standard HTML file -- though it calls three other standard HTML files. Instead, DemH0.htm contains only YIM-specific tags. In fact, if you insert the normal HTML opening tags, "<html> <head><script>...", the exploit will not work and YIM will simply respond with a dialogue box stating, "Error adding view... The view format is invalid." -- as demonstrated by this URL:

    ymsgr:addview?[Only registered and activated users can see links. ]


    05. Threat Significance

    Vulnerability #2 (above) demonstrates how potential attackers could replace or even visually replicate almost any YIM content and insert scripts into their own HTML that could be used to do almost anything on a YIM user's machine. For example, it would not be too difficult to modify the demonstration exploit above to request a YIM user's ID and password and send it to any email address or Internet URL.

    Minimum user intervention is required to exploit these vulnerabilities. Modifications of the ymsgr URLs provided above could readily be hidden in HTML pages or emails with text or images enticing YIM users to click on them. Further, scripts could be used to load such ymsgr-exploit URLs into pop-up browser windows with no direct user intervention.

    Given there are now somewhere between 13-65 million Yahoo! Messenger users worldwide (as described in the Summary above), the potential impact of this vulnerability poses a highly significant threat to users who do not soon upgrade their Yahoo! Messenger clients.


    06. Credits:

    VICE Consulting, Technical: Phuong Nguyen
    VICE Consulting, Editorial: AD Marshall



    Have Fun.
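The advisory above gives concrete byte thresholds for the ymsgr: verbs (268 for "call", 368 for the rest) and notes that any "addview" link injects a content tab. The following is an added example, not code from the advisory, VICE Consulting or Yahoo!, of a small scanner a mail or web gateway could run over HTML to flag such links; the regex, function names and sample HTML are constructed here.

```python
import re

# Byte thresholds taken from the advisory above: the "call" verb overflows at
# 268 bytes, the other verbs at 368 bytes (arguments are counted after the "?").
OVERFLOW_BYTES = {
    "call": 268,
    "sendim": 368,
    "getimv": 368,
    "chat": 368,
    "addview": 368,
    "addfriend": 368,
}

# Matches a ymsgr: link and captures its verb and argument. The argument stops
# at whitespace, quotes or angle brackets so it works on raw href= values.
# (Constructed here; not the advisory's own pattern.)
YMSGR_LINK = re.compile(r'''ymsgr:(?P<verb>[a-z]+)\?(?P<arg>[^\s"'<>]*)''', re.IGNORECASE)


def scan_ymsgr_links(text):
    """Return (verb, reason, arg_bytes) for every suspicious ymsgr: link in text."""
    findings = []
    for match in YMSGR_LINK.finditer(text):
        verb = match.group("verb").lower()
        arg_bytes = len(match.group("arg").encode("utf-8"))
        if verb not in OVERFLOW_BYTES:
            findings.append((verb, "unknown-verb", arg_bytes))
        elif arg_bytes >= OVERFLOW_BYTES[verb]:
            findings.append((verb, "oversized-argument", arg_bytes))
        elif verb == "addview":
            # Any addview link adds a content tab, so flag it even when short.
            findings.append((verb, "addview-content-tab", arg_bytes))
    return findings


# Constructed sample page: one benign link, one oversized "call" link, one addview.
SAMPLE_HTML = (
    '<a href="ymsgr:sendim?friend">chat with me</a>\n'
    '<a href="ymsgr:call?+' + "a" * 300 + '">free call</a>\n'
    '<a href="ymsgr:addview?http://example.invalid/DemH0.htm">calendar</a>\n'
)


def scan_sample():
    return scan_ymsgr_links(SAMPLE_HTML)


if __name__ == "__main__":
    for verb, reason, size in scan_sample():
        print(f"{verb:10s} {reason:22s} {size} bytes")
```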

  #4 WideOn

    hacks were plugged a long time ago

    Script kiddy

    WideOn
