Yahoo! Messenger URL Handler Remote DoS Vulnerability
From: Torseq Tech. <bindshell () gmail com>
Date: 14 May 2005 03:41:32 -0000
Title: Yahoo! Messenger URL Handler Remote DoS Vulnerability
Discovered By: Torseq Tech. <bindshell () gmail com>
Date: Friday, May 13, 2005
Application affected: Yahoo! Messenger ver. 5.x - 6.0 Windows (all builds), *Nix/Mac ? (not tested)
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Yes
Description: A Denial-of-Service attack can be launched against Yahoo! Messenger. It can be exploited both locally and
remotely, through IFRAMEs or by tricking the target into clicking a YMSGR: URL handler link in chat or in a PM. A
remote user can disconnect Yahoo! Messenger users via e-mail or by having the victim visit a web page.
A Denial-of-Service vulnerability exists in the way Yahoo! Messenger processes arguments in its YMSGR: URL handler
links. By crafting the links with certain characters after the first colon or after the third colon (after YMSGR:) we
can make Messenger send malformed packets to Yahoo!'s YMSG servers. When these packets are received, Yahoo! immediately
disconnects us from our current chat session.
In the past the YMSGR: handler has been abused to cause buffer overflows in Yahoo! Messenger and to DoS it remotely,
causing errors that could not be recovered from until Messenger was restarted.
By placing data after the first or third colon of a YMSGR: link, preceded by an ampersand (&), we can force Yahoo!
Messenger to generate malformed room login packets containing whatever data we would like to send to the Yahoo! YMSG
servers, which disconnect the client upon receipt.
Example of a 'legit' use of the YMSGR: URL handler to join a room:
The above link would instruct Yahoo! Messenger to send a join room request packet to the server, the room in this
example being ChatterBox:2. Breaking down the arguments we have the room name, room # and room space #, all of which are
required in a complete YMSGR: "chat?" link (Messenger 6.0 won't send any packets if this syntax isn't followed). All of
this together would be used to enter a given room by invoking the handler.
It is interesting to point out that after the room name, room # and rmspace # are supplied, the room # and rmspace # aren't
even used in the request packet, so even though we're specifying a specific room to join, the packets don't reflect that
and instead Yahoo! sends us to a ChatterBox room # at random. This is apparently a bug in itself, since the only way
to have Messenger send the room request packet at all is to include the three colons, even though the arguments
behind them aren't used (until now).
Example of a malicious use of the YMSGR: URL handler to disconnect a Messenger user:
When created and used in this manner, Yahoo! Messenger will accidentally "corrupt" the room login and/or room join
request packets with whatever data we'd like to add, injected after the last ampersand in the link.
The example here inserts a smiley face into a 0x00 0x96 room login request packet; the server rejects it and
immediately disconnects the target:
59 4D 53 47 00 0C 00 00 00 46 YMSG.....F
00 96 00 00 00 00 9D 9E 1F F9 31 30 39 C0 80 6B ......ù109Àk
65 6E 5F 74 68 6F 6D 70 73 6F 6E 33 39 C0 80 31 en_thompson39À1
C0 80 3C 28 2A 5F 2A 29 3E C0 80 36 C0 80 61 62 À<(*_*)>À6Àab
63 64 65 C0 80 39 38 C0 80 75 73 C0 80 31 33 35 cdeÀ98ÀusÀ135
C0 80 79 6D 36 2C 30 2C 30 2C 31 39 32 32 C0 80 Àym6,0,0,1922À
The smiley face in this packet, between the YMSG delimiters "À1À" and "À6À", should really have been the id again,
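To make the dumped packet concrete, here is an added parser (my own example, not code from the advisory) that decodes the bytes above, checks the header's length field, splits the C0 80 delimited key/value pairs and flags the injected smiley. The header layout and the meaning of keys 1 and 109 are assumptions read off the dump and the sentence above, not a Yahoo! specification.

```python
import struct

# Packet from the advisory's hex dump, re-typed here as a byte string (constructed sample input).
SAMPLE_PACKET = bytes.fromhex(
    "59 4D 53 47 00 0C 00 00 00 46 00 96 00 00 00 00 9D 9E 1F F9"
    "31 30 39 C0 80 6B 65 6E 5F 74 68 6F 6D 70 73 6F 6E 33 39 C0 80 31"
    "C0 80 3C 28 2A 5F 2A 29 3E C0 80 36 C0 80 61 62 63 64 65 C0 80 39 38"
    "C0 80 75 73 C0 80 31 33 35 C0 80 79 6D 36 2C 30 2C 30 2C 31 39 32 32 C0 80"
)

SEP = b"\xc0\x80"  # YMSG field delimiter, shown as "À" in the dump's ASCII column
# assumed 20-byte header: magic, version, vendor id, body length, service, status, session id
HDR = struct.Struct(">4sHHHHII")

def parse_ymsg(pkt: bytes) -> dict:
    """Decode one YMSG packet into header fields plus an ordered list of (key, value) pairs."""
    if len(pkt) < HDR.size:
        raise ValueError("packet shorter than the 20-byte YMSG header")
    magic, version, vendor, length, service, status, session = HDR.unpack_from(pkt)
    if magic != b"YMSG":
        raise ValueError("missing YMSG magic")
    body = pkt[HDR.size:]
    if len(body) != length:
        raise ValueError(f"length field says {length} but body has {len(body)} bytes")
    fields = body.split(SEP)
    # a well-formed body is key SEP value SEP ..., so the split ends with "" and has an odd count
    if fields[-1] != b"" or len(fields) % 2 == 0:
        raise ValueError("body is not a delimiter-terminated sequence of key/value pairs")
    parts = [f.decode("latin-1") for f in fields[:-1]]
    pairs = list(zip(parts[0::2], parts[1::2]))
    return {"version": version, "vendor": vendor, "length": length, "service": service,
            "status": status, "session": session, "pairs": pairs}

def find_anomalies(parsed: dict) -> list:
    """Checks a server or proxy could apply; they catch the injected smiley in the sample packet."""
    problems = []
    for key, _ in parsed["pairs"]:
        if not key.isdigit():  # YMSG keys are numeric strings
            problems.append(f"non-numeric key {key!r}")
    kv = dict(parsed["pairs"])
    # assumption from the advisory: key 1 is meant to repeat the id given under key 109
    if "1" in kv and "109" in kv and kv["1"] != kv["109"]:
        problems.append(f"key 1 value {kv['1']!r} does not match id {kv['109']!r}")
    return problems

if __name__ == "__main__":
    parsed = parse_ymsg(SAMPLE_PACKET)
    print(f"service 0x{parsed['service']:04x}, {len(parsed['pairs'])} pairs: {parsed['pairs']}")
    print("anomalies:", find_anomalies(parsed))
```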
By embedding this into IFRAMEs and links in web pages or e-mails we can remotely disconnect the target. Since a link's
contents are sometimes obvious (when hovering over it with the mouse pointer), we could possibly get around the
suspicion (or add to it?) by encoding the handler arguments as hex characters.
Two obfuscated link examples:
<a href="YMSGR:%63%68%61%74%3F:::%26%26%26%26">Click Here</a>
<a href="YMSGR:Chat?:::%26%26%26%26">Click Here</a>
An IFRAME example:
*Note: If the target is not in a chat room when the link is clicked or the IFRAME containing the handler link is loaded,
an ad may pop up in the "Connecting to Yahoo! Chat" window. After the ad loads, clicking "Enter Chat" will cause the
disconnect. If the target is already in chat at the time, or if no ad pops up when they're not in chat, they'll be
disconnected immediately.
Fix: In the Windows registry, delete the string value "c:\progra~1\yahoo!\messenger\ypager.exe %1" under
HKEY_CLASSES_ROOT\ymsgr\shell\open\command, or point it to another file or location (preferably a file that won't be run
in multiple instances). As a result all future YMSGR: links will cease to operate under Yahoo! Messenger.