Vulnerability Development
mailing list archives
Yahoo pager
From: Blake Frantz <blake () MAIL MC NET>
Date: Wed, 30 Aug 2000 14:51:59 -0500
All,
I don't know if this applies to the list or if it is even exploitable by
adding hostile code at the end of the URL. I bring it up because of the
popularity of Yahoo Messenger.
When a URL is presented that exceeds 1024 characters, Yahoo messenger
creates an application exception (Number c0000005, access violation).
I tested this on:
Yahoo Messenger 3,0,0,770
MyYahoo Module 2,0,0,348
on
Windows 2000 Professional 5.000.2195.
and YM generated the exception.
I tested another box:
Yahoo Messenger 3,0,0,769
MyYahoo Module 2,0,0,344
on
Windows 98 SE 4.10.2222 A
and nothing significant happened.
This is what the Dr. Watson log says on the Win2K box
(the bottom of the log has the state dump):
<snip>
Application exception occurred:
App: (pid=1268)
When: 8/30/2000 @ 00:06:54.717
Exception number: c0000005 (access violation)
*----> System Information <----*
Computer Name: PENNY
User Name: Administrator
Number of Processors: 1
Processor Type: x86 Family 6 Model 5 Stepping 2
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: None
Current Type: Uniprocessor Free
Registered Organization: XXXXXXXXX
Registered Owner: XXXXXXXX
*----> Task List <----*
0 Idle.exe
8 System.exe
132 smss.exe
160 csrss.exe
180 winlogon.exe
208 services.exe
220 lsass.exe
380 svchost.exe
408 SPOOLSV.exe
440 svchost.exe
476 regsvc.exe
492 mstask.exe
528 snmp.exe
576 winmgmt.exe
612 inetinfo.exe
736 explorer.exe
992 winampa.exe
1140 3cshtdwn.exe
1152 3cmlink.exe
1224 MDM.exe
548 OUTLOOK.exe
716 ntvdm.exe
1212 IEXPLORE.exe
1268 YPager.exe
1300 drwtsn32.exe
0 _Total.exe
(00400000 - 0048D000)
(77F80000 - 77FF9000)
(77E80000 - 77F36000)
(77E10000 - 77E75000)
(77F40000 - 77F7C000)
(76B30000 - 76B6E000)
(77C70000 - 77CBA000)
(77DB0000 - 77E0A000)
(77D40000 - 77DAF000)
(77B50000 - 77BDA000)
(775A0000 - 777E0000)
(78000000 - 78046000)
(77A50000 - 77B45000)
(65340000 - 653D5000)
(77820000 - 77827000)
(759B0000 - 759B6000)
(77570000 - 775A0000)
(75050000 - 75058000)
(75030000 - 75044000)
(75020000 - 75028000)
(10000000 - 10010000)
(00230000 - 00239000)
(012E0000 - 0131F000)
(77CC0000 - 77D40000)
(01640000 - 01669000)
(63000000 - 63073000)
(76B20000 - 76B25000)
(772B0000 - 7731C000)
(01950000 - 01979000)
(71500000 - 71611000)
(77850000 - 7788C000)
(770C0000 - 770E3000)
(76D90000 - 76DE3000)
(1A400000 - 1A472000)
(75D50000 - 75DD2000)
(70000000 - 70242000)
(4A000000 - 4A02C000)
(4AA00000 - 4AA15000)
(02510000 - 0252D000)
(02860000 - 0287B000)
(02990000 - 029A8000)
(774E0000 - 77512000)
(774C0000 - 774D1000)
(77530000 - 77552000)
(77830000 - 7783E000)
(77520000 - 77525000)
(77C10000 - 77C6D000)
(75170000 - 751BF000)
(77BE0000 - 77BEF000)
(751C0000 - 751C6000)
(75150000 - 7515F000)
(77950000 - 77979000)
(77980000 - 779A4000)
(77840000 - 7784C000)
(75AC0000 - 75AE8000)
(777E0000 - 777E8000)
(777F0000 - 777F5000)
(74FD0000 - 74FE1000)
(75010000 - 75017000)
(75E60000 - 75E7A000)
(77560000 - 77569000)
(77400000 - 77408000)
(77410000 - 77423000)
State Dump for Thread Id 0x4e4
eax=00000001 ebx=0018da51 ecx=0012fe88 edx=77e694a0 esi=0012f958 edi=00000daf
eip=61616161 esp=0012e7e8 ebp=61616161 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
function: <nosymbols>
</snip>
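Added example (not part of Blake's post and not Yahoo's code): the register dump above shows eip=61616161 and ebp=61616161, and 0x61 is ASCII 'a', so the dump is consistent with the instruction pointer and saved frame pointer having been overwritten by bytes from the over-long URL rather than pointing at real code. The C below shows the defensive pattern that avoids this class of defect (a fixed 1024-byte buffer, assumed to match the threshold in the report, that rejects input which does not fit), plus a small triage helper that parses a Dr. Watson register line and flags an EIP made of one repeated printable byte. The URL_MAX constant and all function names are assumptions made for this example.

```c
/* Added example, not from the original post. Demonstrates (1) a bounded
 * copy of a URL into a fixed-size stack buffer that rejects over-long
 * input instead of overflowing, and (2) a crash-triage heuristic for the
 * "eip=61616161" pattern seen in the Dr. Watson state dump. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

#define URL_MAX 1024   /* assumed buffer size, matching the 1024-char threshold in the report */

/* Copy url into dst only if it fits, including the terminating NUL.
 * Returns 0 on success, -1 if the input is too long. Scanning stops at
 * dstlen so an unterminated input can never be read past the limit.
 * An unchecked strcpy() into a 1024-byte stack buffer is the kind of
 * defect that would produce a dump like the one above. */
int copy_url_bounded(const char *url, char *dst, size_t dstlen) {
    size_t n = 0;
    while (n < dstlen && url[n] != '\0') n++;
    if (n >= dstlen) return -1;        /* no room for NUL: reject, do not truncate silently */
    memcpy(dst, url, n + 1);
    return 0;
}

/* Hardened handler: returns the accepted URL length, or -1 if rejected. */
int handle_url(const char *url) {
    char buf[URL_MAX];
    if (copy_url_bounded(url, buf, sizeof buf) != 0) return -1;
    /* normal processing on buf would follow here */
    return (int)strlen(buf);
}

/* Triage heuristic: if all four bytes of EIP are the same printable
 * character, the instruction pointer was most likely overwritten with
 * input data rather than pointing at code. 0x61616161 == "aaaa".
 * Returns 1 and stores the byte in *out_byte (if non-NULL) when it matches. */
int eip_is_repeated_printable(uint32_t eip, char *out_byte) {
    uint8_t b = (uint8_t)(eip & 0xffu);
    for (int i = 1; i < 4; i++)
        if (((eip >> (8 * i)) & 0xffu) != b) return 0;
    if (b < 0x20 || b > 0x7e) return 0;   /* not printable ASCII */
    if (out_byte) *out_byte = (char)b;
    return 1;
}

/* Pull the "eip=XXXXXXXX" token out of a Dr. Watson register line.
 * Returns 1 and sets *eip on success, 0 if the token is absent or malformed. */
int parse_eip(const char *regline, uint32_t *eip) {
    const char *p = strstr(regline, "eip=");
    if (!p) return 0;
    char *end;
    unsigned long v = strtoul(p + 4, &end, 16);
    if (end == p + 4) return 0;
    *eip = (uint32_t)v;
    return 1;
}

int main(void) {
    /* Constructed inputs: a URL that fits the buffer and one that does not. */
    char ok[URL_MAX], toolong[URL_MAX + 2];
    memset(ok, 'a', URL_MAX - 1);      ok[URL_MAX - 1] = '\0';
    memset(toolong, 'a', URL_MAX + 1); toolong[URL_MAX + 1] = '\0';
    printf("1023-char URL: handle_url returned %d\n", handle_url(ok));
    printf("1025-char URL: handle_url returned %d\n", handle_url(toolong));

    /* The register line from the Dr. Watson dump in the report. */
    const char *line = "eip=61616161 esp=0012e7e8 ebp=61616161 iopl=0 nv up ei pl zr na po nc";
    uint32_t eip;
    char b;
    if (parse_eip(line, &eip) && eip_is_repeated_printable(eip, &b))
        printf("eip=%08x is repeated '%c': instruction pointer overwritten by input bytes\n", eip, b);
    return 0;
}
```

The rejection in copy_url_bounded is deliberate: silently truncating with strncpy would avoid the crash but can leave a URL that no longer means what the sender intended, so returning an error and letting the caller refuse the message is the safer choice. The triage helper is only a heuristic; a real address could in principle consist of one repeated byte, so treat a hit as a prompt to inspect the stack rather than as proof.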