Dear all,
I believe I have found a security issue to do with
Yahoo Messenger, specifically one of the programs
that comes with it - YSERVER.EXE.
From a PC running Windows 98, dialed into an ISP
with PPP - no firewall - I noticed a slowdown on the
machine. The task list revealed YSERVER.EXE, a
program I had no knowledge of and had not invoked
myself. A file-search of yser*.* returned
YSERVER.EXE in the directory that Yahoo
Messenger had been installed into and a log file,
YSERVER.LOG.
I terminated the program, dropped the connection and
looked at the log file. Within it were multiple IP
addresses from which "GET... cmd.exe" commands,
as per Nimda/CodeRed, were coming. This led
me to believe that YSERVER.EXE may be advertising
itself as a webserver.
To verify that the IP addresses were infected, after
renaming the executable I went to the homepage of
one of them and received a download message of
a .EML file coupled with a warning from Norton
Anti-Virus that the file being offered was infected with
Nimda.
I decided to search the web for information about
YSERVER.EXE and found only one pertinent piece of
information in
http://pluglist.mybutt.net/pipermail/plug-security/2001-November/000106.html
posted by Craig Carey.
Thus far I have found an extreme lack of information
on the web, including on Yahoo's site itself, about this
executable and how it is called/why it advertises itself
without the user being aware.
Given the above occurrence I find myself wondering,
especially after the AIM hole exposure, what the
ramifications are for Yahoo Messenger? Obviously,
with the YSERVER advertising itself it is making a
user a target for not only probes but also DOS
attacks but, does it go further than that? Can
YSERVER be buffer-overflowed and the machine
exploited/wiped/have malicious code installed to
partake in a DDOS?
Unfortunately program analysis is not my field and I
have no knowledge of using debuggers or how to
apply methodologies to try to reproduce the
invocation of programs like this so I am posting here,
having been advised to by Elias Levy, for those of you
with the expertise to analyse my findings and see if
this is actually an issue.
System on which behaviour happened: Pentium 233,
80MB RAM, Windows 98, IE5.5SP2 (OS & IE fully
patched)
Connected to internet via PPP
Programs being run at time of discovery: ZMUD,
Yahoo Messenger, Eudora, TheCleaner, NukeNabber
(YSERVER found to be running but not invoked by
user action)
Version of Yahoo Messenger: 4,1,0,998
Date of occurrence: Dec 24th, 2001
(Yahoo notified via Customer feedback on website
that evening)
Note: YSERVER.EXE also found in current build
5,0,0,1052
Thank you for your time,
Eddie Chandler
Sys-Admin
NT4 MCSE, Win2K Pro MCP
www.taos.com
Received on Jan 04 2002
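A defender-side check for the kind of log the post describes, added here as an example and not part of the original message or of Yahoo's software. The post does not describe the format of YSERVER.LOG, so the access-log layout and the addresses below are constructed; the script flags requests carrying the well-known Nimda and Code Red probe strings and counts them per source address.

```python
import re
from collections import Counter

# Constructed sample in a generic web-server access-log style. The real
# YSERVER.LOG format is not described in the post, so this is an assumption.
SAMPLE_LOG = """\
198.51.100.23 - - [24/Dec/2001:14:02:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.23 - - [24/Dec/2001:14:02:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.9 - - [24/Dec/2001:14:05:40 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
192.0.2.77 - - [24/Dec/2001:14:07:03 -0500] "GET /index.html HTTP/1.0" 200 512
203.0.113.9 - - [24/Dec/2001:14:08:15 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""

# Request substrings associated with the worms the post names:
# cmd.exe / root.exe requests (Nimda) and default.ida (Code Red).
PROBE_PATTERNS = {
    "nimda": re.compile(r"(cmd|root)\.exe", re.IGNORECASE),
    "codered": re.compile(r"default\.ida", re.IGNORECASE),
}

# Common Log Format prefix: client address, two dashes, timestamp, request.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def classify_request(request):
    """Return the worm family a request line resembles, or None."""
    for name, pat in PROBE_PATTERNS.items():
        if pat.search(request):
            return name
    return None

def scan_log(text):
    """Return (source_ip, family, request) for every probe-like entry."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        family = classify_request(m.group("req"))
        if family:
            hits.append((m.group("ip"), family, m.group("req")))
    return hits

def source_summary(hits):
    """Count probe entries per (source_ip, family) to see who is scanning."""
    return Counter((ip, family) for ip, family, _ in hits)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, family, req in found:
        print(f"{ip:15} {family:8} {req}")
    print(source_summary(found))
```

Infected hosts in the summary are candidates to report to their ISP; the more important local finding is that an unexpected listener was reachable on the dial-up address at all.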