Security Advisory

Name: Yahoo! Audio Conferencing ActiveX control buffer overflow.
Systems Affected: Yahoo! Chat, Yahoo! Messenger.
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo.
Date: 06/01/03
Advisory Number: CC060303

Legal Notice:
This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it, or distribute parts of it, without the author's written permission. You may NOT use it for commercial intentions (this means including it in vulnerability databases, vulnerability scanners, any paid service, etc.) without the author's written permission. You are free to use the Yahoo! advisory details for commercial intentions.

Disclaimer:
The information in this advisory is believed to be true, though it may be false. The opinions expressed in this advisory are my own and not those of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for the content or misuse of this advisory or any derivatives thereof.

Overview:
Yahoo! Audio Conferencing is an ActiveX control used by Yahoo! Chat (a web-based service) and Yahoo! Messenger (a Win32 client application). This ActiveX control has a stack-based overflow vulnerability.

Details:
When a long value is set in the Yahoo! Audio Conferencing ActiveX control's "hostname" property and the "createandjoinconference" method is then called, a stack-based buffer overflow occurs. To reproduce the overflow, just cut and paste the following:

------sample.htm-----------
<OBJECT id=yahooaudio type="application/x-oleobject" classid="clsid:2B323CD9-50E3-11D3-9466-00A0C9700498">
</OBJECT>
<script>
yahooaudio.hostname="longstringheremorethan500chars";
yahooaudio.createandjoinconference();
</script>
---------------------------

This ActiveX control is marked as safe, so the above sample will run without being blocked in the default Internet Explorer security configuration. This vulnerability can be exploited to run arbitrary code.

Vendor Status:
Yahoo! was contacted on 05/12/03, we worked together and Yahoo! released a fix.

Patch Available:
Yahoo! Messenger users will be prompted to update upon sign-in. Yahoo! Chat users will be served the new ActiveX control when entering a chat room. The update page will also be linked to from the Yahoo! Chat and Yahoo! Messenger home pages.

NEW SECURITY LIST!!!:
For people interested in SQL Server security, vulnerabilities, SQL injection, etc. Join at: [EMAIL PROTECTED]
http://groups.yahoo.com/group/sqlserversecurity/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
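The trigger pattern in the Details section (the control's CLSID, an oversized "hostname" literal, then a "createandjoinconference" call) can be scanned for statically in HTML that a gateway or mail filter sees. This is an added example, not code from the advisory or from Yahoo!; the 500-character threshold, the regexes and the sample documents in the test are assumptions drawn from the advisory's own sample, and a hostname built at runtime rather than written as a literal is flagged for manual review rather than measured.

```python
import re

# CLSID, property and method names are those quoted in the advisory above.
YAHOO_AUDIO_CLSID = "clsid:2B323CD9-50E3-11D3-9466-00A0C9700498"
HOSTNAME_LIMIT = 500  # the advisory's sample uses a value "more than 500 chars"

OBJECT_TAG_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
STRING_LITERAL_RE = re.compile(r"""(["'])(.*?)\1""", re.DOTALL)


def _attr(tag, name):
    """Return attribute `name` from an HTML start tag (quotes stripped), or None."""
    m = re.search(r"\b" + name + r"""\s*=\s*["']?([^"'\s>]+)""", tag, re.IGNORECASE)
    return m.group(1) if m else None


def scan_for_yahoo_audio_overflow(html):
    """Statically scan one HTML document for the trigger pattern in the advisory.

    'suspicious' is True when the vulnerable control is instantiated and its
    hostname property receives either a literal longer than HOSTNAME_LIMIT or a
    value computed at runtime (concatenation, a function call, ...), which a
    static check cannot size and therefore flags for manual review.
    """
    ids = [_attr(tag, "id") for tag in OBJECT_TAG_RE.findall(html)
           if (_attr(tag, "classid") or "").lower() == YAHOO_AUDIO_CLSID.lower()]
    result = {"control_present": bool(ids), "max_hostname_len": 0,
              "dynamic_hostname": False, "join_called": False}
    scripts = "\n".join(SCRIPT_RE.findall(html))
    for obj_id in filter(None, ids):
        for m in re.finditer(re.escape(obj_id) + r"\.hostname\s*=\s*", scripts, re.IGNORECASE):
            lit = STRING_LITERAL_RE.match(scripts, m.end())
            rest = scripts[lit.end():].lstrip() if lit else "+"
            if rest[:1] in (";", ""):  # a bare literal that ends the statement
                result["max_hostname_len"] = max(result["max_hostname_len"], len(lit.group(2)))
            else:                       # anything else is computed at runtime
                result["dynamic_hostname"] = True
        if re.search(re.escape(obj_id) + r"\.createandjoinconference\s*\(", scripts, re.IGNORECASE):
            result["join_called"] = True
    result["suspicious"] = result["control_present"] and (
        result["max_hostname_len"] > HOSTNAME_LIMIT or result["dynamic_hostname"])
    return result
```

The scan only recognises direct `id.hostname = ...` assignments; property access through other syntax is out of scope for this pattern-based check.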