YM Flaw allows injection of JavaScript in IM

Title: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
Author: Chet Simpson
Date: December 5th, 2003
Host Platforms tested: WindowsME and WindowsXP (sp1a)
Target Applications tested: Yahoo Messenger 5.5 (Build 1249)
                            Yahoo Messenger 5.6 (Build 1355)
Target Applications affected: ??All?? versions of Yahoo Messenger
Components Affected: ypager.exe
Prerequisites: The IMVironment feature must be enabled
Possible Dangers: Password Theft
                  XSS Cookie Exploits
                  Application/System crashes


Summary:
--------
A vulnerability found in ypager.exe allows a website to inject [malicious] HTML,
scripts, and possibly ActiveX controls into a Yahoo Messenger IM window.


Details:
--------
Yahoo Messenger installs a special URL handler to automatically launch any URL
starting with "ymsgr:". For Netscape, the YAuto.dll file is used. For Internet
Explorer the main executable (ypager.exe) is launched. The Messenger specific
URL protocol allows for automatically opening Instant Messages, Chatrooms,
and File Transfer sessions. The exploit documented here is specific to the
functionality provided by this URL protocol to initiate an Instant Messaging
session with another user. The format to initiate this session is as follows:


ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield


One of the features of this undocumented URL protocol is the ability to
specify the "IMVironment" that should be used during the IM session.

When Yahoo Messenger attempts to load an IMVironment, the name of the
IMVironment is displayed at the top of the text area in the IM window.
If the IMVironment cannot be found or an error occurs, a message is
displayed at the bottom of the same window stating that the IMVironment
cannot be loaded. Although the message at the top of the window is filtered
to prevent injection of HTML and scripts, the error message is not.
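The following is an added example, not code from the advisory or from Yahoo: it parses a ymsgr:sendIM link using the four-field format given above, rejects an IMVironment name that is not a plain identifier, and builds the "cannot be loaded" message with the name HTML-escaped, which is the filtering the advisory says the error path lacks. The whitelist pattern and the assumption that fields may be percent-encoded are mine, not taken from the page.

```python
import html
import re
from urllib.parse import unquote

# Format from the advisory: ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield
# Hypothetical whitelist for an IMVironment name: letters, digits, '.', '_', '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_sendim(url):
    """Split a ymsgr:sendIM link into its four '&'-separated fields.

    Returns a dict, or None if the link is not a sendIM link. Fields are
    percent-decoded (an assumption) BEFORE any validation, so an encoded
    '<' cannot slip past the whitelist check below.
    """
    if not url.lower().startswith("ymsgr:sendim?"):
        return None
    fields = url.split("?", 1)[1].split("&")
    fields += [""] * (4 - len(fields))          # pad missing trailing fields
    user, field1, imv, field3 = (unquote(f) for f in fields[:4])
    return {"user": user, "field1": field1, "imvironment": imv, "field3": field3}


def imvironment_is_safe(name):
    """True only when the name matches the identifier whitelist."""
    return bool(SAFE_NAME.match(name))


def render_load_error(name):
    """Build the error text with the attacker-controlled name escaped, so the
    IE HTML control renders it as text rather than as markup."""
    return "IMVironment %s cannot be loaded" % html.escape(name, quote=True)


def handle_sendim(url):
    """Parse the link and return (fields, error_text_or_None). A name that
    fails the whitelist is reported in escaped form and never rendered raw."""
    fields = parse_sendim(url)
    if fields is None:
        return None, None
    if imvironment_is_safe(fields["imvironment"]):
        return fields, None
    return fields, render_load_error(fields["imvironment"])
```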

By placing an IFRAME tag in place of the IMVironment name, an additional
web page can be loaded in the context of Yahoo Messenger. This is extremely
dangerous because the IE HTML control does not necessarily adhere to the
security and privacy settings the user has selected. This allows a web page
containing scripts to be loaded and provides an environment in which to execute
malicious scripts.

Take note that the chosen script may not work on all configurations. During
testing the IFRAME injection was blocked by Y!TunnelPro and by McAfee
Anti-Virus. Norton Anti-Virus Pro 2004 and IMSecurePro did not appear to
stop the script.