Full Version: Yauto.dll
TedOb1
this is all i could find on it so far


Yahoo Instant Messenger YAUTO.DLL buffer overflow
=================================================

PROGRAM: Yahoo Instant Messenger (YIM)
HOMEPAGE: http://messenger.yahoo.com
VULNERABLE VERSIONS: 5.6.0.1347 and below


DESCRIPTION
=================================================

YIM is one of the most popular instant messengers. This is a cool product
that allows me to chat with my gf from a very long distance :-).


DETAILS
=================================================

YAUTO.DLL is an ActiveX/COM component that comes with Yahoo
Instant Messenger. YAUTO.DLL is registered under a ProgID called
"YAuto.NSAuto.1". In this component, there is a function named
Open(String Url) that will cause a buffer overflow if argument Url is passed
with a long string. Since this is an ActiveX component, the vulnerability can
be exploited just by making a website with the correct CLSID of
the ActiveX and calling the function directly. We have successfully exploited
the vulnerability by making a website that can download a trojan and
execute it silently.



WORKAROUND
=================================================

Yahoo has been contacted at enterprisesales@yahoo-inc.com (this
is the only email that I can find on the Yahoo Messenger Site) but
doesn't respond after 1 month. The workaround solution is deleting
the YAUTO.DLL file in your YIM directory.


CREDITS
=================================================

Discovered by Tri Huynh from SentryUnion

=+=+=+=+=+=+=+=+=+=+=+=+=+=
coder
thanks for the heads up Tedob1

I installed YIM for win32 a few weeks ago and I have 5.6.0.1351

Was exploit code released, or just an advisory?
chaat_sleuth
Useless cos most ppl will have 5.6.0.1351 or 5.6.0.1355 by now. Unless ppl deleted their yupdate.exe manually they will never be more than 1 update behind.
TedOb1
I'm searching for anything more now; if I find something I'll post it. This just came out yesterday.
chaat_sleuth
QUOTE (TedOb1 @ Dec 5 2003, 07:23 PM)
I'm searching for anything more now; if I find something I'll post it. This just came out yesterday.

Correction, it came out at least 2 days ago... the full disclosure security list is full of posts concerning this... but like I said before... I doubt that you will find some1 with 1347 or lower... cos of the auto update check it does.

h++p://archives.neohapsis.com/archives/fulldisclosure/2003-q4/
TedOb1
I stand corrected. You're absolutely right.

So why do they even bother looking for vulns if this version, for all intents and purposes, doesn't exist anymore?
arken
The main point of the advisory was that YIM was wrought with problems. The author said he would likely be posting more later. The exploit might still work with current versions and other similar exploits likely exist (according to the author).
chaat_sleuth
Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
@ Exploits -> Other Dec 06 2003, 14:11 (UTC+0)

Title: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows

Author: Chet Simpson (secure@ytunnelpro.com)
Date: December 5th, 2003
Host Platforms tested: WindowsME and WindowsXP (sp1a)
Target Applications tested: Yahoo Messenger 5.5 (Build 1249)
Yahoo Messenger 5.6 (Build 1355)
Target Applications affected: ??All?? versions of Yahoo Messenger
Components Affected: ypager.exe
Prerequisites: The IMVironment feature must be enabled
Possible Dangers: Password Theft
                  XSS Cookie Exploits
                  Application/System crashes
Example included: Yes



Summary:
--------
A vulnerability found in ypager.exe allows a website to inject [malicious] html,
scripts, and possibly activex controls into a Yahoo Messenger IM window.



Details:
--------

Yahoo Messenger installs a special URL handler to automatically launch any URL
starting with "ymsgr:". For Netscape, the YAuto.dll file is used. For Internet
Explorer the main executable (ypager.exe) is launched. The Messenger specific
URL protocol allows for automatically opening Instant Messages, Chatrooms,
and File Transfer sessions. The exploit documented here is specific to the
functionality provided by this URL protocol to initiate an Instant Messaging
session with another user. The format to initiate this session is as follows:

ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield


One of the features of this undocumented URL protocol is the ability to
specify the "IMVironment" that should be used during the IM session.
When Yahoo Messenger attempts to load an IMVironment, the name of the
IMVironment is displayed at the top of the text area in the IM window.
If the IMVironment cannot be found or an error occurs a message will be
displayed at the bottom of the same window stating that the IMVironment
cannot be loaded. Although the message at the top of the window is filtered
to prevent injection of HTML and scripts the error message is not.

By placing an IFRAME tag in place of the IMVironment name an additional
web page can be loaded in the context of Yahoo Messenger. This is extremely
dangerous as the IE HTML Control does not necessarily adhere to the current
security and privacy settings selected by the user. This allows a webpage
containing scripts to be loaded and provides an environment in which to execute
malicious scripts.
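The two advisories in this thread describe the same class of mistake from two angles: YAUTO.DLL's Open(String Url) trusts the length of the URL it is handed, and ypager.exe's IMVironment error message trusts its content. The following is an added example (not code from either advisory, from Yahoo, or from the forum posters) showing how a ymsgr:sendIM handler could parse the "ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield" format defensively: cap the URL length before anything else touches it, flag an IMVironment field that carries markup, and HTML-escape the field before it is echoed back in an error message. The field names, the MAX_URL_LEN value, the markup heuristic and the sample URL are all assumptions constructed for the example.

```python
"""Defensive parser for the ymsgr:sendIM URL format described in the advisory.

Added example; the advisory does not publish Yahoo's handler code.
"""
import html
import re
from urllib.parse import unquote

# Assumed upper bound on a URL the handler will accept. The YAUTO.DLL advisory
# attributes its overflow to an over-long Url argument, so the length check
# runs before any other processing.
MAX_URL_LEN = 512

# Heuristic for markup in the IMVironment field (assumption, not Yahoo's filter):
# angle brackets, a javascript: scheme, or an inline event handler attribute.
_MARKUP = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)


class YmsgrError(ValueError):
    """Raised when a URL is rejected before it reaches the messenger."""


def parse_sendim(url):
    """Split ymsgr:sendIM?USERNAME&unknownfield&IMVIRONMENT&unknownfield into fields.

    Field names follow the advisory; the two "unknownfield" slots are kept as-is.
    """
    if len(url) > MAX_URL_LEN:
        raise YmsgrError("URL exceeds maximum length")
    if not url.lower().startswith("ymsgr:sendim?"):
        raise YmsgrError("not a ymsgr:sendIM URL")
    fields = url.split("?", 1)[1].split("&")
    fields += [""] * (4 - len(fields))  # pad missing trailing fields
    user, unk1, imv, unk2 = (unquote(f) for f in fields[:4])
    return {"user": user, "field1": unk1, "imvironment": imv, "field2": unk2}


def looks_injected(imvironment):
    """True if the IMVironment name carries markup rather than a plain name."""
    return bool(_MARKUP.search(imvironment))


def render_error_unsafe(imvironment):
    """Reproduces the flaw: the error text is built from the raw field."""
    return f"Could not load IMVironment: {imvironment}"


def render_error_safe(imvironment):
    """Hardened form: the field is escaped before it reaches the HTML control."""
    return f"Could not load IMVironment: {html.escape(imvironment, quote=True)}"


def classify(url):
    """Return 'reject-length', 'reject-format', 'reject-markup' or 'ok' for a URL."""
    try:
        fields = parse_sendim(url)
    except YmsgrError as exc:
        return "reject-length" if "length" in str(exc) else "reject-format"
    return "reject-markup" if looks_injected(fields["imvironment"]) else "ok"


# Constructed sample: an IMVironment field carrying a percent-encoded IFRAME tag
# pointing at a reserved, non-routable host name.
SAMPLE_INJECTED = "ymsgr:sendIM?alice&&%3Ciframe%20src%3Dhttp%3A%2F%2Fexample.invalid%2F%3E&"
SAMPLE_BENIGN = "ymsgr:sendIM?bob&&beach&"

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_INJECTED):
        verdict = classify(sample)
        imv = parse_sendim(sample)["imvironment"]
        print(f"{verdict:14} unsafe={render_error_unsafe(imv)!r}")
        print(f"{'':14} safe  ={render_error_safe(imv)!r}")
```

The length check and the escaping are independent fixes for independent bugs: the first would have stopped the YAUTO.DLL overflow at the boundary, and the second is what the ypager.exe error message lacked. The markup heuristic is deliberately coarse and is there to flag links for inspection (the kind of check the advisory credits Y!TunnelPro and McAfee with performing), not to replace the escaping.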


Example Scripts:
----------------

There are three (3) files included within the example archive which
demonstrate the flaw outlined in this document:

ymsgr1.html - This is the primary 'host' file containing a Yahoo
Messenger link which initiates a Yahoo Messenger
IM session. Run this first and click on the link.

ymsgr2.html - This file is loaded by Yahoo Messenger into the IM
window once it opens and the IMVironment fails to load.
The sample JavaScript contained in this file may not
work in all cases but was chosen to show the severity
of this flaw. Once loaded it will attempt to gather the
Yahoo ID and if available the encoded password stored in
the system registry.

ymsgr2p.html - Same as ymsgr2.html but displays the Yahoo ID and
encoded password in a popup window. This will not work with
popup or ad blockers.

ymsgr3.php - This file is accessed by ymsgr2.html and is responsible
for displaying the Yahoo ID and encoded password gathered
by the included script.


Take note that the chosen script may not work on all configurations. During
testing the IFRAME injection was blocked by Y!TunnelPro and by McAfee
Anti-Virus. Norton Anti-Virus Pro 2004 and IMSecurePro did not appear to
stop the script.


A demo of this script can be seen at the following URL:

h++p://www.ubabble.com/ymsgr1.html


The archive containing this file and the example scripts can be found here:

h++p://www.ubabble.com/ymsgr.zip - Zip format

h++p://www.ubabble.com/ymsgr.tgz - GZipped Tarball


Side Effects:
-------------

This exploit has an extremely nasty side effect. If the IFRAME is added to
the ymsgr URL in certain ways the IMVironment information will be saved in
such a way that Messenger will no longer log in. This requires that either
the IMVironment keys in the registry be cleaned or Yahoo Messenger to be
completely uninstalled.

Work around:
------------

Until Yahoo can fix the problem the exploit can be avoided by turning off
IMVironments in the Yahoo Messenger preferences.

Invision Power Board © 2001-2005 Invision Power Services, Inc.