Subject: [NT] Multiple Vulnerabilities in Yahoo! Messenger (Filename Spoofing, Privilege Escalation)
Date: 24 Feb 2005 17:06:58 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  Multiple Vulnerabilities in Yahoo! Messenger (Filename Spoofing, Privilege 
Escalation)
------------------------------------------------------------------------


SUMMARY

 <http://messenger.yahoo.com/> Yahoo! Messenger is "a free instant 
messaging service that you can use to communicate with other people who 
also use Yahoo! Messenger".

Yahoo! Messenger contains multiple vulnerabilities: filename spoofing in 
file transfers and privilege escalation through the Audio Setup Wizard.

DETAILS

Vulnerable Systems:
 * Yahoo! Messenger version 6.0.0.1750 (for Windows)

Immune Systems:
  * Yahoo! Messenger version 6.0.0.1921 (for Windows) or newer

Audio Setup Wizard Privilege Escalation
Yahoo! Messenger contains a vulnerability which can be exploited by 
malicious, local users to gain escalated privileges.

The vulnerability is caused by a combination of weak default directory 
permissions and the Audio Setup Wizard (asw.dll) invoking the "ping.exe" 
utility insecurely during the connection testing phase. This can be 
exploited to execute arbitrary code with the privileges of another user by 
placing a malicious "ping.exe" file in the application's "Messenger" 
directory.

Successful exploitation requires that a user runs the Audio Setup Wizard 
and that the application has been installed in a non-default location (not 
as a subdirectory of the "Program Files" directory).
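
An audit for the two conditions described above, added here as an example (it is not code from the advisory or the vendor): it probes whether the current account can create files in an install directory and lists executables there that share a name with a system utility such as "ping.exe". The install path in the script is a hypothetical placeholder.

```python
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd"}


def can_create_files(directory):
    """True if the account running the audit can create a file in directory."""
    try:
        # Real write probe; the temporary file is removed again on close.
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def shadowing_binaries(app_dir, system_dir):
    """Executables in app_dir that share a name with a file in system_dir."""
    system_names = {p.name.lower() for p in Path(system_dir).iterdir() if p.is_file()}
    return sorted(
        p.name
        for p in Path(app_dir).iterdir()
        if p.is_file()
        and p.suffix.lower() in EXECUTABLE_SUFFIXES
        and p.name.lower() in system_names  # case-insensitive, as on Windows
    )


def audit_install_dir(app_dir, system_dir):
    """Report the two conditions the advisory combines for one install directory."""
    writable = can_create_files(app_dir)
    shadows = shadowing_binaries(app_dir, system_dir)
    return {"writable": writable, "shadowing": shadows,
            "needs_review": writable or bool(shadows)}


if __name__ == "__main__":
    # Hypothetical non-default install path; replace with the real one.
    app = r"D:\Apps\Messenger"
    system = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(app) and os.path.isdir(system):
        print(audit_install_dir(app, system))
```

Run it from a standard (non-administrator) account so the write probe reflects what a local unprivileged user can do.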

File Transfer Filename Spoofing
Yahoo! Messenger wraps overly long filenames and shows only the first line 
of the filename in the file transfer dialogs. The file extension can thus 
be spoofed for a filename containing whitespace and two file extensions.

Successful exploitation requires that the option "Hide extension for known 
file types" is enabled in Windows (default setting).
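
A receiving-side check for the filename pattern described above, added here as an example (not code from the advisory or the vendor): it flags a decoy extension followed by whitespace and then an executable extension, and produces a display form in which the real extension cannot be pushed out of view. The extension list is an assumption.

```python
import re

# Assumed list of extensions Windows runs directly; extend to match local policy.
RISKY_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

# A short "extension" immediately followed by whitespace: the decoy that is
# still visible when only the first line of a wrapped name is displayed.
DECOY = re.compile(r"\.([A-Za-z0-9]{1,5})\s")


def analyse_filename(name):
    """Split an offered filename into decoy and real extension and flag spoofing."""
    head, dot, ext = name.rstrip().rpartition(".")
    real = ext.strip().lower() if dot else ""
    match = DECOY.search(head) if dot else None
    decoy = match.group(1).lower() if match else None
    return {
        "decoy_extension": decoy,
        "real_extension": real,
        "suspicious": decoy is not None and real in RISKY_EXTENSIONS,
    }


def display_safe(name):
    """Collapse whitespace runs so the real extension stays next to the name."""
    return re.sub(r"\s+", " ", name.strip())


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ("holiday.jpg" + " " * 40 + ".exe", "annual report.pdf"):
        print(repr(display_safe(sample)), analyse_filename(sample))
```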

Disclosure Timeline:
04/01/2005 - Vendor notified about Privilege Escalation.
           - Vulnerability of Filename Spoofing was discovered.
10/01/2005 - Vendor notified about Filename Spoofing.
14/01/2005 - Vendor contacted second time about Privilege Escalation.
17/01/2005 - Vendor response about Privilege Escalation.
19/01/2005 - Vendor confirms the vulnerability of Filename Spoofing.
16/02/2005 - Vendor issues updated version for the Privilege Escalation.
17/02/2005 - Vendor issued fixed version for the Filename Spoofing.
18/02/2005 - Public disclosure.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:che@secunia.com> Carsten H. 
Eiram and by  <mailto:as@secunia.com> Andreas Sandblad.
The original article about Privilege Escalation can be found at:
http://secunia.com/secunia_research/2004-6/advisory/
The original article about Filename Spoofing can be found at:
http://secunia.com/secunia_research/2005-2/advisory/


