Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Yahoo! research
Posted by: nemessis
Date: January 05, 2008 06:00PM

About Yahoo!

Author: SlicK
Email: slick@rstzone.org
Website: http://rstzone.org or http://en.rstzone.org


This article is a result of about 2 weeks of research, tests and lots of hard work and will cover a few aspects related to Yahoo!
that some of you may already know but nonetheless, i find them interesting. The purpose is to shed some light on a few "myths" about
yahoo! and to answer some of the questions related to them.



Part I. "yahoo64" Encoding Algorithm

This Algorithm is used by Yahoo! anywhere there is a need to transform a string of non-printable characters into a printable one.
Its called coding not cripting because it does not offer any protection for the string of characters to be coded. Without going into
to many cryptographic details, we need to mention that yahoo64 is very similar to base64 but its charset is longer(two more chars).
For yahoo64 the charset is: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"

yahoo64 has a few characteristics that need to be mentioned:
- all the characters from the coded string are part of the above mentioned charset
- the length of the string is a multiple of 4
- based on the length of the initial string, the end of the cripted string may be "-" or "--"

* Note: for further details, study the 2 php functions (for coding and decoding) at the end of this article




Part II. Analysis of the Yahoo Token

From what i've noticed so far, the Yahoo! token is a sum of the user and password, unique for each username and is changed in part,
every time the password is changed. Basically, owning this token means that you are either the owner of the account (username) or
an entity who has the permission from its owner to act in his/her name on yahoo servers.

The user ca obtain his token by accessing this link:

https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=USERNAME&passwd=PASSWORD

where USERNAME and PASSWORD are a valid username/password cobination.

This token is useful because it can offer a valid yahoo COOKIE anytime.

https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=[TOKEN]

An example of response to a request to "https://login.yahoo.com/config/pwtoken_get" can be this:

0
ymsgr=AGG6e0diD9m.3D4YlFPVcdBT1wFXKSBWP0Hl.gyQKd.qec8-
partnerid=KSBWP0Hl.gyQKd.qec8-

"ymsgr" is the token i spoke about earlier and as we can see, "partnerid" is part of this token (at the end). This "partnerid" is
unique for each user and does not change even if you change the password. Its length varies upon the length of the username.

As you can see, the length of the token is 48(multiple of 4) and ends in "-" which shows us that it is coded with yahoo64. After
decoding, we get the following string of characters (where every 2 characters represent the hexadecimal value of a single character
of the decoded token):

00 61 BA 7B 47 62 0F D9 BE DC 3E 18 94 53 D5 71 D0 53 D7 01 57 29 20 56 3F 41 E5 FA 0C 90 29 DF AA 79 CF

All the tokens i've seen so far had the first character "0x00"
The following 4 characters represent the "timestamp" (the number of seconds elapsed since 1-1-1970) when the user was created or
when the password was changed, only that the "timestamp" is reversed. For an instance, in the above given example, the "timestamp"
will be 0x477BBA61(decimal 1199290977) which means "Wed, 2 Jan 2008 16:22:57 GMT"

Decoding "partnerid" we get the following string:

29 20 56 3F 41 E5 FA 0C 90 29 DF AA 79 CF

which, as we can see are the last 14 characters at the end of the token.

If we eliminate the first character (00) from the token, the "timestamp"(61 BA 7B 47) and the decoded "partnerid" we will have only this

62 0F D9 BE DC 3E 18 94 53 D5 71 D0 53 D7 01 57

The resulting string has 16 characters which leads to the conclusion that it is a hash MD5 (md5() produces a 128 bits hash meaning 16
characters between 0x00 and 0xFF. Not to be mistaken for md5_hex() which results a string of 32 characters representing the hexadecimal
values of the 16 characters produced by md5() )

When changing the password, only the "timestamp" is modified and this MD5 hash. This leads me to think that either the timestamp or
the password or both are part of the initial string (that produces the hash).

I need to mention for those that want to run some tests, that this token need to be kept SECRET because, as i said before, revealing
the token can compromise the account. (you dont need to know the password in order to obtain a set of cookies).



Part III. Yahoo! Messenger - "Remember my ID and Password"

Starting with version 7.x.x.x Yahoo! Messnger doesn't memorise the password when the "Remember my ID and Password"is checked. Instead,
it retains the token I spoke of earlier since the token is enough for a successful authentication.

The token is cripted and saved at this key in the windows registry:

HKEY_CURRENT_USER\Software\Yahoo\Pager\ETS

The user is also saved(as it is needed for decoding) at this key:

HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID

The analysis i ran on a ETS string is pretty brief: the token is cripted using a key made of "MBCS sucks + USERNAME". The resulting
string is then coded with "yahoo64" and saved in the registry's under the ETS key.

This is an example of an ETS string

R3_oNgAARNmYGcE.D8dcDOwRohZ0PzaYM2fgN6pFI8a8grRcaEq6zfXUNNUVm2MnuufdKTETuB9cKmcaarY0O4dJVHBsUw5gNw--

This is the result afer decoding

47 7F E8 36 00 00 44 D9 98 19 C1 3E 0F C7 5C 0C EC 11 A2 16 74 3F 36 98 33 67 E0 37 AA 45 23 C6 BC 82 B4 5C 68 4A BA CD F5 D4 34 D5 15 9B 63 27 BA E7 DD 29 31 13 B8 1F 5C 2A 67 1A 6A B6 34 3B 87 49 54 70 6C 53 0E 60 37

The only thing i noticed about this strin is that the first 4 characters are the timestamp when this string was created (upon login)




Part IV. YMSGR v15 Authentification

I will assume you are already familiar with Yahoo! Messenger protocol (package forming and parameters)

For compatibility reasons, YMSGR15 accepts also the classical login (with user/password). Yet, more important is the fact that it uses
COOKIE authentication (based on token).

For a successful login Yahoo! Messenger follows these steps:

- If the "Remember my ID & password" tick box is checked, it decrypts the ETS string and obtain a token. If not, it will use the
username and password to make a request at: "https://login.yahoo.com/config/pwtoken_get" to get the token
- Once connected to one of the yahoo servers, it sends a VERIFY package (0x4C)
- If it receives a valid VERIFY reply from the server, it begins the authentication procedure
- Sends an AUTH package (0x57) with the following parameters:
"1" - USERNAME
- Receives a "AUTHRESP" package (0x54) from which it extracts the value of parameter "94" (CHALLANGE)
- Having a valid token of the user, it will make a request to "https://login.yahoo.com/config/pwtoken_login" o obtain the "Y" and "T"
values of the cookie as well as the "crumb" value (CRUMB)
- It creates a string (STRING307) like this: yahoo64(md5(CRUMB+CHALLENGE))
- Then it send an AUTHRESP package (0x54) with parameters:
"277" - parameter Y
"278" - parameter T
"307" - STRING307
"0" - USERNAME
"2" - USRNAME
"2" - "1"
"1" - USERNAME
"244" - a random number (ex. "2097087")
"98" - "us"
"135" - client version (ex. "8.1.0.421")
"148" - "-120"

- If everything is OK the user is authenticated and the server sends the buddy list and other info such as new mails, add buddy
request and so on.



Part V. The analyze and explanation of Yahoo! cookies

Once the user is authenticated by a Yahoo service, he will receive the "Y" and "T" so my analysis was focused on these 2 cookies.
The Y cookie can be configured to expire anytime between 15 mins to 24 hours. The T cookie usually expires when you close your browser
or when you logout form the account. For services with low security such as the "My Yahoo" page, the Y cookie is enough but for the
more impotant ones, mail, calendar, etc. the T cookie is a must. As you probably noticed a Yahoo cookie is made in
pairs "parameters=value". Further on, i will analyze the parameters that form each cookie and i will try to come with an explanation
for their presence and purpose.


The Y cookie:

Example:

Y=v=1&n=9mioklmar8tku&l=glagla/o&p=m2509oh012000000&r=in&lg=en-US&intl=us&np=1

Contains the username, an unique ID and a few demographic informations. Usually this remains unchanged for a user and the only thing
that will be modified is the unique ID(when you change the password) and the demographic informations (when you change the address,
language and so on).

As we can see, it is made of the "v", "n", "l", "p", "r", "l", "g", "intl" and "np" parameters but not all of them are necessary for
a successful identification of a user.

The "n" parameter is an unique internal ID of the user (it is changed only when changing the password) which is compared to an yahoo
internal value on certain requests in order to obtain information or for the automatic expiration of all of the old cookies when
changing the password.

The "l" parameter is the username encoded with a simple algorithm where each character of the user has a correspondent in a different
string as follows:

PLAINTXT=klmnopqrstuvwxyz0123457896abcdefghij._
ENCODED=abcdefghijklmnopqrstuvxyzw0123456789._

Thus, for this cookie the username is "qvkqvk"

The "p" parameter contains personal info of the user: age, gender, date of birth, country, etc.

The rest of the parameters also contain information about language, certain settings, etc.


The T cookie

Example:

T=z=Cr7eHBCxQfHBJkF/Bqb4dnUMzIwBjVPNDQzNDFOME8-&a=QAE&sk=DAAk3Lb2EiyEEM&ks=EAA3i37q0zwFhuCnF6cflaKHg--~A&d=c2wBTkRVM0FUSTRNek0wTXpZNU56Zy0BYQFRQUUBenoBQ3I3ZUhCZ1dBAXRpcAFzNkpUZEM-

Contains timestamps and a symmetrical digital signature. This is changed only when response time from the yahoo server is modified
(regardless of how many cookies are generated in a second, they are identical)

It is made of parameters "z", "a", "sk", "ks", and "d" but to be authenticated by the web services you only need the sk,ks and d
parameters but for Yahoo! Messenger authentication the "z" parameter is mandatory.

The "z" parameter exists for compatibility with older services and it is in close connection with the CRUMB value used for Yahoo!
Messenger authentication, Tis parameter contains two timestamps(in Yahoo format), a random 11 characters string and a yahoo64
enconded string.

The best analogy i can give to explain the Yahoo timestamp is to compare it to the km/mileage gauge on a car. Each character
(from left to right) can be compared with a gear with the values from the charset(yahoo64 charset where "_" is replaced by "/"). When
the first character finishes a complete rotation, through all the positions, the second characters goes goes up one step.This process
continues like this until the 6th character. Since we know that the first character goes up one step per second we can calculate the
timestamp in UNIX format.

The first 6 chars from the "z" paramater are the timestamp when the cookie was created(upon succesfull authentication), the next 6
are the timestamp when the cookie expires(24 hours after the first timestamp). The next 11 characters change randomly and i haven't
explaind their presence yet (althow i presume it has soemting to do with the CRUMB). The remaining charachters left are a yahoo64
encoded string wich decoded looks like this(for the above example).
Where [SEP] is the hexadecimal character 0x06

320[SEP]5O44341N0O

The "a" parameter (it usually has the value "QAE") contains flags for expiration and under-age child protection.

The "sk" parameter represents the session (session key) and is calculated out of the username, unique ID and timestamp as well as of
a string known only by Yahoo! servers (Yahoo shared secret)

The "ks" parameter is (by my observations) a hash of the user's password or another string which replaces the password cause without
its presence would lead to a request to input the password (on Yahoo servers).

If we ignore the first 3 characters which are changing ("DAA") and the last 2 characters which also remains unchanged ("~A") we get
a yahoo64 coded string which most probably represents an MD5 hash (the decoded string has 16 characters) which is most likely generated
by using a shared secret.

The "d" parameter contains the users' session and a few compatibility informations.
This is a yahoo64 coded string. After decoding the "d" value from the given example we wil have the following string:

sl[SEP]NDU3ATI4MzM0MzY5Nzg-[SEP]a[SEP]QAE[SEP]zz[SEP]Cr7eHBgWA[SEP]tip[SEP]s6JTdC

You can notice that this string is also a paired "parameter=value" one.

sl=NDU3ATI4MzM0MzY5Nzg-&a=QAE&zz=Cr7eHBgWA&tip=s6JTdC

The value of the "sl" parameter is also a yahoo64 coded string:

457[SEP]2833436978 (or 457=2833436978)

This is number is unique for each user and does not modify even if you change the password.

The 'a" parameter is the same with one from the "T" cookie.

The "zz" parameter represents the timestamp(in Yahoo format) when the cookie was created(same as the first timestamp from the "z"
parameter) and 3 extra characters.

The "tip" parameter is the same for all Yahoo! users but is changing periodically(i dont know the exact interval).


Thats about it. Congratulations to those who been patient enough to read it through the end.



The yahoo64 encoding algorithm:

/* yahoo64.php */
<?php
//yahoo64 encode/decode functions by SlicK [slick@rstzone.org]

function yahoo64_encode($source)
{
$yahoo64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._";
$limit=strlen($source)-(strlen($source)%3);
$dest="";
for($i=0;$i<$limit;$i+=3)
{
$dest.=$yahoo64[ord($source[$i])>>2];
$dest.=$yahoo64[((ord($source[$i])<<4)&0x30) | (ord($source[$i+1])>>4)];
$dest.=$yahoo64[((ord($source[$i+1])<<2)&0x3C) | (ord($source[$i+2])>>6)];
$dest.=$yahoo64[ord($source[$i+2])&0x3F];
}

switch(strlen($source)-$limit)
{
case 1:
{
$dest.=$yahoo64[ord($source[$i])>>2];
$dest.=$yahoo64[(ord($source[$i])<<4)&0x30];
$dest.='--';
} break;

case 2:
{
$dest.=$yahoo64[ord($source[$i])>>2];
$dest.=$yahoo64[((ord($source[$i])<<4)&0x30) | (ord($source[$i+1])>>4)];
$dest.=$yahoo64[((ord($source[$i+1])<<2)&0x3c)];
$dest.='-';
} break;
}
return($dest);
}

function Index($string,$chr)
{
for($i=0;$i<64;$i++) { if($string[$i]==$chr) { return($i); } } return(-1);
}

function yahoo64_decode($source)
{
$yahoo64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._";
$len=strlen($source);
if($source[$len-1]=='-') { $plus=2; }
if($source[$len-2]=='-') { $plus=1; }
if($plus>0) { $len-=4; };

$dest="";
for($i=0;$i<$len;$i+=4)
{
$chr1=Index($yahoo64,$source[$i]);
$chr2=Index($yahoo64,$source[$i+1]);
$chr3=Index($yahoo64,$source[$i+2]);
$chr4=Index($yahoo64,$source[$i+3]);
$dest.=chr(($chr1<<2)|($chr2>>4));
$dest.=chr((($chr2&0xF)<<4)|($chr3>>2));
$dest.=chr((($chr3&0x3)<<6)|($chr4&0x3F));
}
switch($plus)
{
case 1:
{
$chr1=Index($yahoo64,$source[$i]);
$chr2=Index($yahoo64,$source[$i+1]);
$dest.=chr(($chr1<<2)|($chr2>>4));
} break;

case 2:
{
$chr1=Index($yahoo64,$source[$i]);
$chr2=Index($yahoo64,$source[$i+1]);
$chr3=Index($yahoo64,$source[$i+2]);
$dest.=chr(($chr1<<2)|($chr2>>4));
$dest.=chr((($chr2&0xF)<<4)|($chr3>>2));
} break;
}
return($dest);
}

//usage example

$string="any string";
print("Original string=$string<br>\n");

$encoded=yahoo64_encode($string);
print("Encoded string=$encoded<br>\n");

$decoded=yahoo64_decode($encoded);
print("Decoded string=$decoded<br>\n");
?>
/* END */

http://www.rstcenter.com - Romanian Security Team
Inchirieri limuzine

Options: ReplyQuote
Re: Yahoo! research
Posted by: sirdarckcat
Date: January 05, 2008 09:26PM

a smaller version of the yahoo64 function:
function yahoo64($string){
     return strtr(base64_encode($string),"+/=","._-");
}

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: ReplyQuote


Sorry, only registered users may post in this forum.