Sla.ckers.org
Yahoo! Vulnerabilities - (CSRF and browser dos in webmessenger)
Posted by: nemessis
Date: January 06, 2008 07:11AM

Yahoo! Vulnerabilities (Again) & some tips and tricks

Author: Nemessis[at]RstZone.Org


1. Webmessenger China

- Eternal csrf

http://cn.webmessenger.yahoo.com – an application that looks pretty normal for Yahoo!, yet it's not really so. The Chinese version doesn't come anywhere close to the original one: http://webmessenger.yahoo.com.

What is the problem?

Use any username to log on to http://cn.webmessenger.yahoo.com.
Use another one for the regular Yahoo! messenger client. Make sure that the user you log with on the regular Yahoo! messenger IS actually in the friends list of the one you are logging in the webmessenger.
Set your status to online and put the following code as your status:
<img src="" onerror="alert(document.cookie)">

Surprise. The code executes in the browser that you are logged in with the other user.
Impact: Knowing that it is a CSRF, the perpetrator can steal your login session or input malevolent code without you knowing it.

2. My Chatroom trick

Did you know that you can make use of Yahoo! services to create your own messaging service?
Go to http://cn.messenger.yahoo.com/webmsgr/code.php.
After logging in you will be given an HTML code containing a link. What can you do with that link? Simple. Let's take this link for example:
http://cn.webmessenger.yahoo.com/index.php?t=1&to=eWlkPXJvb3QuZmxvb2Q-&sig=63761f8f753f4857bf8a275e46d7b3175cba5585

If you are logged in you can start a conversation with the user that created that link but, if you were not already logged in and tried to access that link, you would get a random nickname and can start a conversation without a problem. Try and see.


3. Webmessenger.yahoo.com

Browser DOS

I tried to apply the same vulnerability I found in the Chinese webmessenger, but the results came out different.
Though it accepts some statuses that contain HTML tags, the application that webmessenger.yahoo.com is based on does not support tags containing <img src="" bla bla bla>.
The outcome would be the same regardless of the browser you are using: a flash9.ocx error that results in shutting off your browser. Simply put, it is the best booter for the web version of the famous Yahoo! messenger.
Note: The Yahoo! Mail Beta messenger (that one inside of your mailbox) is not vulnerable.


4. Change password trick – interesting but useless

I will explain in short a hypothetical problem.
You know that in order to get to the password-changing page you need to first put in your password. Probably those who steal cookies know this very well.
In order to get to that page you only need to access this link: https://edit.yahoo.com/config/change_pw?.src=ym (after you logged yourself in to your account). As I was saying, it is interesting but useless as long as you don't know the password.


5. Trick – The messenger list (NOT the address book)

Log in to your account (access this link):
http://i.cn.yahoo.com/invites/picker.html?imp=yim
You will see your messenger list on that page. It is useful also in case you logged in using just a cookie.


6. Trick – link to avatar

To see the avatar of a user, use the following link:
http://img.msg.yahoo.com/avatar.php?yids=TYPETHEUSERNAMEHERE&format=png

To see the avatar created by a user on http://avatars.yahoo.com use this link:
http://lookup.avatars.yahoo.com/wimages?yid=TYPETHEUSERNAMEHERE&size=medium&type=jpg


7. Csrf – How to activate Mail Beta using an image tag.

Send to someone using Yahoo! mail Classic an html attachment containing:
<img src="http://mrd.mail.yahoo.com/landing">

After he sees your message, his mail will automatically switch to the Beta version.

Csrf – How to deactivate Mail Beta using an image tag.
Send someone using Yahoo! Mail Beta an HTML attachment containing:

<img src="http://us.f451.mail.yahoo.com/ym/login?ymv=0">

After he sees your message, his mail will automatically switch to the Classic version.

Attention: for Beta version it may be better to manually allow images as that version has the option to block images.



8. Useful links for cookie stealers:

How many times did it happen to you to enter someone's email without knowing he runs Beta, and you find yourself logged in to his messenger unwillingly?
How can you avoid being automatically logged in to messenger when you enter a Beta mail without necessarily having to switch to Mail Classic?
Because the victim can access the mail at any time and notice the change.
The solution is to switch to Classic mail just one time. The solution is very simple and it depends on a URL. When you put the cookie in the browser make sure NOT to log in directly to mail.yahoo.com. Use this link:

http://us.mg1.mail.yahoo.com/ym/login?ymv=0
This will access Mail Classic without permanently changing the original settings that the owner set. Pretty simple, right?

For your perusal, please check also: http://us.mg1.mail.yahoo.com/dc/system_requirements?browser=unsupported


9. Trick – How to login using a simple link

I don’t know what you could use it for but here you have 2 login links:

http://n16.login.scd.yahoo.com/config?login=USERNAME&passwd=PASSWORD
http://edit.india.yahoo.com/config/login?.patner=sbc&passwd=PASSWORD&login=USERNAME&.save=0


10. Yahoo! Wiki – phishing with Yahoo!

Did you know about Yahoo! Wiki? Probably not. Here’s what it was created for:
http://developer.yahoo.net/hackday-wiki/index.cgi?action=revisions&page_name=HomePage&revision_id=22


And here’s another use of it:
http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE

The URL spoof term is widely known. Yet, sometimes you don't even need that.
You can create a personal page on that wiki and introduce any content you like. The beauty of it is that you can customize the link used for phishing. For example:
http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE will be created the instant I access it. I will click "Edit" and put my own content. For example: "I'm a legit Yahoo service. Just send me your password at hacker@yahoo.com."
How many people nowadays would trust a phishing-type message hosted on a Yahoo! page? I believe a whole lot! This is one of the biggest flaws from one of the largest and most attacked companies in the world.

http://www.rstcenter.com - Romanian Security Team



Edited 1 time(s). Last edit at 01/06/2008 07:14AM by nemessis.

Re: Yahoo! Vulnerabilities - (CSRF and browser dos in webmessenger)
Posted by: riahmatic
Date: February 06, 2008 01:11AM

mm check out revision 107 of their wiki: http://developer.yahoo.net/hackday-wiki/index.cgi?action=revisions&page_name=HomePage&revision_id=107
brokenz
