Advisories
"Yahoo! Mail" Account Filter Overflow Hijack
Release Date:
April 19, 2004
Date Reported:
March 10, 2004
Patch Development Time (In Days):
Severity:
High
Vendor:
Yahoo!
Overview:
"Yahoo! Mail" is one of the Internet's most popular web based email solutions. They provide free email and large capacity storage, as well as subscription-based services such as mail forwarding, expanded storage and personalized email addresses.
eEye Digital Security has discovered a security hole in "Yahoo! Mail" which allows a remote attacker to take over an account remotely by sending a specially crafted email.
Technical Details:
Technical Description:
-----------EXAMPLE EMAIL---------
start script
//run whatever code here, say, spoof the Yahoo security login
//window and send the user's cookie silently to a remote address
//for good measure...
//while we are at it, let's email everyone in their address
//book a trojan from them...
//and the user won't know a thing
...
end script
[->a bunch of chars here [spaces are most stealth], the whole
file size will be just about 100KB]
[this causes the filter to not work... the code is then run
automatically]
---------------------------------
The pseudo-diagram above explains the scenario rather well. For whatever reason Yahoo's email filter simply does not work on files which exceed a certain range. This kind of software issue is relatively common.
A remarkable note about this bug is that no one seems to have found it before.
As far as anyone knows.
Drew's Happy-Happy Quote for the Day:
Ben Franklin, "Three can keep a secret if two are dead."
Protection:
Yahoo! Mail is a hosted, web based service, hence users do not need to patch.
Vendor Status:
Yahoo! has been notified and has rectified the issue.
Credit:
Drew Copley, eEye Digital Security, Research Engineer
thanks to "http-equiv" for additional research
Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html
Greetings:
To all of you out there that don't use turn signals.
Sooner or later your time is going to come. And a special greeting to all of these competitors of ours making some extra cash by selling pre-fix vulnerabilities through pay for play "mailing lists". I am sure North Korea, the Yakuza, the "Triads", the Russian Mafiya, La Costa Nostra, and every other criminal state or organization appreciates your type of "Partial Full Disclosure for a Darn Good Price" motto.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
April 19, 2004
Date Reported:
March 10, 2004
Patch Development Time (In Days):
 |
|
|
|
| 40 |
Severity:
High
Vendor:
Yahoo!
Overview:
"Yahoo! Mail" is one of the Internet's most popular web based email solutions. They provide free email and large capacity storage, as well as subscription-based services such as mail forwarding, expanded storage and personalized email addresses.
eEye Digital Security has discovered a security hole in "Yahoo! Mail" which allows a remote attacker to take over an account remotely by sending a specially crafted email.
Technical Details:
Technical Description:
-----------EXAMPLE EMAIL---------
start script
//run whatever code here, say, spoof the Yahoo security login
//window and send the user's cookie silently to a remote address
//for good measure...
//while we are at it, let's email everyone in their address
//book a trojan from them...
//and the user won't know a thing
...
end script
[->a bunch of chars here [spaces are most stealth], the whole
file size will be just about 100KB]
[this causes the filter to not work... the code is then run
automatically]
---------------------------------
The pseudo-diagram above explains the scenario rather well. For whatever reason Yahoo's email filter simply does not work on files which exceed a certain range. This kind of software issue is relatively common.
A remarkable note about this bug is that no one seems to have found it before.
As far as anyone knows.
Drew's Happy-Happy Quote for the Day:
Ben Franklin, "Three can keep a secret if two are dead."
Protection:
Yahoo! Mail is a hosted, web based service, hence users do not need to patch.
Vendor Status:
Yahoo! has been notified and has rectified the issue.
Credit:
Drew Copley, eEye Digital Security, Research Engineer
thanks to "http-equiv" for additional research
Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html
Greetings:
To all of you out there that don't use turn signals.
Sooner or later your time is going to come. And a special greeting to all of these competitors of ours making some extra cash by selling pre-fix vulnerabilities through pay for play "mailing lists". I am sure North Korea, the Yakuza, the "Triads", the Russian Mafiya, La Costa Nostra, and every other criminal state or organization appreciates your type of "Partial Full Disclosure for a Darn Good Price" motto.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
