
View Full Version : EEYE: Yahoo! Mail Account Filter Overflow Hijack



Drew Copley
22/04/04, 01:55
"Yahoo! Mail" Account Filter Overflow Hijack

Release Date:
April 19, 2004

Date Reported:
March 10, 2004

Severity:
High

Vendor:
Yahoo!

Description:
"Yahoo! Mail" is one of the Internet's most popular
web based email solutions. They provide free email and
large capacity storage, as well as subscription-based
services such as mail forwarding, expanded storage and
personalized email addresses.

eEye Digital Security has discovered a security hole in
"Yahoo! Mail" which allows a remote attacker to take over
an account remotely by sending a specially crafted email.

Technical Description:
-----------EXAMPLE EMAIL---------

SCRIPT
[->a bunch of chars here [spaces are most stealth], the whole
file size will be just about 100KB]
[this causes the filter to not work... the code is then run
automatically]


---------------------------------

The pseudo-diagram above explains the scenario rather well.
For whatever reason, Yahoo's email filter simply does not
work on files which exceed a certain range. This kind of
software issue is relatively common.

A remarkable note about this bug is that no one seems to
have found it before.

As far as anyone knows.



Drew's Happy-Happy Quote for the Day:

Ben Franklin, "Three can keep a secret if two are dead."

Protection:
Yahoo! Mail is a hosted, web based service, hence users
do not need to patch. Yahoo has already fixed this bug,
therefore all Yahoo accounts are now completely safe from
it.

Vendor Status:
Yahoo! has been notified and has rectified the issue.

Credit:
Drew Copley, eEye Digital Security (dcopley eeye.com), Research Engineer
thanks to "http-equiv" for additional research

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
To all of you out there that don't use turn signals.
Sooner or later your time is going to come. And a special
greeting to all of these competitors of ours making some extra
cash by selling pre-fix vulnerabilities through pay for play
"mailing lists". I am sure North Korea, the Yakuza, the
"Triads", the Russian Mafiya, La Cosa Nostra, and every
other criminal state or organization appreciates your type of
"Partial Full Disclosure for a Darn Good Price" motto.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this
alert electronically. It is not to be edited in any way without
express consent of eEye. If you wish to reprint the whole or
any part of this alert in any other medium excluding electronic
medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an
AS IS condition. There are no warranties, implied or express,
with regard to this information. In no event shall the author
be liable for any direct or indirect damages whatsoever arising
out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.
Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
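
The failure class the advisory describes (a content filter that stops working past a certain message size, so the body is shown unfiltered) is modelled below beside its fail-closed form. This is an added example, not part of the original post and not Yahoo's or eEye's code; the size limit, the regex-based toy filter and all function names are assumptions made for illustration.

```python
import html
import re

# Hypothetical size budget for the filter (assumption, not Yahoo's real limit).
MAX_FILTER_BYTES = 64 * 1024

# Toy stand-in for a real HTML sanitizer: drops <script> elements only.
_SCRIPT_RE = re.compile(r"<\s*script\b.*?(?:<\s*/\s*script\s*>|$)", re.I | re.S)


def strip_active_content(body: str) -> str:
    """Remove script elements from an HTML mail body."""
    return _SCRIPT_RE.sub("", body)


def render_fail_open(body: str) -> str:
    """Flawed pattern: a body over the budget skips the filter entirely."""
    if len(body.encode("utf-8")) > MAX_FILTER_BYTES:
        return body  # unfiltered markup reaches the reader's browser
    return strip_active_content(body)


def render_fail_closed(body: str) -> str:
    """Hardened pattern: what the filter cannot process is never shown as HTML."""
    if len(body.encode("utf-8")) > MAX_FILTER_BYTES:
        preview = html.escape(body[:2048])  # inert text preview only
        return "<pre>" + preview + "\n[message too large to display as HTML]</pre>"
    return strip_active_content(body)


# Constructed sample inputs: a harmless marker script, then the same script
# followed by about 100KB of spaces, matching the layout in the advisory.
SMALL_BODY = "<p>hello</p><script>marker()</script>"
LARGE_BODY = "<script>marker()</script>" + " " * 100_000

if __name__ == "__main__":
    for name, render in (("fail-open", render_fail_open),
                         ("fail-closed", render_fail_closed)):
        for label, body in (("small", SMALL_BODY), ("large", LARGE_BODY)):
            active = "<script" in render(body).lower()
            print(f"{name:11s} {label:5s} script survives: {active}")
```

The point for a reviewer is the oversize branch: any limit in a filter needs an explicit, safe outcome (reject, or display as escaped text), and a regression test with an input just over that limit.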