ADVISORY INFORMATION

  • Product: Yahoo! Messenger
  • Vendor URL: https://www.yahoo.com
  • Type: Stack-based Buffer Overflow [CWE-121]
  • Date found: 2014-05-02
  • Date published: 2015-09-03
  • CVSSv3 Score: 4.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
  • CVE: CVE-2014-7216

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

  • Yahoo! Messenger v11.5.0.228 (latest)
  • Yahoo! Messenger v10.0.0.2009

Older versions may be affected too.

INTRODUCTION

Yahoo Messenger is the premier instant messaging (IM) platform, used on a wide variety of desktop and mobile clients. Millions of users throughout the world depend on Yahoo Instant Messenger to manage their social contacts, group lists, and presence information; hold real-time instant communications; and perform data transfer to and from contacts throughout the world. All instantly.

(from the vendor’s homepage)

VULNERABILITY DETAILS

Multiple buffer overflow vulnerabilities have been identified in Yahoo! Messenger v11.5.0.228 and prior.

When a user logs in, the application loads the content of the file emoticons.xml from two directories, %PROGRAMFILES(x86)%\Yahoo!\Messenger\Cache and %PROGRAMFILES(x86)%\Yahoo!\Messenger\Media\Smileys, to determine the available emoticons and the shortcuts associated with them, which can then be used in the chat window. However, the application does not validate the length of the "shortcut" and "title" key values before passing them as the source argument to several lstrcpyW calls that copy them into fixed-size buffers on the stack.

This leads to a stack-based buffer overflow condition, resulting in possible code execution. To exploit the vulnerability, an attacker needs to trick the victim into copying an arbitrary emoticons package to the application directory. Successful exploitation allows attackers to execute arbitrary code with the privileges of the user running the application; failed exploitation attempts result in a denial-of-service condition.

PROOF-OF-CONCEPT (VULNERABLE CODE PARTS)

YahooMessenger.exe:

title value:

0051D2C1  PUSH DWORD PTR DS:[EAX]                    ; /String2
0051D2C3  LEA EAX,DWORD PTR SS:[EBP]                 ; |
0051D2C6  PUSH EAX                                   ; |String1
0051D2C7  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>]   ; \lstrcpyW

shortcut value:

0051D326  PUSH DWORD PTR DS:[ESI+4]                  ; /String2
0051D329  LEA EAX,DWORD PTR SS:[EBP]                 ; |
0051D32C  PUSH EAX                                   ; |String1
0051D32D  CALL DWORD PTR DS:[<&KERNEL32.lstrcpyW>]   ; \lstrcpyW
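The copy pattern behind both lstrcpyW call sites, as an added C example that is not part of the original advisory or of Yahoo!'s code: the unchecked loader mirrors the bug (a NUL-terminated copy into a fixed stack buffer, with wcscpy standing in for the Windows lstrcpyW so it builds on any platform), and the checked loader adds the length validation the advisory says is missing. The buffer sizes TITLE_MAX and SHORTCUT_MAX, the struct layout, the function names and the sample values are assumptions for illustration; the advisory does not state the real buffer sizes or the layout of emoticons.xml.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed sizes: the advisory does not give the real stack buffer sizes in
 * YahooMessenger.exe; 32 wide characters is a stand-in for illustration. */
#define TITLE_MAX    32
#define SHORTCUT_MAX 32

/* Assumed layout of the two stack buffers that receive the key values. */
struct emoticon {
    wchar_t title[TITLE_MAX];
    wchar_t shortcut[SHORTCUT_MAX];
};

/* Vulnerable pattern, mirroring the lstrcpyW calls at 0051D2C7 and 0051D32D.
 * lstrcpyW copies up to the terminating NUL with no knowledge of the size of
 * String1, so an over-long "title" or "shortcut" value from emoticons.xml runs
 * past the end of the stack buffer (CWE-121). wcscpy is the portable
 * equivalent. Never call this with untrusted input; it only shows the bug shape. */
static void load_emoticon_unchecked(struct emoticon *e,
                                    const wchar_t *title,
                                    const wchar_t *shortcut)
{
    wcscpy(e->title, title);       /* no bound check */
    wcscpy(e->shortcut, shortcut); /* no bound check */
}

/* Bounded copy: rejects a value that does not fit together with its
 * terminator and never leaves the destination unterminated.
 * Returns false when the value was rejected. */
static bool copy_bounded(wchar_t *dst, size_t dst_len, const wchar_t *src)
{
    size_t n = wcslen(src);
    if (n >= dst_len) {
        dst[0] = L'\0';            /* leave a well-formed empty string */
        return false;
    }
    wmemcpy(dst, src, n + 1);      /* n wide characters plus the NUL */
    return true;
}

/* Hardened loader: validates the length of each key value before copying,
 * which is exactly the check the advisory says the application lacks. */
static bool load_emoticon_checked(struct emoticon *e,
                                  const wchar_t *title,
                                  const wchar_t *shortcut)
{
    if (!copy_bounded(e->title, TITLE_MAX, title))
        return false;
    if (!copy_bounded(e->shortcut, SHORTCUT_MAX, shortcut))
        return false;
    return true;
}

/* Helper for experiments: does a "title" value of `len` wide characters
 * pass the hardened loader? Values longer than the scratch buffer are
 * reported as rejected without being built. */
static bool title_of_length_fits(size_t len)
{
    struct emoticon e;
    wchar_t buf[512];
    if (len >= sizeof buf / sizeof buf[0])
        return false;
    wmemset(buf, L'A', len);
    buf[len] = L'\0';
    return load_emoticon_checked(&e, buf, L":)");
}

int main(void)
{
    struct emoticon e;
    /* Constructed sample values standing in for entries parsed from emoticons.xml. */
    const wchar_t *ok_title = L"smile";
    const wchar_t *ok_shortcut = L":)";

    load_emoticon_unchecked(&e, ok_title, ok_shortcut); /* fits, so harmless here */
    printf("unchecked, short values: %ls %ls\n", e.title, e.shortcut);

    printf("checked, %zu-char title: %s\n", (size_t)5,
           title_of_length_fits(5) ? "accepted" : "rejected");
    printf("checked, %zu-char title: %s\n", (size_t)199,
           title_of_length_fits(199) ? "accepted" : "rejected");
    /* load_emoticon_unchecked() with a 199-character title would smash the stack. */
    return 0;
}
```

The property that matters in copy_bounded is that the source length is compared against the destination capacity, terminator included, before anything is written, so a value of exactly TITLE_MAX wide characters is rejected rather than silently truncated or overflowed. Truncating instead (wcsncpy without the check) would hide a malformed emoticons package instead of refusing it.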

SOLUTION

None. Won’t be fixed.

REPORT TIMELINE

  • 2014-05-02: Discovery of the vulnerability
  • 2014-05-03: Reported via Yahoo! Bug Bounty program (hackerone.com)
  • 2014-07-19: Vendor forwards the issue to the dev team
  • 2014-08-31: Request for status update due to Yahoo’s 120-day policy
  • 2014-09-10: Vendor is still evaluating the issue
  • 2014-09-20: Vendor closes the issue as “Won’t fix” due to EOL
  • 2014-10-01: MITRE assigns CVE-2014-7216
  • 2014-10-05: Request to disclose the bug publicly
  • 2015-08-14: Vendor approves the disclosure
  • 2015-09-03: Advisory released

REFERENCES