• 
• 
• 
• 
• 
• 

Research Archives > Security Advisories > AD20070608

Yahoo! Webcam ActiveX Controls Multiple Buffer Overflows

Release Date:
6/8/2007 12:00:00 AM

Date Reported:
6/5/2007 12:00:00 AM

Severity:
High

Vendor:
Yahoo!, Inc.

Affected Software:
Yahoo Messenger 8 for Windows

Overview:
eEye Digital Security has discovered two critical vulnerabilities in ywcupl.dll (version 2.0.1.4) and ywcvwr.dll (version 2.0.1.4) included by default in all releases of Yahoo! Messenger 8.x. Ywcupl.dll is Yahoo's Webcam Upload ActiveX Control used by Yahoo! Messenger to stream content from a user's webcam to other users. Ywcvwr.dll is Yahoo! Messenger's Webcam Viewer ActiveX Control used to view any streamed content. These files are normally used only when viewing or streaming webcam content to and from Yahoo Messenger, but they are incorrectly marked safe for scripting and can be instantiated by any website. Furthermore they both fail to perform bounds checking on variables resulting in 2 stack-based buffer overflow conditions that could allow arbitrary code to execute in the context of the logged-in user.

Technical Details:
The code for both vulnerabilities is similar, in which they both call mbscpy on the vulnerable string after allocating only 1023 bytes of space.

03ada506	or	dword ptr [ebp-4],0FFFFFFFFh
03ada50a 	cmp	eax,ebx
03ada50c 	mov	dword ptr [esi+210h],eax  
03ada512 	je	ywcupl+0xa5f4 
03ada518	lea 	ecx,[esi+174h]
						; Loads the payload into ECX
03ada51e 	call	dword ptr [ywcupl!DllUnregisterServer+0x4b44
7c3a44b3 	cmp	dword ptr [ecx+18h],10h
7c3a44b7 	jb	MSVCP71!std::basic_string 

At this point either of the vulnerable ActiveX controls call mbscpy without bounds checking the 'server' string variable. If this variable is excessively large it causes a page boundary access violation upon reaching the bottom of the stack.

After hitting a page boundary the exception handler gets called and attempts to clean up the access violation. Since the stack has been overflowed with a payload, the exception handler loads the payload and calls it in the following code:

7c9037ae 	push 	dword ptr [ebp+14h]
7c9037b1 	push  	dword ptr [ebp+10h]
7c9037b4 	push  	dword ptr [ebp+0Ch]
7c9037b7 	push  	dword ptr [ebp+8]
7c9037ba	mov   	ecx,dword ptr [ebp+18h]
						; ECX loads payload
7c9037bd 	call  	ecx
						; Calls payload

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability.

Vendor Status:
Yahoo! has released a patch for this vulnerability which is available at: http://messenger.yahoo.com/security_update.php?id=060707

Credit:
Greg Linares

Greetings:
Terrell Karlsten, Dre, the Super Soeder Bros, Matt, Laurentiu, Richard D. James, Pikey, Cash, Expanders, Str0ke, William Kurnik, Big Perm, Dooritto, CSam, Shadow Penguin, and Reverse. Best of luck to where ever the winds may take you.

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.