[ISN] EEYE: Yahoo! Mail Account Filter Overflow Hijack

Drew Copley dcopley at eeye.com
Wed Apr 21 14:11:17 EDT 2004 

"Yahoo! Mail" Account Filter Overflow Hijack

Release Date:
April 19, 2004

Date Reported:
March 10, 2004

Severity:
High

Vendor:
Yahoo!

Description:
"Yahoo! Mail" is one of the Internet's most popular 
web based email solutions. They provide free email and 
large capacity storage, as well as subscription-based 
services such as mail forwarding, expanded storage and 
personalized email addresses. 

eEye Digital Security has discovered a security hole in 
"Yahoo! Mail" which allows a remote attacker to take over 
an account remotely by sending a specially crafted email.

Technical Description:
-----------EXAMPLE EMAIL---------

SCRIPT
[->a bunch of chars here [spaces are most stealth], the whole 
file size will be just about 100KB]
[this causes the filter to not work... the code is then run 
automatically]


---------------------------------

The pseudo-diagram above explains the scenario rather well. 
For whatever reason, Yahoo's email filter simply does not 
work on files which exceed a certain range. This kind of 
software issue is relatively common. 

A remarkable note about this bug is that no one seems to 
have found it before. 

As far as anyone knows.



Drew's Happy-Happy Quote for the Day:

Ben Franklin, "Three can keep a secret if two are dead."

Protection:
Yahoo! Mail is a hosted, web based service, hence users 
do not need to patch. Yahoo has already fixed this bug, 
therefore all Yahoo accounts are now completely safe from
it.

Vendor Status:
Yahoo! has been notified and has rectified the issue.

Credit:
Drew Copley, eEye Digital Security (dcopley eeye.com), Research Engineer
thanks to "http-equiv" for additional research

Related Links:
Retina Network Security Scanner - Free 15 Day Trial 
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
To all of you out there that don't use turn signals. 
Sooner or later your time is going to come. And a special 
greeting to all of these competitors of ours making some extra 
cash by selling pre-fix vulnerabilities through pay for play 
"mailing lists". I am sure North Korea, the Yakuza, the 
"Triads", the Russian Mafiya, La Costa Nostra, and every 
other criminal state or organization appreciates your type of 
"Partial Full Disclosure for a Darn Good Price" motto.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this 
alert electronically. It is not to be edited in any way without 
express consent of eEye. If you wish to reprint the whole or 
any part of this alert in any other medium excluding electronic 
medium, please email alert at eEye.com for permission.

Disclaimer
The information within this paper may change without notice. 
Use of this information constitutes acceptance for use in an 
AS IS condition. There are no warranties, implied or express, 
with regard to this information. In no event shall the author 
be liable for any direct or indirect damages whatsoever arising 
out of or in connection with the use or spread of this information. 
Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info at eEye.com

More information about the ISN mailing list