Topic: *Critical* Yahoo! Messenger JAPAN & Pidgin Client & Server Vulnerabilities!

Posted by Adam X (Developer, Administrator)

Now that Yahoo! chat rooms are disposed of for us non-Japanese users, there have been attempts to bring the rooms back by using Yahoo! Japan's own version of Yahoo! Messenger. This was my first thought when Yahoo! Inc. rid us of what we once had available to meet new people and interact in rooms. The Y! Japan servers and Messenger client are CRITICALLY VULNERABLE, not just to YMSG-based Denial of Service attacks but to attacks that can compromise your accounts, including your e-mail, address books, and the Messenger login and chat service themselves. Yahoo! Japan is a division of the US-based Yahoo! Inc., but it is much smaller and primarily owned by Softbank, its largest shareholder (next to Yahoo! Inc. of the US). The primary investor is still Softbank, and, while it is a separate division entirely, its country-specific version of Yahoo! Messenger and its chat network are all based on their American counterparts. This shouldn't be surprising to some. Yahoo!'s Japanese Messenger and chat communications have always been years behind the US version's research and development, and because of this they have the exact same security holes in the client software and YMSG chat server software as we still have and once had.

The "once had" part is why I'm posting this announcement in the first place. Since the Yahoo! Japanese corporation is years behind the US development of the Messenger client and chat servers, and they happen to share the same codebase for everything, they are also vulnerable to past exploitation attack vectors such as YMSG-based Denial of Service/DoS attacks (server-side and client-side) and, more importantly, account compromise attacks. This means that IF you are running Yahoo! Messenger for Japan or a 3rd party chat client to connect to and use their chat servers, then you are vulnerable to YEARS' WORTH OF EXPLOITATION that formerly existed inside the US division's Yahoo! Chat network and Messenger client.

A couple of days ago I reported to Y! Japan's security department and their Tier-3 engineers that critical security holes exist in both their client and chat servers. I'm in the process of working with some engineers to resolve some issues, one of which I discovered back in the summer of 2010. This one particular critical vulnerability alone was introduced as far back as Yahoo! Messenger 6.0 (YMSGv12 protocol) for us US users, and was patched after the details were released to the US engineers in private while Yahoo! Messenger version 11.0 was the current version (yes, it existed that long and nobody even knew). Again, they are separate divisions, and having little to no communication between the two divisions is what has allowed this exploitation to be possible once again. With the US division of Yahoo! there are (and were) many, MANY more users' accounts at stake. While Yahoo! Japan may seem small, it still serves an entire country, and more and more non-Japanese users are using its chat rooms these days since our [US] geographical chat-room servers were taken away. There are 2 known ways to steal a user account's cookies from Y! Japan Messenger (the newest build and ALL older versions and builds are affected) and I'm in the process of getting them patched; both use the same method I discovered while pen-testing YM back in 2010.

Turning off communication from non-buddies is the only way to attempt to *prevent* this attack from being exploited; however, even this isn't invulnerable unless you have no friends at all on your buddy list (contact list). Even then, past exploits could be used to add the attacker's exploit bot to your list, and from there you'll once again be vulnerable. It's a lose-lose situation for anybody using Yahoo!'s Japanese Messenger at the moment. If you care about your security and privacy then DO NOT use Yahoo! Messenger for Japan until these vulnerabilities are properly patched! I will personally verify that proper patches are in place, as always, and then release the full details of the exploit (possibly to the Full Disclosure mailing list). I actually more or less did this a year ago (released the details) on a certain Yahoo! chat-related forum, but it has since been swept away and only a select few individuals know how to perform this attack. Most people only know partial details from rumors they heard back when it was unpatched on the US Yahoo! Chat servers. Or they only know the one way to do it, but that's all it takes.

Exploitation Allows for the Following:

- Stealing your main ID, which could be directly linked to your e-mail address at Yahoo! if you have one set up (and most users do)

- Stealing 4 account cookies, 3 of which are extremely important in the realm of Yahoo!'s portal sites and services (chat, e-mail, calendar, address book, blogs etc)

- Stealing IP addresses and even bypassing specific proxies (such as HTTP, HTTPS and more), because virtually any TCP port can be used to connect out to the rogue remote location

- Allows downloading of ANYTHING (any file, regardless of size, type, or content) to your hard disk, where malformed PNG images may be exploitable on the remote machine as well. This downloaded content is placed in the "C:\Program Files (x86)\Yahoo!\Messenger\Cache\Icon" directory by default and written to an extensionless raw flat file (adding an extension afterwards allows the file to be run as-is)

- Pidgin and potentially other libpurple-based clients are also affected! Pidgin will attempt to write a file to "C:\Users\<username>\AppData\Roaming\.purple\icons" with a .png file extension regardless of size or file content type. Linux, Unix and BSD users are not safe from this exploit either, as their IP addresses can be stolen at the very least. My tests have shown that Pidgin is only vulnerable to your IP being stolen stealthily and to targeted YMSG-specific DoS attacks that can crash the client; however, it may be possible to steal the account cookies in older versions of Pidgin and/or other libpurple-dependent clients

- Exploitation is completely STEALTHY, behind the scenes, and can steal thousands of accounts in minutes if cleverly designed to do so (up to 1,000 buddies are allowed on each contact list + chat rooms with no captcha codes in Y! Japan to get in the way = a massive number of available users to exploit). If all chat rooms are hit and each buddy on the victims' friends lists is hit, then this can and will amount to a lot of compromised accounts quickly. You can't fully stop this vulnerability from being exploited within the client itself, and an attacker can harvest thousands of accounts very easily. Even with blocking non-friends as a solution, if a buddy is affected and compromised then they're already trusted because they're on your friends list to begin with. As a result you can easily be compromised too (as our former Proof-of-Concepts in private testing have shown)

- Server-side message archive retrieval? Only if they were doing what their American counterpart is doing today. Luckily for the Yahoo! Japanese chat servers and Messenger users, they are NOT doing this [yet] (again, they are years behind, but in this case it's a GOOD thing!)

- Denial-of-Service against the target user is possible by forcing a flood of HTTP GET requests to be sent out to download extremely large files, even in parallel (gigabytes per file). However, attacks aimed directly at the IP address (D/DoS and penetration attempts) are much more probable and severe

- Using Yahoo! Japan's HTTP proxy option in its settings, which looks to IE's network settings, does not fix this issue, but it does have one positive effect. It changes the YMSG protocol schema to YMSG/HTTP and prevents the 'ymsgr' cookie from being sent. Unfortunately, this does not help much, since the 3 other cookies are still sent, including the main 2 that are all that is needed for e-mail and Messenger logins: the 'Y' & 'T' cookies by name

- Both Pidgin and Yahoo! Messenger for Japan allow alternate ports for HTTP (HTTPS too, in the case of Messenger), which makes full exploitation more successful and detection harder if capturing packets during the session. Pidgin eats up as much as 1 MB of memory per second if forced to download a very large file (1 GB and more were tested)

*Trillian was formerly affected too, as were other, less popular 3rd party Yahoo! chat clients. However, at the moment, Trillian isn't affected because it only connects to the standard US-based Yahoo! chat servers and doesn't yet support Yahoo!'s Japanese servers (or accounts for Y! Japan). If Cerulean Studios adds support for Yahoo! Japan servers before this vulnerability is patched (very unlikely) then they'll once again be affected, since the last patch was only server-side. Given the critical nature of this hole it's extremely improbable that Cerulean will have a new build of Trillian out with Y! Japanese chat server support before this is properly patched*
« Last Edit: January 28, 2013, 01:21:46 am by Adam X »
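As an added example, not part of the original post and not code from Yahoo! or from Pidgin: two checks a defender could run while waiting for a patch, built only on what the post states (the 'Y', 'T' and 'ymsgr' cookies go out in an ordinary HTTP GET to an attacker-chosen host and TCP port, and whatever comes back is written extensionless into the icon cache). The egress-proxy log format, the allow-list of Yahoo! domains, the hostnames, the cookie values and the cache file contents below are all constructed or assumed for the example; the post gives no packet-level detail of the YMSG exchange, so none is modelled here.

```python
"""Two checks for the leak pattern described in the post, on constructed data.

Added example, not code from the post, from Yahoo! or from Pidgin. It assumes
the leak looks the way the post describes it: an ordinary HTTP GET for a buddy
icon, carrying the 'Y', 'T' and 'ymsgr' cookies, sent to an attacker-chosen
host and TCP port, with the response body written to the icon cache as an
extensionless file. The proxy log format, hostnames and file contents below
are constructed for the example.
"""
import re

# Cookie names the post says are sent with the icon request.
SESSION_COOKIES = {"Y", "T", "ymsgr"}

# Hosts where those cookies are legitimately expected. Assumption: a real
# allow-list should be built from observed traffic of a known-good client.
ALLOWED_SUFFIXES = (".yahoo.co.jp", ".yahoo.com", ".yimg.jp", ".yimg.com")

# Constructed egress-proxy log format (assumption, not a real product's format):
#   <client> <METHOD> <host>:<port> <path> [cookie=<Cookie header>]
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<path>\S+)(?: cookie=(?P<cookie>.*))?$"
)

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def host_allowed(host):
    """True if host is (a subdomain of) one of the expected Yahoo! domains."""
    host = host.lower().rstrip(".")
    return any(host == suffix[1:] or host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def parse_cookie_header(header):
    """Split a Cookie header into {name: value}; tolerant of '=' inside values."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def classify(line):
    """Return a finding dict for one log line, or None if it is not a request."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    host, port = m["host"], int(m["port"])
    leaked = sorted(SESSION_COOKIES & set(parse_cookie_header(m["cookie"])))
    reasons = []
    if leaked and not host_allowed(host):
        reasons.append("session cookies %s sent to non-Yahoo host" % ",".join(leaked))
    if not host_allowed(host) and port not in (80, 443):
        # The post notes the icon URL may point at any TCP port, which is
        # what lets the request slip past port-based proxy rules.
        reasons.append("HTTP to non-standard port %d" % port)
    return {"client": m["client"], "host": host, "port": port,
            "leaked": leaked, "reasons": reasons}


def scan(lines):
    """All findings with at least one reason."""
    findings = (classify(line) for line in lines)
    return [f for f in findings if f and f["reasons"]]


def suspicious_cache_entries(entries):
    """entries: {filename: leading bytes}. Names whose content is not a PNG.

    The post says the icon cache receives whatever the server returned, written
    as an extensionless file, so anything without the PNG magic is suspect.
    """
    return sorted(name for name, head in entries.items() if head[:8] != PNG_MAGIC)


# Constructed sample data (not real traffic or real cache contents).
SAMPLE_LOG = [
    "10.0.0.5 GET img.yahoo.co.jp:80 /icons/abc.png cookie=Y=v%3D1; T=z%3D1; ymsgr=1",
    "10.0.0.5 GET 198.51.100.23:8081 /icon cookie=Y=v%3D1; T=z%3D1; ymsgr=1",
    "10.0.0.5 GET 198.51.100.23:80 /icon cookie=B=notasession",
    "10.0.0.5 GET example.net:80 /logo.png",
]
SAMPLE_CACHE = {
    "3f2a9c": PNG_MAGIC + b"\x00\x00\x00\rIHDR",   # a real icon
    "7b1e04": b"MZ\x90\x00\x03\x00\x00\x00",         # a PE header, not an image
}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(client)s -> %(host)s:%(port)d: %(reasons)s" % f)
    print("non-PNG cache files:", suspicious_cache_entries(SAMPLE_CACHE))
```

Run as-is and only the second constructed line is reported (session cookies to a non-Yahoo host, on port 8081), together with the one cache entry that is not a PNG. In practice you would feed scan() lines from your own egress proxy and suspicious_cache_entries() the first 8 bytes of every file under the Cache\Icon directory (or .purple\icons for Pidgin); note that the proxy check only sees HTTP, so it does not cover the HTTPS-on-alternate-port case the post mentions for Messenger.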
