Vulnerabilities > CVE-2007-1680 - Unspecified vulnerability in Yahoo Messenger

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

yahoo

nessus

NVD

Published: 2007-04-06

Updated: 2024-11-21

Summary

Stack-based buffer overflow in the createAndJoinConference function in the AudioConf ActiveX control (yacscom.dll) in Yahoo! Messenger before 20070313 allows remote attackers to execute arbitrary code via long (1) socksHostname and (2) hostname properties.

Vulnerable Configurations

Part	Description	Count
Application	Yahoo Yahoo Messenger 8.1.0.239 Yahoo Messenger 8.0 Yahoo Messenger 8.0_2005.1.1.4 Yahoo Messenger 8.1.0.209 Yahoo Messenger 8.0.0.863	5

Nessus

NASL family	Windows
NASL id	YAHOO_MSGR_AUDIOCONF_ACTIVEX_BUFFER_OVERFLOW.NASL
description	The remote host contains a version of the
last seen	2020-06-01
modified	2020-06-02
plugin id	24913
published	2007-04-04
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24913
title	Yahoo! Messenger AudioConf ActiveX Control (yacscom.dll) Multiple Property Overflow
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(24913); script_version("1.18"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2007-1680"); script_bugtraq_id(23291); script_name(english:"Yahoo! Messenger AudioConf ActiveX Control (yacscom.dll) Multiple Property Overflow"); script_summary(english:"Checks version of AudioConf ActiveX control"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an ActiveX control that is affected by a buffer vulnerability."); script_set_attribute(attribute:"description", value: "The remote host contains a version of the 'AudioConf' ActiveX control included with Yahoo! Messenger. The version of this ActiveX control on the remote host has a buffer overflow triggered by calling the control's 'createAndJoinConference' method with large values for the 'socksHostname' and 'hostname' properties. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to execute arbitrary code on the host subject to the user's privileges."); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-012/"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/464607/30/0/threaded"); # http://web.archive.org/web/20120925023439/http://messenger.yahoo.com/security/view/20070312/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?96afd17a"); script_set_attribute(attribute:"solution", value: "Update to the latest version of Yahoo! Messenger and ensure that the version of the control is at least 1.0.0.48 or higher."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:yahoo:messenger"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("audit.inc"); # Connect to the appropriate share. if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); name = kb_smb_name(); port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); exit(0); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); exit(0); } # Check whether it's installed. file = NULL; clsid = '{2B323CD9-50E3-11D3-9466-00A0C9700498}'; key = "SOFTWARE\Classes\CLSID\" + clsid + "\InprocServer32"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:NULL); if (!isnull(value)) file = value[1]; RegCloseKey(handle:key_h); } RegCloseKey(handle:hklm); if (isnull(file)) { NetUseDel(); exit(0); } # Determine the version from the control itself. share = ereg_replace(pattern:"^([A-Za-z]):.", replace:"\1$", string:file); dll = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1", string:file); NetUseDel(close:FALSE); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); exit(0); } fh = CreateFile( file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); ver = NULL; if (!isnull(fh)) { ver = GetFileVersion(handle:fh); CloseFile(handle:fh); } # Check the version number. if (!isnull(ver)) { fix = split("1.0.0.48", sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(ver); i++) if ((ver[i] < fix[i])) { version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]); report = string( "Version ", version, " of the control is installed as \n", "\n", " ", file, "\n" ); security_hole(port:port, extra: report); break; } else if (ver[i] > fix[i]) break; } # Clean up. NetUseDel();

Saint

bid	23291
description	Yahoo Messenger AudioConf ActiveX control buffer overflow
id	misc_yahoomsgrver
osvdb	34319
title	yahoo_messenger_audioconf
type	client

Summary

Vulnerable Configurations

Nessus

Saint

References