CVE-2012-0268 - Numeric Errors vulnerability in Yahoo Messenger

CVSS: 5.1 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, high complexity, yahoo, CWE-189, nessus

Summary

Integer overflow in the CYImage::LoadJPG method in YImage.dll in Yahoo! Messenger before 11.5.0.155, when photo sharing is enabled, might allow remote attackers to execute arbitrary code via a crafted JPG image that triggers a heap-based buffer overflow.

Vulnerable Configurations

Part         Description  Count
Application  Yahoo        84

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: YAHOO_MSGR_11_5_0_155.NASL
description: The version of Yahoo! Messenger installed on the remote host is earlier than 11.5.0.155 and is reportedly affected by an integer overflow. The error exists in the method
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 58000
published: 2012-02-17
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58000
title: Yahoo! Messenger < 11.5.0.155 CYImage::LoadJPG Method JPG File Handling Remote Integer Overflow
code:
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58000);
  script_version("1.4");
  script_cvs_date("Date: 2018/08/07 16:46:51");

  script_cve_id("CVE-2012-0268");
  script_bugtraq_id(51405);
  script_xref(name:"Secunia", value:"47041");

  script_name(english:"Yahoo! Messenger < 11.5.0.155 CYImage::LoadJPG Method JPG File Handling Remote Integer Overflow");
  script_summary(english:"Checks version of Yahoo! Messenger");

  script_set_attribute(attribute:"synopsis", value:
"The instant messaging application on the remote Windows host is
affected by an integer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Yahoo! Messenger installed on the remote host is
earlier than 11.5.0.155 and is reportedly affected by an integer
overflow.  The error exists in the method 'CYImage::LoadJPG' in the
file 'YImage.dll'. 

A remote attacker could execute arbitrary code by tricking a user into
accepting a crafted JPG image that triggers the overflow. 

Note that the photo sharing functionality is not enabled by
default.");
  script_set_attribute(attribute:"solution", value:"Upgrade to Yahoo! Messenger version 11.5.0.155 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:yahoo:messenger");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("yahoo_installed.nasl");
  script_require_keys("SMB/Yahoo/Messenger/Version");

  exit(0);
}

include("global_settings.inc");
include('misc_func.inc');

port = get_kb_item("SMB/transport");

version = get_kb_item_or_exit('SMB/Yahoo/Messenger/Version');
install_path = get_kb_item_or_exit('SMB/Yahoo/Messenger/Path');

fixed_ver = '11.5.0.155';

# Ver compare
if (ver_compare(ver:version, fix:fixed_ver) == -1)
{
  if(report_verbosity > 0)
  {
    report = 
      '\n  Path              : ' + install_path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_ver +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else exit(0, "The Yahoo Messenger "+version+" install in "+install_path+" is not affected.");

Seebug

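bulletinFamily: exploit
description: BUGTRAQ ID: 51405 CVE ID: CVE-2012-0268 Yahoo! Messenger is a popular instant messaging application. Yahoo! Messenger contains a security vulnerability in its implementation that malicious users can exploit to take control of a user's system. The vulnerability stems from an integer overflow in the "CYImage::LoadJPG()" method (YImage.dll) when allocating memory using image dimension values; a specially crafted JPG file can cause a heap buffer overflow. Yahoo! Messenger 11.x Vendor patch: Yahoo! ------ The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://messenger.yahoo.com/
id: SSV:30023
last seen: 2017-11-19
modified: 2012-01-17
published: 2012-01-17
reporter: Root
title: Yahoo Messenger ".jpg" file handling buffer overflow vulnerability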