Remote Denial of Service Vulnerability Disclosure



Title: Yahoo! Chat Disconnect - Remote DoS Attack

Discovered By: Torseq Tech.

Date: Saturday, June 21, 2008
Services Affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: Server-Side patch implemented on 24-June-2008
Description: A vulnerability exists in Yahoo!'s chat server architecture that allows chatters to be remotely disconnected via the Yahoo! Mobile login service.

Details:

A vulnerability exists in Yahoo!'s chat server architecture that allows chatters to be remotely disconnected via the Yahoo! Mobile login service. Exploiting it requires only a web browser and a text editor.

Open a text editor and type out exactly 15,334 characters (copy and paste, keeping track of the count). Then browse to http://mm.yahoo.com and log in with a 'bot' (the attacking ID, which can be any Yahoo! name). Click the link labeled "Add Friend" or "Send Message". In the Yahoo! ID: field specify the victim/target, and paste all 15,334 characters into the Message: field. Send this payload and the target you specified will be disconnected instantly.

Exploitation through "Add Friend" is especially annoying, as it not only disconnects the target but also keeps them signed out until the vulnerability is fixed. This happens because Yahoo! has a bug where the chat server continues to send Add Buddy requests repeatedly, even after they have been approved or denied. As a result, an account hit by this exploit is disconnected immediately every time it signs in. This is the nastier of the two exploits (the other being a mobile private message).

Impact:

Locked-out Yahoo! Messenger accounts and severe interruption of chat service.

Fix (temporary solution):

If locked out: go to Yahoo! Mobile at http://mm.yahoo.com and sign in with the affected ID. From there, open the notifications link (where pending add friend requests are waiting) and "Deny" the add friend request. Then sign back into Yahoo! Messenger with the ID and see whether you can get back in. If you can't, you'll have to wait until this vulnerability is patched by Yahoo! Inc.
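
The two server-side conditions described under Details (an oversized Message: field accepted by the mobile gateway, and Add Buddy requests that keep being re-sent after they are answered) can be closed with checks like the following. This is an added example, not Yahoo!'s code or the actual patch; the `Gateway` class, its method names and the `MAX_MESSAGE_CHARS` value are all assumptions made for illustration.

```python
# Added illustration; not Yahoo!'s code. All names and limits are assumptions.
from dataclasses import dataclass, field

MAX_MESSAGE_CHARS = 1000  # assumed cap, far below the 15,334 in the advisory


class Rejected(Exception):
    """Raised when the gateway refuses a request."""


@dataclass
class Gateway:
    # recipient -> {sender: message} for add-friend requests awaiting an answer
    pending: dict = field(default_factory=dict)

    def _check(self, message: str) -> str:
        # Enforce the cap on the server, before anything is queued or relayed;
        # a limit that exists only in the web form does not protect clients.
        if len(message) > MAX_MESSAGE_CHARS:
            raise Rejected(f"{len(message)} chars exceeds {MAX_MESSAGE_CHARS}")
        return message

    def send_message(self, sender: str, recipient: str, message: str):
        # Returns the frame that would be relayed to the recipient's client.
        return (recipient, sender, self._check(message))

    def add_friend(self, sender: str, recipient: str, message: str = ""):
        checked = self._check(message)  # validate first, then store
        self.pending.setdefault(recipient, {})[sender] = checked

    def answer(self, recipient: str, sender: str, approve: bool) -> bool:
        # Approved or denied, the request is removed so it is never replayed.
        if self.pending.get(recipient, {}).pop(sender, None) is None:
            raise Rejected("no such pending request")
        return approve

    def on_sign_in(self, recipient: str):
        # Only unanswered requests are delivered at sign-in.
        return sorted(self.pending.get(recipient, {}).items())
```
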