Yahoo! Messenger 11.5.0.228 Buffer Overflow

<p>* ADVISORY INFORMATION</p><p>-----------------------</p><p>Product: Yahoo! Messenger</p><p>Vendor URL: <a href="http://www.yahoo.com" rel="nofollow">www.yahoo.com</a></p><p>Type: Stack-based Buffer Overflow [CWE-121]</p><p>Date found: 2014-05-02</p><p>Date published: 2015-09-03</p><p>CVSSv3 Score: 4,8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)</p><p>CVE: CVE-2014-7216</p><p> VERSIONS AFFECTED</p><p>--------------------</p><p>Yahoo! Messenger v11.5.0.228 (latest)</p><p>Yahoo! Messenger v10.0.0.2009</p><p>older versions may be affected too.</p><p>* INTRODUCTION</p><p>---------------</p><p>Yahoo Messenger is the premier instant messaging (IM) platform, used on</p><p>a wide variety of desktop and mobile clients. Millions of users</p><p>throughout the world depend on Yahoo Instant Messenger to manage their</p><p>social contacts, group lists, and presence information; hold real-time</p><p>instant communications; and perform data transfer to and from contacts</p><p>throughout the world. All instantly.</p><p>(from the vendor's homepage)</p><p>* VULNERABILITY DESCRIPTION</p><p>----------------------------</p><p>Multiple buffer overflow vulnerabilities have been identified in Yahoo!</p><p>Messenger v11.5.0.228 and prior.</p><p>The application loads the content of the file emoticons.xml from two</p><p>different directories %PROGRAMFILES(x86)%Yahoo!MessengerCache and</p><p>%PROGRAMFILES(x86)%Yahoo!MessengerMediaSmileys when a user logins to</p><p>determine the available emoticons and their associated shortcuts, which</p><p>can be used in the chat window. But the application does not properly</p><p>validate the length of the string of the "shortcut" and "title" key</p><p>values before passing them as an argument to different lstrcpyW calls.</p><p>This leads to a stack-based buffer overflow condition, resulting in</p><p>possible code execution. An attacker needs to trick the victim to copy</p><p>an arbitrary emoticons package to the application directory in order to</p><p>exploit the vulnerability. Successful exploits can allow attackers to</p><p>execute arbitrary code with the privileges of the user running the</p><p>application. Failed exploits will result in a denial-of-service condition.</p><p>* REPORT TIMELINE</p><p>------------------</p><p>2014-05-02: Discovery of the vulnerability</p><p>2014-05-03: Reported via Yahoo! Bug Bounty program (hackerone.com)</p><p>2014-07-19: Vendor forwards the issue to the dev team</p><p>2014-08-31: Request for status update due to Yahoo's 120-day policy&nbsp;</p><p>2014-09-10: Vendor is still evaluating the issue</p><p>2014-09-20: Vendor closes the issue as "Won't fix" due to EOL&nbsp;</p><p>2014-10-01: MITRE assigns CVE-2014-7216</p><p>2014-10-05: Request to disclose the bug publicly</p><p>2015-08-14: Vendor approves the disclosure</p><p>2015-09-03: Advisory released</p>