 
From: Curt Wilson (cwsecgeekyahoo.com)
Date: Mon Jan 07 2002 - 00:35:40 CST


    In-Reply-To: <20020104192111.15122.qmailmail.securityfocus.com>

    This appears to just be a webserver used by Yahoo
    IM to xfer files; check your IM preferences for file xfer
    options (which includes a path to virus scanner
    executable). The default port appears to be port 80 so
    Code Red, Nimda and all usual scans will be hitting
    this baby and showing up in the Yserver.log. There
    could be some options for attack here but I've yet to
    explore them. I tried to manually grab a file using the
    format shown in Yserver.log; I sent a file to myself and
    it looks like the file was checked first (Head
    image/jpeg) and then sent. Myname618 is my
    (sanitized) yahoo email address, not sure what the
    1010383053484 is, but acid_test.jpg is the file I sent.
    Could be some options for something other
    than /Messenger as the initial connection string and
    AppID=Messenger. Could be a way to spoof
    usernames here; not sure what the K=lc9lid is in this
    case, needs more analysis when I have more time.

    The HEAD request:

    01/06/102 23:57:42.593 01/06/102 23:57:42.625 00:00:00.032 192.168.1.2 Head image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 0 .jpg
    HEAD /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.01 [en] (Win95; I)
    Host: 192.168.1.2
    Content-Length: 0
    Cache-Control: no-cache

    The GET request:

    01/06/102 23:57:42.640 01/06/102 23:57:42.796 00:00:00.156 192.168.1.2 Get image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 249051 .jpg
    GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
    User-Agent: Mozilla/4.01 [en] (Win95; I)
    Host: 192.168.1.2
    Connection: Keep-Alive

    I tried a basic directory traversal, as well as manually
    pasting one of the requests from the logfiles into
    a "telnet localhost 80" and received this:

    HTTP/1.0 550 Failed on redirect
    Server: Y!

    Running Yserver.exe directly brings up a "Component
    Server" window.

    The only intelligible strings I can see from viewing the
    EXE are

    .text
    .rdata
    .data
    .rsrc

    Probably some room for exploitation somewhere in
    here, but I don't have time to mess with it. Have fun,
    let me know what you come up with if anything.

    CWsecgeek
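Added example (not part of the post above, and not Yahoo's code): a small parser for Yserver.log entries in the layout the post shows (a summary line, then the raw request line, then the request headers), followed by two defender-side checks. The first flags requests that do not fit the Messenger file-transfer pattern the post describes (path of the form /Messenger.<user>.<id><file>, AppID=Messenger, a K token, and a UserID that matches the user embedded in the path), which is the kind of entry the post expects from Code Red/Nimda-style scans on port 80. The second lists GETs that were not preceded by the HEAD check the post observed. The summary-line field order and the path naming rule are inferred from the two entries in the post; the third entry (client 10.0.0.5, a probe for /scripts/root.exe) is constructed for the sample and is not from the post.

```python
"""Parse Yserver.log-style entries and flag traffic that does not look like
Yahoo Messenger file transfers.  Field order and path layout are inferred
from the two log entries quoted in the post; nothing here is Yahoo's code."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the post's HEAD and GET entries unwrapped onto single
# lines, plus one constructed entry resembling a worm/scanner probe.
SAMPLE_LOG = """\
01/06/102 23:57:42.593 01/06/102 23:57:42.625 00:00:00.032 192.168.1.2 Head image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 0 .jpg
HEAD /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.01 [en] (Win95; I)
Host: 192.168.1.2
Content-Length: 0
Cache-Control: no-cache

01/06/102 23:57:42.640 01/06/102 23:57:42.796 00:00:00.156 192.168.1.2 Get image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 249051 .jpg
GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
User-Agent: Mozilla/4.01 [en] (Win95; I)
Host: 192.168.1.2
Connection: Keep-Alive

01/06/102 23:58:10.000 01/06/102 23:58:10.010 00:00:00.010 10.0.0.5 Get text/html /scripts/root.exe 404 0 .exe
GET /scripts/root.exe?/c+dir HTTP/1.0
Host: 192.168.1.2
"""

# Summary line: start, end, elapsed, client, method, content type, path,
# status, bytes sent, extension (order assumed from the post's entries).
SUMMARY_RE = re.compile(
    r"^(?P<start>\S+ \S+) (?P<end>\S+ \S+) (?P<elapsed>\S+) (?P<client>\S+) "
    r"(?P<method>\w+) (?P<ctype>\S+) (?P<path>\S+) (?P<status>\d+) "
    r"(?P<bytes>\d+) (?P<ext>\S+)$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")
# Assumed naming rule, from the post: /Messenger.<user>.<id><filename>
MESSENGER_PATH_RE = re.compile(r"^/Messenger\.(?P<user>[^.]+)\.")


@dataclass
class Entry:
    client: str
    method: str
    path: str
    status: int
    size: int
    query: dict
    headers: dict


def parse_yserver_log(text):
    """Split the log into blank-line-separated entries and parse each one."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        summary = SUMMARY_RE.match(lines[0])
        request = REQUEST_RE.match(lines[1]) if len(lines) > 1 else None
        if not (summary and request):
            continue  # skip anything not in the expected two-line-plus-headers layout
        parts = urlsplit(request["target"])
        headers = {}
        for line in lines[2:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        entries.append(Entry(
            client=summary["client"], method=request["method"], path=parts.path,
            status=int(summary["status"]), size=int(summary["bytes"]),
            query={k: v[0] for k, v in parse_qs(parts.query).items()},
            headers=headers,
        ))
    return entries


def review_entry(entry):
    """Reasons an entry does not look like a normal Messenger transfer."""
    reasons = []
    m = MESSENGER_PATH_RE.match(entry.path)
    if not m:
        reasons.append("path outside /Messenger.<user>.<id><file>")
    if entry.query.get("AppID") != "Messenger":
        reasons.append("AppID missing or not Messenger")
    if "K" not in entry.query:
        reasons.append("missing K parameter")
    if m and entry.query.get("UserID") != m["user"]:
        reasons.append("UserID does not match user embedded in path")
    return reasons


def find_suspicious(entries):
    """(client, method, path, reasons) for every entry that fails review_entry."""
    return [(e.client, e.method, e.path, review_entry(e))
            for e in entries if review_entry(e)]


def unpaired_gets(entries):
    """GETs from a client with no earlier HEAD for the same path (the post
    observed the client HEAD-checking the file before fetching it)."""
    seen_head, out = set(), []
    for e in entries:
        key = (e.client, e.path)
        if e.method == "HEAD":
            seen_head.add(key)
        elif e.method == "GET" and key not in seen_head:
            out.append(e)
    return out


if __name__ == "__main__":
    parsed = parse_yserver_log(SAMPLE_LOG)
    for client, method, path, reasons in find_suspicious(parsed):
        print(f"{client} {method} {path}: {'; '.join(reasons)}")
    for e in unpaired_gets(parsed):
        print(f"GET without prior HEAD: {e.client} {e.path}")
```

Run it against a real Yserver.log by reading the file into parse_yserver_log; if the production summary line carries the query string in its path field, adjust SUMMARY_RE accordingly, since that field order is an inference from the two quoted entries rather than a documented format.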