Yahoo! Messenger Webcam ActiveX Exploit

On June 6, 2007, eEye security (http://research.eeye.com/html/advisories/upcoming/20070605.html) published a report stating that Yahoo! Messenger was susceptible to a buffer overflow. The next day a Yahoo! spokesperson let it slip that the problem was in the webcam ActiveX control that allows a user to display his webcam on a webpage. Shortly after that, exploit code was published on the Full Disclosure mailing list (http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/). There are actually two different components that can be exploited: ywcupl.dll (Webcam Upload) and Ywcvwr.dll (Webcam Download).

What to expect

Here you can test to see if you are vulnerable to this particular exploit. Be warned that this may cause the following:

If you are vulnerable then your web browser should crash. I have found that it is more likely to happen in IE than Firefox.

This was the first proof of concept. It uses a fairly standard payload that starts the Windows calculator.

The second proof of concept is certainly much more nasty. It will download a program from anywhere on the Internet and then run that program. In my example I download Free.exe and then run it. Free.exe simply opens a new process for the Free Cell Windows game. Free.exe is written in VB.NET, so you will need the .NET Framework to run it. Certainly you could use your imagination and see that this is the ultimate exploit.