
Windows Live Messenger 2009 ActiveX DoS Vulnerability






Product:
Windows Live Messenger 2009 (Build 14.0.8089.726)


********************************************************************************
Vulnerability:
ActiveX - Denial of Service


********************************************************************************
Discussion:
The vulnerability is in the ActiveX control (msgsc.14.0.8089.726.dll).
Sending a string to ViewProfile() causes a crash in msnmsgr.exe.
*The user must be signed in to an MSN Messenger account for the vulnerability to be triggered.



********************************************************************************
Vulnerable:
Windows Live Messenger 2009 on Windows Vista
Windows Live Messenger 2009 on Windows 7

Not Vulnerable:
Windows Live Messenger 2009 on Windows XP

Credits:
HACKATTACK IT SECURITY GmbH
Penetration Testing in Germany - Austria - Switzerland
www.hackattack.com 

and

Natal Networks Inc.
Vulnerability Discovery, Penetration Testing, IT Security Consulting
www.natalnetworks.com 


********************************************************************************

Original Advisory
www.hackattack.com 
www.natalnetworks.com 


********************************************************************************
PoC .wsf script:
'works on vista and windows7















About HACKATTACK and Natal Networks
===============
HACKATTACK IT SECURITY GmbH is a penetration testing and security auditing company located in Germany and Austria.
More Information about HACKATTACK at
http://www.hackattack.com 

Natal Networks was founded by Hellcode Research Team in 2009.
The main mission of Natal Networks is to discover and research vulnerabilities.
It also provides penetration testing and security auditing services.
More information: www.natalnetworks.com




