Advertisements

 Paper: In-Depth Analysis of Yahoo! Authentication Schemes

Written by SlicK, RSTZone.org

Sunday, 6 January 2008

Author: SlicK
Email: slick@rstzone.org
Website: http://rstzone.org or http://en.rstzone.org


This article is a result of about 2 weeks of research, tests and lots of hard work and will cover a few aspects related to Yahoo! that some of you may already know but nonetheless, i find them interesting. The purpose is to shed some light on a few "myths" about yahoo! and to answer some of the questions related to them.

Part I. "yahoo64" Encoding Algorithm

Part II. Analysis of the Yahoo Token
Part III. Yahoo! Messenger - "Remember my ID and Password"
Part IV. YMSGR v15 Authentication
Part V. The analysis and explanation of Yahoo! cookies


Part I. "yahoo64" Encoding Algorithm


This Algorithm is used by Yahoo! anywhere there is a need to transform a string of non-printable characters into a printable one.
Its called coding not crypting because it does not offer any protection for the string of characters to be coded. Without going into to many cryptographic details, we need to mention that yahoo64 is very similar to base64 but its charset is longer(two more chars).
For yahoo64 the charset is: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"

yahoo64 has a few characteristics that need to be mentioned:
- all the characters from the coded string are part of the above mentioned charset
- the length of the string is a multiple of 4
- based on the length of the initial string, the end of the crypted string may be "-" or "--"

* Note: for further details, study the 2 php functions (for coding and decoding) at the end of this article




Part II. Analysis of the Yahoo Token


From what i've noticed so far, the Yahoo! token is a sum of the user and password, unique for each username and is changed in part, every time the password is changed. Basically, owning this token means that you are either the owner of the account (username) or an entity who has the permission from its owner to act in his/her name on yahoo servers.

The user ca obtain his token by accessing this link:

Code:

https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=USERNAME&passwd=PASSWORD


where USERNAME and PASSWORD are a valid username/password combination.

This token is useful because it can offer a valid yahoo COOKIE anytime.

Code:

https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=[TOKEN]


An example of response to a request to "https://login.yahoo.com/config/pwtoken_get" can be this:

Code:

0
ymsgr=AGG6e0diD9m.3D4YlFPVcdBT1wFXKSBWP0Hl.gyQKd.qec8-
partnerid=KSBWP0Hl.gyQKd.qec8-


"ymsgr" is the token i spoke about earlier and as we can see, "partnerid" is part of this token (at the end). This "partnerid" is unique for each user and does not change even if you change the password. Its length varies upon the length of the username.

As you can see, the length of the token is 48(multiple of 4) and ends in "-" which shows us that it is coded with yahoo64. After decoding, we get the following string of characters (where every 2 characters represent the hexadecimal value of a single character of the decoded token):

Code:

00 61 BA 7B 47 62 0F D9 BE DC 3E 18 94 53 D5 71 D0 53 D7 01 57 29 20 56 3F 41 E5 FA 0C 90 29 DF AA 79 CF


All the tokens i've seen so far had the first character "0x00"
The following 4 characters represent the "timestamp" (the number of seconds elapsed since 1-1-1970) when the user was created or when the password was changed, only that the "timestamp" is reversed. For an instance, in the above given example, the "timestamp" will be 0x477BBA61(decimal 1199290977) which means "Wed, 2 Jan 2008 16:22:57 GMT"

Decoding "partnerid" we get the following string:

Code:

29 20 56 3F 41 E5 FA 0C 90 29 DF AA 79 CF


which, as we can see are the last 14 characters at the end of the token.

If we eliminate the first character (00) from the token, the "timestamp"(61 BA 7B 47) and the decoded "partnerid" we will have only this

Code:

62 0F D9 BE DC 3E 18 94 53 D5 71 D0 53 D7 01 57


The resulting string has 16 characters which leads to the conclusion that it is a hash MD5 (md5() produces a 128 bits hash meaning 16 characters between 0x00 and 0xFF. Not to be mistaken for md5_hex() which results a string of 32 characters representing the hexadecimal values of the 16 characters produced by md5() )

When changing the password, only the "timestamp" is modified and this MD5 hash. This leads me to think that either the timestamp or the password or both are part of the initial string (that produces the hash).

I need to mention for those that want to run some tests, that this token need to be kept SECRET because, as i said before, revealing the token can compromise the account. (you dont need to know the password in order to obtain a set of cookies).



Part III. Yahoo! Messenger - "Remember my ID and Password"


Starting with version 7.x.x.x Yahoo! Messenger doesn't memorize the password when the "Remember my ID and Password"is checked. Instead, it retains the token I spoke of earlier since the token is enough for a successful authentication.

The token is crypted and saved at this key in the windows registry:

Code:

HKEY_CURRENT_USER\Software\Yahoo\Pager\ETS


The user is also saved(as it is needed for decoding) at this key:

Code:

HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID


The analysis i ran on a ETS string is pretty brief: the token is crypted using a key made of "MBCS sucks + USERNAME". The resulting string is then coded with "yahoo64" and saved in the registry's under the ETS key.

This is an example of an ETS string

Code:

R3_oNgAARNmYGcE.D8dcDOwRohZ0PzaYM2fgN6pFI8a8grRcaEq6zfXUNNUVm2MnuufdKTETuB9cKmcaarY0O4dJVHBsUw5gNw--


This is the result after decoding:

Code:

47 7F E8 36 00 00 44 D9 98 19 C1 3E 0F C7 5C 0C EC 11 A2 16 74 3F 36 98 33 67 E0 37 AA 45 23 C6 BC 82 B4 5C 68 4A BA CD F5 D4 34 D5 15 9B 63 27 BA E7 DD 29 31 13 B8 1F 5C 2A 67 1A 6A B6 34 3B 87 49 54 70 6C 53 0E 60 37


The only thing i noticed about this string is that the first 4 characters are the timestamp when this string was created (upon login)




Part IV. YMSGR v15 Authentication


I will assume you are already familiar with Yahoo! Messenger protocol (package forming and parameters)

For compatibility reasons, YMSGR15 accepts also the classical login (with user/password). Yet, more important is the fact that it uses
COOKIE authentication (based on token).

For a successful login Yahoo! Messenger follows these steps:

- If the "Remember my ID & password" tick box is checked, it decrypts the ETS string and obtain a token. If not, it will use the
username and password to make a request at: "https://login.yahoo.com/config/pwtoken_get" to get the token
- Once connected to one of the yahoo servers, it sends a VERIFY package (0x4C)
- If it receives a valid VERIFY reply from the server, it begins the authentication procedure
- Sends an AUTH package (0x57) with the following parameters:
"1" - USERNAME
- Receives a "AUTHRESP" package (0x54) from which it extracts the value of parameter "94" (CHALLANGE)
- Having a valid token of the user, it will make a request to "https://login.yahoo.com/config/pwtoken_login" o obtain the "Y" and "T"
values of the cookie as well as the "crumb" value (CRUMB)
- It creates a string (STRING307) like this: yahoo64(md5(CRUMB+CHALLENGE))
- Then it send an AUTHRESP package (0x54) with parameters:
"277" - parameter Y
"278" - parameter T
"307" - STRING307
"0" - USERNAME
"2" - USRNAME
"2" - "1"
"1" - USERNAME
"244" - a random number (ex. "2097087")
"98" - "us"
"135" - client version (ex. "8.1.0.421")
"148" - "-120"

- If everything is OK the user is authenticated and the server sends the buddy list and other info such as new mails, add buddy
request and so on.



Part V. The analysis and explanation of Yahoo! cookies

Once the user is authenticated by a Yahoo service, he will receive the "Y" and "T" so my analysis was focused on these 2 cookies.
The Y cookie can be configured to expire anytime between 15 mins to 24 hours. The T cookie usually expires when you close your browser or when you logout form the account. For services with low security such as the "My Yahoo" page, the Y cookie is enough but for the more important ones, mail, calendar, etc. the T cookie is a must. As you probably noticed a Yahoo cookie is made in pairs "parameters=value". Further on, i will analyze the parameters that form each cookie and i will try to come with an explanation for their presence and purpose.


The Y cookie:

Example:

Code:

Y=v=1&n=9mioklmar8tku&l=glagla/o&p=m2509oh012000000&r=in&lg=en-US&intl=us&np=1


Contains the username, an unique ID and a few demographic informations. Usually this remains unchanged for a user and the only thing that will be modified is the unique ID(when you change the password) and the demographic informations (when you change the address, language and so on).

As we can see, it is made of the "v", "n", "l", "p", "r", "l", "g", "intl" and "np" parameters but not all of them are necessary for a successful identification of a user.

The "n" parameter is an unique internal ID of the user (it is changed only when changing the password) which is compared to an yahoo internal value on certain requests in order to obtain information or for the automatic expiration of all of the old cookies when changing the password.

The "l" parameter is the username encoded with a simple algorithm where each character of the user has a correspondent in a different string as follows:

Code:

PLAINTXT=klmnopqrstuvwxyz0123457896abcdefghij._
ENCODED=abcdefghijklmnopqrstuvxyzw0123456789._


Thus, for this cookie the username is "qvkqvk"

The "p" parameter contains personal info of the user: age, gender, date of birth, country, etc.

The rest of the parameters also contain information about language, certain settings, etc.


The T cookie

Example:

Code:

T=z=Cr7eHBCxQfHBJkF/Bqb4dnUMzIwBjVPNDQzNDFOME8-&a=QAE&sk=DAAk3Lb2EiyEEM&ks=EAA3i37q0zwFhuCnF6cflaKHg--
~A&d=c2wBTkRVM0FUSTRNek0wTXpZNU56Zy0BYQFRQUUBenoBQ3I3ZUhCZ1dBAXRpcAFzNkpUZEM-


Contains timestamps and a symmetrical digital signature. This is changed only when response time from the yahoo server is modified (regardless of how many cookies are generated in a second, they are identical)

It is made of parameters "z", "a", "sk", "ks", and "d" but to be authenticated by the web services you only need the sk,ks and d parameters but for Yahoo! Messenger authentication the "z" parameter is mandatory.

The "z" parameter exists for compatibility with older services and it is in close connection with the CRUMB value used for Yahoo! Messenger authentication, Tis parameter contains two timestamps(in Yahoo format), a random 11 characters string and a yahoo64 encoded string.

The best analogy i can give to explain the Yahoo timestamp is to compare it to the km/mileage gauge on a car. Each character (from left to right) can be compared with a gear with the values from the charset(yahoo64 charset where "_" is replaced by "/"). When the first character finishes a complete rotation, through all the positions, the second characters goes goes up one step.This process continues like this until the 6th character. Since we know that the first character goes up one step per second we can calculate the timestamp in UNIX format.

The first 6 chars from the "z" parameter are the timestamp when the cookie was created(upon successful authentication), the next 6 are the timestamp when the cookie expires(24 hours after the first timestamp). The next 11 characters change randomly and i haven't explained their presence yet (although i presume it has something to do with the CRUMB). The remaining characters left are a yahoo64 encoded string which decoded looks like this(for the above example).
Where [SEP] is the hexadecimal character 0x06

Code:

320[SEP]5O44341N0O


The "a" parameter (it usually has the value "QAE") contains flags for expiration and under-age child protection.

The "sk" parameter represents the session (session key) and is calculated out of the username, unique ID and timestamp as well as of a string known only by Yahoo! servers (Yahoo shared secret)

The "ks" parameter is (by my observations) a hash of the user's password or another string which replaces the password cause without its presence would lead to a request to input the password (on Yahoo servers).

If we ignore the first 3 characters which are changing ("DAA") and the last 2 characters which also remains unchanged ("~A") we get a yahoo64 coded string which most probably represents an MD5 hash (the decoded string has 16 characters) which is most likely generated by using a shared secret.

The "d" parameter contains the users' session and a few compatibility informations.
This is a yahoo64 coded string. After decoding the "d" value from the given example we will have the following string:

Code:

sl[SEP]NDU3ATI4MzM0MzY5Nzg-[SEP]a[SEP]QAE[SEP]zz[SEP]Cr7eHBgWA[SEP]tip[SEP]s6JTdC


You can notice that this string is also a paired "parameter=value" one.

Code:

sl=NDU3ATI4MzM0MzY5Nzg-&a=QAE&zz=Cr7eHBgWA&tip=s6JTdC


The value of the "sl" parameter is also a yahoo64 coded string:

Code:

457[SEP]2833436978 (or 457=2833436978) 


This is number is unique for each user and does not modify even if you change the password.

The 'a" parameter is the same with one from the "T" cookie.

The "zz" parameter represents the timestamp(in Yahoo format) when the cookie was created(same as the first timestamp from the "z" parameter) and 3 extra characters.

The "tip" parameter is the same for all Yahoo! users but is changing periodically(i don't know the exact interval).


Thats about it. Congratulations to those who been patient enough to read it through the end.


The yahoo64 algorithm
Code:

<?php
//yahoo64 encode/decode functions by SlicK [slick@rstzone.org]

function yahoo64_encode($source)
{
  $yahoo64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._";
  $limit=strlen($source)-(strlen($source)%3);
  $dest="";
  for($i=0;$i<$limit;$i+=3)
  {
    $dest.=$yahoo64[ord($source[$i])>>2];
    $dest.=$yahoo64[((ord($source[$i])<<4)&0x30) | (ord($source[$i+1])>>4)];
    $dest.=$yahoo64[((ord($source[$i+1])<<2)&0x3C) | (ord($source[$i+2])>>6)];
    $dest.=$yahoo64[ord($source[$i+2])&0x3F];
  }

  switch(strlen($source)-$limit)
  {
    case 1:
    {
      $dest.=$yahoo64[ord($source[$i])>>2];
      $dest.=$yahoo64[(ord($source[$i])<<4)&0x30];
      $dest.='--';
    } break;

    case 2:
    {
      $dest.=$yahoo64[ord($source[$i])>>2];
      $dest.=$yahoo64[((ord($source[$i])<<4)&0x30) | (ord($source[$i+1])>>4)];
      $dest.=$yahoo64[((ord($source[$i+1])<<2)&0x3c)];
      $dest.='-';
    } break;
  }
  return($dest);
}

function Index($string,$chr)
{
  for($i=0;$i<64;$i++) { if($string[$i]==$chr) { return($i); } } return(-1);
}

function yahoo64_decode($source)
{
  $yahoo64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._";
  $len=strlen($source);
  if($source[$len-1]=='-') { $plus=2; }
  if($source[$len-2]=='-') { $plus=1; }
  if($plus>0) { $len-=4; };

  $dest="";
  for($i=0;$i<$len;$i+=4)
  {
    $chr1=Index($yahoo64,$source[$i]);
    $chr2=Index($yahoo64,$source[$i+1]);
    $chr3=Index($yahoo64,$source[$i+2]);
    $chr4=Index($yahoo64,$source[$i+3]);
    $dest.=chr(($chr1<<2)|($chr2>>4));
    $dest.=chr((($chr2&0xF)<<4)|($chr3>>2));
    $dest.=chr((($chr3&0x3)<<6)|($chr4&0x3F));
  }
  switch($plus)
  {
    case 1:
    {
      $chr1=Index($yahoo64,$source[$i]);
      $chr2=Index($yahoo64,$source[$i+1]);
      $dest.=chr(($chr1<<2)|($chr2>>4));
    } break;
   
    case 2:
    {
      $chr1=Index($yahoo64,$source[$i]);
      $chr2=Index($yahoo64,$source[$i+1]);
      $chr3=Index($yahoo64,$source[$i+2]);
      $dest.=chr(($chr1<<2)|($chr2>>4));
      $dest.=chr((($chr2&0xF)<<4)|($chr3>>2));
    } break;
  }
  return($dest);
}

//usage example

$string="any string";
print("Original string=$string<br>\n");

$encoded=yahoo64_encode($string);
print("Encoded string=$encoded<br>\n");

$decoded=yahoo64_decode($encoded);
print("Decoded string=$decoded<br>\n");
?>



Share this content:
        
Advertisements
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.