One RCE Vulnerability to Hack Yahoo, Microsoft, Orange.

facebooktwittergoogle_plusredditpinterestlinkedinmail

1337
Hello Everyone :-)

Today I will be talking about a “Unauthorized Admin Access” that led to “Remote Code Injection” on many domains of “Yahoo“, “Microsoft MSN“, And “Orange“.

Excited? Good, Now let’s dive into the details.

During my researches in #Yahoo Bug Bounty Program, I found myself in a Yahoo.net domain:
http://mx.horoscopo.yahoo.net/ymx/
I tried to find the admin panel for that domain name, so I found myself in below page:
http://mx.horoscopo.yahoo.net/ymx/editor/

The thing is, it dosent ask me for any login credentials!

Yes I just found myself in the admin panel without asking for a login credentials, this what is called “Unauthorized Admin Access AKA Indirect Object Reference“.

yahoo-admin

So, You see that list of files on the left side? I had an option to create a new “ASPX” file. I tried to intercept the POST request sent when trying to create a new file, So, here is what I got.

http-request
As you see, it’s a POST request to the below URL with below POST data:
http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx
POST: FileName=zigoo.aspx&FileContent=zigoo

Yes, You’ve only to provide the new created file name and whatever content you want to add!!

Lolz
So, I did create a file named “zigoo.aspx” with my name as a content “zigoo”:

RCEOfcourse I could have created that file with a code to give me Remote Command Execution Privilege, but I saw it was a good/enough POC.

Now what?
I tried to check if there is any other Yahoo domains that were affcted by the same vulnerability?
I searched for the same sites hosted on the same server and I found below sites on the same server:

#Yahoo:
http://pe.horoscopo.yahoo.net
http://mx.horoscopo.yahoo.net
http://ar.horoscopo.yahoo.net
http://co.horoscopo.yahoo.net
http://cl.horoscopo.yahoo.net
http://espanol.horoscopo.yahoo.net

#Microsoft MSN:
http://astrocentro.latino.msn.com/
http://astrologia.latino.msn.com/
http://horoscopo.es.msn.com/
http://horoscopos.prodigy.msn.com

#Orange:
http://astrocentro.mujer.orange.es

So, what was the shocking issue here?
The shocking thing here is that I don’t have to upload/create my page on every domain to make a good POC!

Because once I created that page on one of the Yahoo domains mentioned above, I found that my page has been created on ALL SITES hosted on the same server, Yahoo, MSN, Orange and others!

Imagine a Black-Hat with this vulnerability, creating his “Iframed” aspx page with it’s malicious content on such highly ranked/trusted domains of Yahoo.net MSN.com Orange.es and more!!

How did it happen?
I tried to contact Microsoft regarding this question, they said “We will investigate it”

Till they investigate it, below is my expectation:
It’s A CDN(Content Delivery Network) Service for astrology that caches the same content to render it for the sub domains of that mentioned vulnerable domains, So all files on one domain will be shown on all other domains on the server.

Below video shows the POC file that was created on all the above mentioned domains.


What happened after the report?

#Yahoo_Case, Thanks to R.Martinz for speeding up the fix release,
Yahoo does not pay bounties for vulnerabilities found in Yahoo.net, but they decided to reward me for this vulnerability since it’s a Critical Vulnerability that Affects 6 Yahoo domains.
yahoo-response

#MSN_Case, I tried to get any reward from Microsoft for reporting such Critical Vulnerability that affects 4 MSN domains, but as you all know how Microsoft Acts like!! Ofcourse you all could expect what happened here :D

#Orange_Case, It was hard as hell to get in touch with Orange! till I gave up!, But fortunately, the fix that was released by Microsoft has fixed the issue on all the server domains including Orange.

To stay tuned to my latest findings, Keep an eye on my Twitter account, @Zigoo0

This Post was Viewed (16304) times.

8 Comments

  1. Mohammed Gad - May 17, 2014

    مبرووووك :D !!
    انا عمرى ما تخيلت ان فى شركه كبيره ممكن يكون عندها ثغره زى دى xD

  2. Musab Mohamed @th3_pirate - May 17, 2014

    مبرووك يا هيمه استمر ربنا يحفظك ..

  3. One RCE Vulnerability to Hack Yahoo, Microsoft,... - May 17, 2014

    […] Today I will be talking about a “Unauthorized Admin Access” that led to “Remote Code Injection” on many domains of “Yahoo“, “Microsoft MSN“, And “Orange“.  […]

  4. Remote Code Injection Vulnerability Found on Yahoo, Microsoft and Orange Subdomains | HOTforSecurity - May 19, 2014

    […] A Remote code injection vulnerability was found on the subdomains of Yahoo, Microsoft and Orange by being escalated from an Unauthorized Admin Access, according to Ibrahim Hegazy’s blog post. […]

  5. 1337 - May 20, 2014

    lol, and could sell and earn good money

  6. 一个远程代码执行漏洞搞定Yahoo, Microsoft, Orange - FreeBuf.COM - May 20, 2014

    […] 一个埃及黑客通过一个文件上传,拿下了多个大型厂商旗下网站。而且这个哥们说话蛮逗的,很有喜剧效果。英文原文看这里。 […]

  7. Ahmed Mogy - September 27, 2014

    you the man ! :D :D

    keep it on ! ^^

Leave a reply