Yahoo Remote Command Execution via Admin/Upload Bypassby
Hello Everyone, Recently I was analyzing an XSS vulnerability on one of Yahoo’s Subdomains where I decided to also analyze the HTTP Headers. While doing so I came across the admin login page on (hk.yahoo.net), due to the fact that the search was being posted to search module from the admin panel. Well that’s not the best part!
Once I got to the admin page I thought to myself there’s no way I will get passed this page and someone has probably tried to get pass this before… but wait!I wanna try user/password as admin/admin… cuz I’m funny and I want to try it before I look into other ways to obtain a user (like SQLi). Unfortunately I was able to login to the admin panel with an admin/admin criteria. No SQLi or anything needed! After snooping around for a few minutes, I came across and edit/insert page where I was able to create a new page and insert the needed pictures and information. Since I was able to login with the admin/admin as a login I figured the upload section will possibly allow me to bypass the upload restriction. As a part of my test I decided to create a file with the following name: Shell.php.jpg and I inserted a simple:
and uploaded the file as I monitored the HTTP headers, revised those headers, replayed them, and successfully changed the file name back to shell.php Now here’s where it gets interesting: (And yes, I did use a c99 shell to make everything easier!)As you can see our UID/GID is 2 (daemon). I had read/write/execute permissions in /home which contains few more subdomains and website. Also, Linux kernel is VERY old and is a rootable. Not to mention I was able to read most DIRs and Files but NOT including /etc/shadow).
Here’s the PoC video sent to Yahoo as a part of this research:
Don’t set your username and password the same.
Don’t set your username and password as admin.
And have a better and restricter uploader.
Is it in the scope? We don’t know yet. Should it be? Yes! Why? Because most of the hk.ent.yahoo.com files are loaded and included from the .net domain and/or redirects to it. Also there was more than just one domain I could access via this vulnerability:
2014-02-20 Status was changed to Triaged
Bounty? Nothing yet!
As of 4/14/2014 This post has been viewed (4383) timesby