Yahoo Remote Code Execution on cms.snacktv.de
By: Sean Melia
2016-02-06
I managed to chain a number of bugs together in order to get remote code execution and was paid $0 for the impactful ones.

Backstory: Yahoo acquired Media Group One (MGO) in December 2014. In January 2016 this acquisition was officially put in scope.

MGO acquired SnackTV Media and Vertical Network Media in Spring 2013. (http://mediagroupone.de/en/company/history/)

SnackTV is run by (now) Yahoo employees. Guess how I know that.

Entities:
*.mediagroupone.de
*.snacktv.de
*.vertical-network.de
*.vertical-n.de
*.fabalista.com
etc. etc.
The Fun Stuff

Login page:
First I found out that http://cms.snacktv.de had its .svn directory exposed. This allowed me to use svn-extractor.py to dump all the source code:
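An exposed .svn directory is easy to find from the inside before anyone finds it from the outside. The following is an added defensive example, not code from the write-up or from the SnackTV CMS: it walks a local web root, reports every version-control metadata directory under it, and flags a .svn directory that still carries the files an extractor would need. The demo tree it builds is constructed, and the nginx rule is a suggested deny rule, not one taken from the site.

```python
"""Audit a deployed web root for version-control metadata.

Added defensive example; it is not code from the original write-up. It assumes
the web root is a local directory whose whole tree is served to clients, so any
.svn/.git/.hg/.bzr directory under it is reachable over HTTP unless the web
server explicitly denies it. The demo tree built below is constructed.
"""
import os
import tempfile
from typing import Dict, List

VCS_DIRS = {".svn", ".git", ".hg", ".bzr"}

# Markers that a .svn directory really is a checkout whose history could be dumped:
# Subversion >= 1.7 stores the working copy in wc.db, older clients used 'entries'.
SVN_MARKERS = ("wc.db", "entries")


def find_vcs_metadata(web_root: str) -> List[str]:
    """Return web-root-relative paths of every VCS metadata directory found."""
    hits = []
    for dirpath, dirnames, _ in os.walk(web_root):
        for name in sorted(dirnames):
            if name in VCS_DIRS:
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
        # Do not descend into the metadata directories themselves.
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
    return sorted(hits)


def is_dumpable_svn(web_root: str, rel_path: str) -> bool:
    """True when a reported .svn directory carries the files an extractor needs."""
    full = os.path.join(web_root, rel_path)
    return os.path.basename(full) == ".svn" and any(
        os.path.exists(os.path.join(full, marker)) for marker in SVN_MARKERS
    )


def build_demo_root(base: str) -> str:
    """Construct a small fake deployment: a checkout at the root and a git clone under admin/."""
    root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, ".svn"))
    open(os.path.join(root, ".svn", "wc.db"), "wb").close()
    os.makedirs(os.path.join(root, "admin", ".git"))
    os.makedirs(os.path.join(root, "images"))
    open(os.path.join(root, "index.php"), "w").close()
    return root


def run_demo() -> Dict[str, bool]:
    """Audit the constructed tree; maps each exposed directory to 'history present'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_root(tmp)
        return {rel: is_dumpable_svn(root, rel) for rel in find_vcs_metadata(root)}


# A server-side rule that returns 404 for these paths even if they are not removed
# (nginx syntax, suggested here; place it inside the server block).
NGINX_DENY_RULE = r"location ~ /\.(svn|git|hg|bzr)(/|$) { return 404; }"

if __name__ == "__main__":
    for rel, dumpable in run_demo().items():
        flag = " (checkout history present)" if dumpable else ""
        print(f"exposed: {rel}{flag}")
    print("suggested rule:", NGINX_DENY_RULE)
```

Run it against the real document root instead of the demo tree by calling find_vcs_metadata("/var/www/html") (path assumed). Removing the directory from the deploy artifact is the real fix; the deny rule is the backstop for the next time someone deploys with a checkout instead of an export.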
From there I was able to find an unauthenticated SQL injection:
I was able to crack one of the passwords quickly, due to it being a four-character word, and log in with administrator privileges. This allowed me to upload a .php file.
File Upload Request and Response:
The .php file then executed, meaning I could upload a webshell and execute commands on the server.
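The upload check that failed here, and the blacklist that later let a .php3 file through, are the same design mistake: deciding what to forbid instead of what to allow. As an added example that is not the CMS's code, the block below puts a one-extension blacklist beside an allowlist that also checks the file's leading bytes and stores the upload under a random name. It assumes the feature only needs images and PDFs and that the server executes any extension it maps to PHP; the sample filenames and bytes are constructed.

```python
"""Upload filename validation: the extension blacklist beside an allowlist.

Added example; it is not the CMS's code. It assumes the upload feature only
needs to accept images and PDFs, and that the web server executes any file
whose extension it maps to PHP (.php, .php3, .phtml, ...), which is why
blocking ".php" alone does not stop code execution. Sample filenames and
file contents below are constructed.
"""
import os
import re
import secrets
from typing import Dict, Optional, Tuple

# ---- the kind of check that blocks shell.php but not shell.php3 ----
BLOCKED_EXTENSIONS = {".php"}


def blacklist_accepts(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


# ---- allowlist: decide what is permitted, treat everything else as hostile ----
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Leading bytes each permitted type must start with (extension -> signatures).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def allowlist_accepts(filename: str) -> bool:
    stem, ext = os.path.splitext(os.path.basename(filename))
    # A dot left in the stem means a second extension (shell.php.jpg); reject it
    # rather than guess which extension the server will honour.
    return STEM.match(stem) is not None and ext.lower() in ALLOWED_EXTENSIONS


def content_matches(ext: str, data: bytes) -> bool:
    """True when the file's first bytes agree with the claimed extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Name to store the upload under, or None if it is rejected.

    The client's stem is discarded entirely: the file is stored as a random
    token plus the allowlisted extension, so nothing attacker-chosen reaches
    the filesystem path.
    """
    if not allowlist_accepts(filename):
        return None
    ext = os.path.splitext(filename)[1].lower()
    if not content_matches(ext, data):
        return None
    return secrets.token_hex(16) + ext


# Constructed sample filenames, including the bypass shapes a blacklist misses.
SAMPLES = ["photo.jpg", "shell.php", "SHELL.PHP", "shell.php3",
           "shell.phtml", "shell.php.jpg", ".htaccess"]


def compare(names=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each filename to (blacklist verdict, allowlist verdict); True means accepted."""
    return {n: (blacklist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        bl_text = "accept" if bl else "reject"
        al_text = "accept" if al else "reject"
        print(f"{name:15} blacklist={bl_text:6} allowlist={al_text}")
```

The magic-byte check is a second, independent gate rather than a replacement for the extension allowlist: a PHP payload with a JPEG header passes the byte check but still cannot get a .php-family extension, and a real image with a .php3 name never gets stored.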
Yahoo ended up taking the site offline seven minutes after I was able to execute code. I reported every issue I found as I found it and didn't keep anything from them. I was emailing them to give them a heads up as well. I've always had a good relationship with Yahoo up until this point. They brought the site back up either the next day or the day after with the same passwords in place. I had unknowingly left JTR running in a tab on my desktop cracking the other passwords.
I logged in with another admin user and noticed they were blocking .php files. I was able to bypass this by uploading a php file with a .php3 extension. Hooray for blacklists, right? Again I had RCE on the server. I reported this issue again and wrote up some other vulnerabilities before they took the site down again. At the same time I was also looking at other snacktv.de sites and found two SSRFs. I reported these issues as well and they were marked as "not actually valid". IPv6 is valid! Just saying.
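"IPv6 is valid" is the point most server-side URL filters get wrong: they block 127.0.0.1 and 10.0.0.0/8 and never look at ::1, ::ffff:127.0.0.1 or a 6to4 address that embeds an internal IPv4. The block below is an added example, not code from the write-up or from any snacktv.de site. It validates an outbound fetch target by resolving the host, unwrapping the IPv6 transition forms, and requiring every record to be a public unicast address. The resolver is injectable, and DEMO_RECORDS is a constructed DNS table so the check runs offline.

```python
"""Outbound URL validation that treats IPv6 as a first-class case.

Added example; it is not code from the original write-up. It assumes the
application fetches user-supplied URLs server-side and that the only legitimate
destinations are public unicast hosts over http(s). The resolver is injectable
so the check runs offline here; DEMO_RECORDS is a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolver(host: str) -> List[str]:
    """Every A and AAAA record for host (performs a real lookup)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def unwrap_transition(addr: IPAddress) -> IPAddress:
    """Expose the IPv4 address hidden inside IPv4-mapped, 6to4 and Teredo IPv6 forms."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:      # ::ffff:127.0.0.1 -> 127.0.0.1
            return addr.ipv4_mapped
        if addr.sixtofour is not None:        # 2002:7f00:1::    -> 127.0.0.1
            return addr.sixtofour
        if addr.teredo is not None:           # 2001:0:...       -> (server, client)
            return addr.teredo[1]
    return addr


def address_is_public(raw: str) -> bool:
    try:
        addr = unwrap_transition(ipaddress.ip_address(raw))
    except ValueError:
        return False
    # is_global already excludes loopback, RFC 1918, link-local, ULA, documentation
    # and reserved space; multicast is excluded separately because older ipaddress
    # releases report IPv6 multicast as global.
    return addr.is_global and not addr.is_multicast and not addr.is_unspecified


def is_safe_fetch_target(url: str,
                         resolve: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    try:
        parts = urlsplit(url)
        host = parts.hostname   # brackets stripped from IPv6 literals, lowercased
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        try:
            candidates = list(resolve(host))
        except OSError:
            return False
    # Every record must pass: a dual-stack name with one internal AAAA record is rejected.
    return bool(candidates) and all(address_is_public(a) for a in candidates)


# Constructed DNS table standing in for the resolver during the demo.
DEMO_RECORDS = {
    "app.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "fd00::1"],
}


def demo_resolver(host: str) -> List[str]:
    if host not in DEMO_RECORDS:
        raise OSError(f"no records for {host}")
    return DEMO_RECORDS[host]


if __name__ == "__main__":
    for u in ["https://app.example/feed", "http://[::1]/", "http://[::ffff:127.0.0.1]/",
              "http://[2002:7f00:1::]/", "http://169.254.169.254/latest/",
              "http://dual.example/", "file:///etc/hosts"]:
        verdict = "allow" if is_safe_fetch_target(u, demo_resolver) else "block"
        print(f"{u:40} {verdict}")
```

The check is only as good as the address actually connected to: the fetch must be made to the address that passed validation (pin it into the HTTP client) rather than resolving the name a second time, and redirects need the same check on every hop.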
I would like to thank Yahoo for stringing me along for three weeks about these payouts just to mark everything out of scope except for the one out of seven .svn repos exposed that I reported to them during this time period.