YahooRemoteCodeExecutiononcms.snacktv.deBy:SeanMelia

Imanagedtochainanumberofbugstogetherinordertogetremotecodeexecutionandpaid$0fortheimpactfulones.Backstory:YahooacquiredMediaGroupOne(MGO)inDecember2014.InJanuary2016thisacquisitionwasofficiallyputinscope.

MGOacquiredSnackTVMediaandVerticalNetworkMediainSpring2013.(http://mediagroupone.de/en/company/history/)

SnackTVisrunby(now)Yahooemployees.GuesshowIknowthat.Entities:*.mediagroupone.de*.snacktv.de*.vertical-network.de*.vertical-n.de*.fabalista.cometc.etc.

TheFunStuffLoginpage:

FirstIfoundoutthathttp://cms.snacktv.dehadits.svndirectoryexposed.Thisallowedmetousesvn-extractor.pytodumpallthesourcecode:

FromthereIwasabletofindanunauthenticatedSQLinjection:

Iwasabletocrackoneofthepasswordsquickly,duetoitbeingafour-characterword,andloginwithadministratorprivileges.Thisallowedmetouploada.phpfile

FileUploadRequestandResponse:

The.phpfilethenexecutedmeaningIcoulduploadawebshellandexecutecommandsontheserver

YahooendeduptakingthesiteofflinesevenminutesafterIwasabletoexecutecode.IreportedeveryissueIfoundasIfounditanddidn’tkeepanythingfromthem.Iwasemailingthemtogivethemaheadsupaswell.I’vealwayshadagoodrelationshipwithYahooupuntilthispoint.Theybroughtthesitebackupeitherthenextdayorthedayafterwiththesamepasswordsinplace.IhadunknowinglyleftJTRrunninginatabonmydesktopcrackingtheotherpasswords.

Iloggedinwithanotheradminuserandnoticedtheywereblocking.phpfiles.Iwasabletobypassthisbyuploadingaphpfilewitha.php3extension.Hoorayforblacklists,right?AgainIhadRCEontheserver.Ireportedthisissueagainandwroteupsomeothervulnerabilitiesbeforetheytookthesitedownagain.AtthesametimeIwasalsolookingatothersnacktv.desitesandfoundtwoSSRFs.Ireportedtheseissuesaswellandtheyweremarkedas“notactuallyvalid”.IPv6isvalid!Justsaying.

IwouldliketothankYahooforstringingmealongforthreeweeksaboutthesepayoutsjusttomarkeverythingoutofscopeexceptfortheoneoutofseven.svnreposexposedthatIreportedtothemduringthistimeperiod.