Yahoo Remote Code Execution on cms.snacktv.de By: Sean Melia I managed to chain a number of bugs together in order to get remote code execution and paid $0 for the impactful ones. Backstory: Yahoo acquired Media Group One (MGO) in December 2014. In January 2016 this acquisition was officially put in scope. MGO acquired SnackTV Media and Vertical Network Media in Spring 2013. (http://mediagroupone.de/en/company/history/)
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
YahooRemoteCodeExecutiononcms.snacktv.deBy:SeanMelia
Imanagedtochainanumberofbugstogetherinordertogetremotecodeexecutionandpaid$0fortheimpactfulones.Backstory:YahooacquiredMediaGroupOne(MGO)inDecember2014.InJanuary2016thisacquisitionwasofficiallyputinscope.
MGOacquiredSnackTVMediaandVerticalNetworkMediainSpring2013.(http://mediagroupone.de/en/company/history/)
SnackTVisrunby(now)Yahooemployees.GuesshowIknowthat.Entities:*.mediagroupone.de*.snacktv.de*.vertical-network.de*.vertical-n.de*.fabalista.cometc.etc.
TheFunStuffLoginpage:
FirstIfoundoutthathttp://cms.snacktv.dehadits.svndirectoryexposed.Thisallowedmetousesvn-extractor.pytodumpallthesourcecode:
FromthereIwasabletofindanunauthenticatedSQLinjection:
Iwasabletocrackoneofthepasswordsquickly,duetoitbeingafour-characterword,andloginwithadministratorprivileges.Thisallowedmetouploada.phpfile
FileUploadRequestandResponse:
The.phpfilethenexecutedmeaningIcoulduploadawebshellandexecutecommandsontheserver
YahooendeduptakingthesiteofflinesevenminutesafterIwasabletoexecutecode.IreportedeveryissueIfoundasIfounditanddidn’tkeepanythingfromthem.Iwasemailingthemtogivethemaheadsupaswell.I’vealwayshadagoodrelationshipwithYahooupuntilthispoint.Theybroughtthesitebackupeitherthenextdayorthedayafterwiththesamepasswordsinplace.IhadunknowinglyleftJTRrunninginatabonmydesktopcrackingtheotherpasswords.
Iloggedinwithanotheradminuserandnoticedtheywereblocking.phpfiles.Iwasabletobypassthisbyuploadingaphpfilewitha.php3extension.Hoorayforblacklists,right?AgainIhadRCEontheserver.Ireportedthisissueagainandwroteupsomeothervulnerabilitiesbeforetheytookthesitedownagain.AtthesametimeIwasalsolookingatothersnacktv.desitesandfoundtwoSSRFs.Ireportedtheseissuesaswellandtheyweremarkedas“notactuallyvalid”.IPv6isvalid!Justsaying.
IwouldliketothankYahooforstringingmealongforthreeweeksaboutthesepayoutsjusttomarkeverythingoutofscopeexceptfortheoneoutofseven.svnreposexposedthatIreportedtothemduringthistimeperiod.
Related Documents
