Single RCE Vulnerability affects Yahoo, Microsoft and Orange

Today, a security researcher bypassed the security of several tech firms with a single vulnerability. The researcher, Ebrahim Hegazy, a.k.a. Zigoo, discovered a Remote Code Execution (RCE) vulnerability on one of Yahoo's domains that allowed him to hack Yahoo along with Microsoft and Orange.

Ebrahim was hunting for security loopholes in Yahoo domains, and one of the sub-domains allowed him to upload .aspx files, which led to the hack of Microsoft and Orange too.

In his blog post he explained the process: he had found an admin panel on one of the Yahoo sub-domains that did not even ask for login credentials and thus allowed unauthorized admin access. You can see the screenshot of the admin panel below...

This admin panel allowed him to upload an .aspx file to the server by sending a POST request to the URL "http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx" with the following POST content: "FileName=New_File_Name.aspx&FileContent=File_Content_Here".


As a test, Ebrahim uploaded a file called 'zigoo.aspx' with 'zigoo' as its content. After checking, he found the sites below on the same server:
#Yahoo:
http://pe.horoscopo.yahoo.net , http://mx.horoscopo.yahoo.net , http://ar.horoscopo.yahoo.net
http://co.horoscopo.yahoo.net , http://cl.horoscopo.yahoo.net , http://espanol.horoscopo.yahoo.net
#Microsoft MSN:
http://astrocentro.latino.msn.com/ , http://astrologia.latino.msn.com/ , http://horoscopo.es.msn.com/
http://horoscopos.prodigy.msn.com
#Orange:
http://astrocentro.mujer.orange.es
An interesting thing about this vulnerability is that the page created on the Yahoo domain was reflected on the other domains as well. Ebrahim explained the reason as follows:
"It’s A CDN (Content Delivery Network) Service for astrology that caches the same content to render it for the sub domains of that mentioned vulnerable domains, So all files on one domain will be shown on all other domains on the server."
As a PoC, the researcher made a video demonstration of the vulnerability.
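
For defenders, the pattern described above (an unauthenticated POST to a file-generating page, followed by a new .aspx page being served on several hosts that share the same content) can be looked for in IIS logs. The following Python example is added here and is not part of the original post or the researcher's write-up; the log sample, the `.example` hostnames, the field layout and the `WRITE_ENDPOINTS` and `SCRIPT_EXTS` lists are constructed assumptions.

```python
from collections import defaultdict

# Assumptions for this example: endpoints that write files, and script extensions.
WRITE_ENDPOINTS = ("/generatefile.aspx",)
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Constructed IIS W3C log sample (hostnames and times are made up).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username cs-host sc-status
2014-01-01 10:00:01 GET /index.aspx - mx.horoscopo.example 200
2014-01-01 10:00:05 GET /ymx/editor/inc/GenerateFile.aspx - mx.horoscopo.example 200
2014-01-01 10:00:09 POST /ymx/editor/inc/GenerateFile.aspx - mx.horoscopo.example 200
2014-01-01 10:00:20 GET /ymx/editor/newfile.aspx - mx.horoscopo.example 200
2014-01-01 10:00:31 GET /ymx/editor/newfile.aspx - pe.horoscopo.example 200
2014-01-01 10:00:40 GET /index.aspx - pe.horoscopo.example 200
2014-01-01 10:01:00 POST /ymx/editor/inc/GenerateFile.aspx editor1 mx.horoscopo.example 200
2014-01-01 10:01:10 GET /missing.aspx - mx.horoscopo.example 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_suspicious(text):
    """Return (anonymous writes, {new script path: hosts that served it})."""
    anon_writes, new_scripts = [], defaultdict(set)
    known, armed = set(), False
    for r in parse_w3c(text):
        path = r["cs-uri-stem"].lower()
        if not r["sc-status"].startswith("2"):
            continue  # only successful requests matter here
        if path.endswith(WRITE_ENDPOINTS):
            # IIS logs omit the POST body, so the written file name is unknown here.
            if r["cs-method"] == "POST" and r["cs-username"] == "-":
                anon_writes.append((r["date"], r["time"], r["cs-host"]))
                armed = True
        elif path.endswith(SCRIPT_EXTS):
            if not armed:
                known.add(path)          # baseline: scripts seen before any write
            elif path not in known:
                new_scripts[path].add(r["cs-host"])
    return anon_writes, {p: sorted(h) for p, h in new_scripts.items()}

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

A script path that first appears after an anonymous write and is then served by more than one host matches the shared-content behaviour the researcher describes.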



The researcher reported the vulnerability to the Yahoo security team. Although he discovered the vulnerability on a .net domain of Yahoo, which is not covered by Yahoo's bug bounty program, the Yahoo team appreciated his work and rewarded him with some bounty. Microsoft did not give any reward for his report.

This is not the first time that Ebrahim has discovered an RCE vulnerability on Yahoo. Earlier this year, he reported an RCE vulnerability to Yahoo.