Yahoo Remote Code Execution Snack · PDF file · 2016-02-06
Yahoo Remote Code Execution on cms.snacktv.de
By: Sean Melia
I managed to chain a number of bugs together in order to get remote code execution and was paid $0 for the impactful ones.
Backstory: Yahoo acquired Media Group One (MGO) in December 2014. In January 2016 this acquisition was officially put in scope.
MGO acquired SnackTV Media and Vertical Network Media in Spring 2013. (http://mediagroupone.de/en/company/history/)
SnackTV is run by (now) Yahoo employees. Guess how I know that.
Entities:
*.mediagroupone.de
*.snacktv.de
*.vertical-network.de
*.vertical-n.de
*.fabalista.com
etc. etc.
The Fun Stuff
Login page:
First I found out that http://cms.snacktv.de had its .svn directory exposed. This allowed me to use svn-extractor.py to dump all the source code:
From there I was able to find an unauthenticated SQL injection:
I was able to crack one of the passwords quickly, due to it being a four-character word, and log in with administrator privileges. This allowed me to upload a .php file.
File Upload Request and Response:
The .php file then executed, meaning I could upload a web shell and execute commands on the server.
Yahoo ended up taking the site offline seven minutes after I was able to execute code. I reported every issue I found as I found it and didn't keep anything from them. I was emailing them to give them a heads up as well. I've always had a good relationship with Yahoo up until this point. They brought the site back up either the next day or the day after with the same passwords in place. I had unknowingly left JTR running in a tab on my desktop cracking the other passwords.
I logged in with another admin user and noticed they were blocking .php files. I was able to bypass this by uploading a php file with a .php3 extension. Hooray for blacklists, right? Again I had RCE on the server. I reported this issue again and wrote up some other vulnerabilities before they took the site down again. At the same time I was also looking at other snacktv.de sites and found two SSRFs. I reported these issues as well and they were marked as “not actually valid”. IPv6 is valid! Just saying.
I would like to thank Yahoo for stringing me along for three weeks about these payouts just to mark everything out of scope except for the one out of seven .svn repos exposed that I reported to them during this time period.
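
The .php3 bypass described above is what an extension blacklist invites. As an added example (not code from the original write-up or from the CMS), the following Python puts such a blacklist beside an allowlist check that also discards the client-supplied file name. The extension sets, function names and sample file names are assumptions made for illustration.

```python
import os
import secrets
from typing import Optional

# "Before": a blacklist like the one the write-up describes (blocks .php only).
BLACKLIST = {".php"}

# "After": the only extensions this hypothetical CMS needs to accept (assumption).
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".mp4"}


def blacklist_accepts(filename: str) -> bool:
    """Weak check: rejects only the extensions someone thought to list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def allowlist_stored_name(filename: str) -> Optional[str]:
    """Return the server-generated name to store the upload under, or None to reject.

    The final extension must be on the allowlist, and the client-supplied base
    name is thrown away, so components such as "x.php3.jpg" or a leading-dot
    name like ".htaccess" never reach the disk.
    """
    # Drop any path components and trailing dots/spaces before reading the extension.
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWLIST:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names, not taken from the original report.
    samples = ["report.php", "report.PHP", "report.php3",
               ".htaccess", "x.php3.JPG", "photo.jpg."]
    for name in samples:
        print(f"{name!r:14} blacklist_accepts={blacklist_accepts(name)!s:5} "
              f"stored_as={allowlist_stored_name(name)}")
```

Extension checks are one layer only; serving the upload directory with script execution disabled covers the case where a check is missed.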