Security Experts:

Yahoo Fixes RCE Flaw Leading to Root Server Access

A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company's servers.

The Egyptian security researcher Ebrahim Hegazy has analyzed the "innovationjockeys.yahoo.net" domain, which is used to host a contest whose goal is to find "India's most innovative minds across campuses." The researcher initially uncovered an SQL Injection vulnerability on one of the website's pages.

By exploiting this security hole, Hegazy managed to gain access to the site's databases, which included login credentials for an administration panel. The administrator password was encoded in Base64, but the researcher said he was able to decode it.

After identifying the administrator login page, hosted at "innovationjockeys.yahoo.net/admin," the expert accessed it using the username and password found in the site's database. Once he obtained access to the administration panel, Hegazy looked for a file upload page in an attempt to execute arbitrary code on the server.

He quickly identified the file upload page, but the PHP files he had uploaded were assigned a "xrds+xml" extension due to the fact that the "Content-Type" header had the value "application/xrds+xml”. By renaming the header in his request to "application/php", the researcher managed to get his PHP file onto the server.

After finding the remote code execution (RCE) vulnerability, gaining root access to the server was not difficult because the kernel had not been updated since 2012. Hegazy leveraged a local root exploit vulnerability to achieve the task.

The expert reported his findings to Yahoo on September 5, and the company addressed the issue two days later. It appears Yahoo has fixed the issue by restricting access to the administration panel and the page containing the SQL injection vulnerability.

While these are critical vulnerabilities, Yahoo has informed the researcher that his findings are not eligible for a reward.

"I find it very strange that Yahoo did not pay a bounty for such Critical bug even if it falls outside the scope. Yahoo pays for Critical vulnerabilities in Out of Scope domains. If a SQLI to RCE to Root Privilege is not a Critical bug, then what could be?!" Hegazy said in a blog post.

This isn't the first time a researcher gains access to an administration panel on a Yahoo-powered website. Last month, Nathaniel Wakelam, an Australian security researcher who works as a consultant at RMSEC, told SecurityWeek that he had leveraged a non-technical bug to access an admin panel used internally by Yahoo staff.

In June,  California-based security researcher Behrouz Sadeghipour found a vulnerability in the Yahoo Toolbar that generated a stored cross-site scripting (XSS) flaw on several high-profile websites, including Twitter, Amazon, Google and YouTube.

 

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.