Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Yahoo Fixes RCE Flaw Leading to Root Server Access

A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company’s servers.

A researcher has identified a series of vulnerabilities on a Yahoo service that ultimately allowed him to gain root access to one of the company’s servers.

The Egyptian security researcher Ebrahim Hegazy has analyzed the “innovationjockeys.yahoo.net” domain, which is used to host a contest whose goal is to find “India’s most innovative minds across campuses.” The researcher initially uncovered an SQL Injection vulnerability on one of the website’s pages.

By exploiting this security hole, Hegazy managed to gain access to the site’s databases, which included login credentials for an administration panel. The administrator password was encoded in Base64, but the researcher said he was able to decode it.

After identifying the administrator login page, hosted at “innovationjockeys.yahoo.net/admin,” the expert accessed it using the username and password found in the site’s database. Once he obtained access to the administration panel, Hegazy looked for a file upload page in an attempt to execute arbitrary code on the server.

He quickly identified the file upload page, but the PHP files he had uploaded were assigned a “xrds+xml” extension due to the fact that the “Content-Type” header had the value “application/xrds+xml”. By renaming the header in his request to “application/php”, the researcher managed to get his PHP file onto the server.

After finding the remote code execution (RCE) vulnerability, gaining root access to the server was not difficult because the kernel had not been updated since 2012. Hegazy leveraged a local root exploit vulnerability to achieve the task.

The expert reported his findings to Yahoo on September 5, and the company addressed the issue two days later. It appears Yahoo has fixed the issue by restricting access to the administration panel and the page containing the SQL injection vulnerability.

While these are critical vulnerabilities, Yahoo has informed the researcher that his findings are not eligible for a reward.

Advertisement. Scroll to continue reading.

“I find it very strange that Yahoo did not pay a bounty for such Critical bug even if it falls outside the scope. Yahoo pays for Critical vulnerabilities in Out of Scope domains. If a SQLI to RCE to Root Privilege is not a Critical bug, then what could be?!” Hegazy said in a blog post.

This isn’t the first time a researcher gains access to an administration panel on a Yahoo-powered website. Last month, Nathaniel Wakelam, an Australian security researcher who works as a consultant at RMSEC, told SecurityWeek that he had leveraged a non-technical bug to access an admin panel used internally by Yahoo staff.

In June,  California-based security researcher Behrouz Sadeghipour found a vulnerability in the Yahoo Toolbar that generated a stored cross-site scripting (XSS) flaw on several high-profile websites, including Twitter, Amazon, Google and YouTube.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.