Oath: Local File Include on marketing-dam.yahoo.com

ID H1:7779
Type hackerone
Reporter redshark1802
Modified 2014-05-16T17:58:40


Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program. Local File Include vulnerability on marketing-dam.yahoo.com

The vulnerable end-point is marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=, usually the get parameter for dlurl looks like this: 8lcO%3A%2F%2F0w.QbN.0.*Q%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3DaR9UU_hI-q5_UjP.W7U When this get-parameter is url-decoded, the follwing "sub"get-parameter are visible: z8A, Ujd, hj. The vulnerable parameter is hj, which is usually encrypted and reflected as the filename to be downloaded.

The parameter is encoded using ecb-encryption with a blocksize of 32 characters-

I've mapped the chracters using requests like this 'aaaaaaaaaa...'(32 characters) and the server responded with: 'aTYUYTSaTZUYVZTaUZVYWWXTZVYXUTZS'. Now when I want to insert a 'T' at position 2 of the block I knew I had to use the charcter 'a'.

This way I was able to craft encrypted strings on the fly (see Steps to reproduce and my attached poc) which were decrypted by the server and directly used to load the file from the filesystem.

Since the webserver used to serve the files is running as root, I was able to actually read not just the usal /etc/passwd but /etc/shadow. Unfortunately, I was not able to get code execution on the server, but given enough time an attacker could quite surely exfiltrate enough informaton from the system (since the server is running as root) to perform remote code execution.

Steps to reproduce: got to https://brandtoolkit.yahoo.com/ and request a download for any file the download popup should appear, take the url and save it for later

Use my poc to encrypt the following string: /../../../../../../../../etc/passwd, or use this already encrypted string /../../../../../../../../79d/zGcIwd (Please note that this poc is writen with node-js in mind, but the function ecnrypt should run in any other js-environment as long as you copy the blocks object with it) replace the string after hj%3D with the encrypted string in the saved download-url after executing the "download" you will see the contents of /etc/passwd

Since I don't want to post any critical information that could be used after the vulnerability has been fixed I'm not attaching the /etc/passwd file, but I'm going to give you the length of the file, which is 610. This way you can probably more quickly verify this vulnerability.