Single RCE Vulnerability that affects Microsoft, Yahoo and Orange

Ebrahim Hegazy, a Bug Bounty Hunter from Egypt, has identified a security vulnerability that allowed him to hack Microsoft, Yahoo and Orange.

While he is on the hunt for a security bug in Yahoo domains, he found a web page that allowed him to upload .aspx file and modify the existing aspx files. 

You can just create a new file by sending POST request to the URL " http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx" with the following post content: "FileName=New_File_Name.aspx&FileContent=File_Content_Here".

Ebrahim has simply uploaded a file called 'zigoo.aspx' with 'zigoo' as content.  To find out other Yahoo domains that were affected by the same vulnerability, researcher did a Bing search.

The following domains were also affected by this bug: **.horoscopo.yahoo.net, astrocentro.latino.msn.com, horoscopo.es.msn.com, astrologia.latino.msn.com, horoscopos.prodigy.msn.com and astrocentro.mujer.orange.es.

Interesting fact about this vulnerability is that the page created in Yahoo domain reflected in other domains also.

"It’s A CDN(Content Delivery Network) Service for astrology that cashes the same content to render it for the sub domains of that mentioned vulnerable domains, So all files on one domain will be shown on all other domains on the server." Researcher says.

After reporting to Yahoo, Yahoo has rewarded the researcher with some bounty.  As usual, Microsoft didn't give any reward to the researcher.

Earlier this year, Ebrahim discovered a critical Remote PHP Code Injection vulnerability in one of the Yahoo domains. 

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo

PHP Code Injection vulnerability

 A Web application penetration tester, Ebrahim Hegazy, has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could allowed hackers to inject and execute any php code on the Yahoo server.

The vulnerability exists in the Taiwan sub-domain of the Yahoo "
http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]".  The 'sid' parameter allows to inject PHP code.

According to his blog post, the sid parameter might have been directly passed to an eval() function that results in the code Injection.

In his demo, Ebrahim showed how he to get the directories list and process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“dir”))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“ps”))}

He also found out that Yahoo server is using an outdated kernel which is vulnerable to "Local Privilege escalation" vulnerability.

Yahoo immediately fixed the issue after getting the notification from the researcher.  However, he is still waiting for the Bug bounty reward for the bug.  Google pays $20,000 for such kind of vulnerabilities. Yahoo sets the maximum bounty amount as "$15,000".  Let us see how much bounty Yahoo offers for this vulnerability.

POC Video:


Last month, German Security researcher David Vieira-Kurz discovered similar remote code execution vulnerability in the Ebay website.