Categories: Hacking

Remote code injection in Microsoft, Yahoo and Orange subdomains

Security researcher Ebrahim Hegazy has identified a remote code injection vulnerability affecting several subdomains of Microsoft, Yahoo, Orange and others. Fortunately, the security Vulnerability has been fixed.

While participating in the Yahoo Bug Bounty program, Hegazy has found a “Unauthorized Admin Access” Vulnerability in one of Yahoo domains “mx.horoscopo.yahoo.net.”, that vulnerability led him to find “Remote Code Injection” Vulnerability where he can create ASPX files on the server, Remote Code Injection Vulnerabilities allow attackers to create files with the ability to run system commands on the vulnerable servers, also to edit the files and read data from Databases hosted on the vulnerable server.

Once he identified the remote code injection vulnerability, he attempted to determine if other Yahoo subdomains were affected. Much to his surprise, he found that also subdomains of Microsoft’s MSN and French telecoms company Orange is Vulnerable to the same Vulnerability.

The affected subdomains were for horoscopes and astrology service and below is the list of the vulnerable domains:
#Yahoo:
http://pe.horoscopo.yahoo.net
http://mx.horoscopo.yahoo.net
http://ar.horoscopo.yahoo.net
http://co.horoscopo.yahoo.net
http://cl.horoscopo.yahoo.net
http://espanol.horoscopo.yahoo.net
#Microsoft MSN:
http://astrocentro.latino.msn.com/
http://astrologia.latino.msn.com/
http://horoscopo.es.msn.com/
http://horoscopos.prodigy.msn.com
#Orange:
http://astrocentro.mujer.orange.es

“The shocking thing here is that I don’t have to upload/create my page on every domain to make a good POC! Because once I created that page on one of the Yahoo domains mentioned above, I found that my page has been created on ALL SITES hosted on the same server, Yahoo, MSN, Orange and others,” Researcher noted.

“Imagine a Black-Hat with this vulnerability, creating his ‘Iframed’ aspx page with its malicious content on such highly ranked/trusted domains of Yahoo.net MSN.com Orange.es and more!!” he adds.

Hegazy posted below video as a Proof Of Concept for the Vulnerability:
He reported the found vulnerability to Microsoft and they fixed the vulnerability without appropriate reward to his report, same thing with Orange, But Yahoo has rewarded the researcher for his report despite that vulnerabilities in Yahoo.net is out of the scope for Yahoo bug bounty Program.

For additional technical details on these vulnerabilities, visit Hegazy’s blog post.

Pierluigi Paganini

(Security Affairs – hacking, remote code injection)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.