
Yahoo SQL Injection flaw allows Remote Code Execution and privilege escalation

The Egyptian hacker Ebrahim Hegazy has discovered a critical SQL injection flaw in a Yahoo service that could be exploited to achieve remote code execution and, from there, root privileges on the server.

My readers know the Egyptian hacker Ebrahim Hegazy very well: he is a great security expert and a friend of mine, and he has disclosed numerous critical flaws in some of the most popular web services, including those of Microsoft, Yahoo and Orange.

His latest discovery is a SQL injection in a Yahoo service that an attacker could exploit to achieve remote code execution and then escalate to root privileges on one of Yahoo's servers.

As explained in his blog post, Ebrahim started his analysis from the domain http://innovationjockeys.yahoo.net/. While examining the HTTP POST requests sent by the application, he noticed a parameter that looked like a candidate for SQL injection:

http://innovationjockeys.net/tictac_chk_req.php
POST:
f_id=9631

After a few manual tests, and with the help of SQLMap, the hacker confirmed the presence of the flaw in the Yahoo system:

http://innovationjockeys.net/tictac_chk_req.php
POST:
f_id=-9631' OR (2777=2777)#
Available Databases:
[*] information_schema
[*] innovation******* #Hiding dbnames for Yahoo privacy.
[*] web****

Reading data out of the database through the SQL injection was trivial for the expert. Once he had retrieved the administrator credentials from the database he was able to decode them immediately: the password was stored merely Base64-encoded rather than hashed, and Base64 is a reversible encoding, not a form of protection.
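The two weaknesses described so far (a POST parameter concatenated into SQL, and an admin password "protected" with Base64) can be reproduced side by side with their fixes. The following is an added example written for this article, not code from Ebrahim's post or from the Yahoo application: the tables, column names and rows are a constructed stand-in for the real MySQL backend, only the parameter name f_id comes from the original request, and SQLite is used so that it runs offline. The page's payload ends in `#`, which is MySQL's comment marker; SQLite needs `-- ` instead, with the same effect.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the site's MySQL backend (hypothetical schema).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE requests (f_id INTEGER PRIMARY KEY, requester TEXT);
        INSERT INTO requests VALUES (9631, 'alice'), (9632, 'bob');
        CREATE TABLE admins (username TEXT, password TEXT);
        -- The admin password as the post describes it: Base64, not a hash.
        INSERT INTO admins VALUES ('admin', 'QmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9u');
        """
    )
    return conn

# Same shape as the payload in the post, with SQLite's '-- ' in place of MySQL's '#'.
INJECTION = "-9631' OR (2777=2777)-- "

def lookup_vulnerable(conn: sqlite3.Connection, f_id: str) -> List[Tuple[int, str]]:
    """Reconstruction of what tictac_chk_req.php must be doing: the POST value is
    pasted straight into the SQL string, so the quote inside f_id closes the
    literal and everything after it is executed as SQL."""
    sql = f"SELECT f_id, requester FROM requests WHERE f_id = '{f_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, f_id: str) -> List[Tuple[int, str]]:
    """Hardened form: the value is bound as a parameter, so it is compared as data
    and can never change the shape of the statement."""
    sql = "SELECT f_id, requester FROM requests WHERE f_id = ?"
    return conn.execute(sql, (f_id,)).fetchall()

def read_admin_password(conn: sqlite3.Connection) -> str:
    """What the attacker pulls out once he can run arbitrary SELECTs."""
    row = conn.execute("SELECT password FROM admins WHERE username = 'admin'").fetchone()
    return row[0]

def decode_stored_password(stored: str) -> str:
    """Base64 reverses with one library call: storing a password this way is
    equivalent to storing it in clear text."""
    return base64.b64decode(stored).decode()

def hash_password(password: str, salt: bytes) -> bytes:
    """What the admins table should hold instead: a salted, deliberately slow hash
    (PBKDF2-HMAC-SHA256, 200k iterations). A dump then yields nothing usable directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

if __name__ == "__main__":
    db = build_db()
    print("normal:       ", lookup_vulnerable(db, "9631"))
    print("injected:     ", lookup_vulnerable(db, INJECTION))   # every row comes back
    print("parameterised:", lookup_safe(db, INJECTION))         # nothing matches
    print("admin password:", decode_stored_password(read_admin_password(db)))
    salt = os.urandom(16)
    print("hash verifies:", verify_password("hunter2", salt, hash_password("hunter2", salt)))
```

With the injected value the vulnerable query degenerates to `WHERE f_id = '-9631' OR (2777=2777)`, which is true for every row; the same string bound as a parameter simply matches nothing. The Base64 "password" is recovered in one call, which is why the second half of the block shows what a stored credential should look like instead.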

Ebrahim then used the credentials to access the admin panel he had discovered. In his own words:

1- Admin panel found on: http://innovationjockeys.yahoo.net/admin/

2- I found the Administrator Password stored in the database and it was encoded as Base64

Good, I’ve decoded the Administrator Password, Logged in to the Admin panel.

At this point the expert tried to obtain remote code execution by uploading his own content.

“That said, I’ve found an upload page, but after uploading a file with the “phpinfo();” function as content, I found that my uploaded file was named as: page_d03b042780c5071521366edc01e52d3d.xrds+xml instead of being page_d03b042780c5071521366edc01e52d3d.php?!” states Hegazy in the blog post.

Inspecting the upload request, the expert found the cause of the problem in the “Content-Type” header: the server apparently derives the extension of the stored file from the MIME subtype the client sends, rather than from an allow-list or from the file's actual contents.

Changing the “Content-Type” header to “application/php” solved the problem: the file was stored with a .php extension, and his upload became executable PHP code on the server.
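The naming behaviour the post describes, and the way an upload handler should behave instead, can be shown together. What follows is an added example written for this article, not the Yahoo site's code: the vulnerable function is a reconstruction of the observed behaviour (extension copied from the client's MIME subtype), and the allow-list of image types, extensions and magic bytes in the hardened version is an assumption about what such a form should accept.

```python
import re
from typing import Optional

# Hypothetical allow-list for an image upload form: the MIME type the client claims,
# the extension the server will assign, and the magic bytes the content must start with.
ALLOWED_TYPES = {
    "image/png":  ("png", (b"\x89PNG\r\n\x1a\n",)),
    "image/jpeg": ("jpg", (b"\xff\xd8\xff",)),
    "image/gif":  ("gif", (b"GIF87a", b"GIF89a")),
}
EXTENSION_ALIASES = {"png": {"png"}, "jpg": {"jpg", "jpeg"}, "gif": {"gif"}}

def stored_name_vulnerable(content_type: str, token: str) -> str:
    """Reconstruction (not the site's code) of the behaviour the post describes:
    the saved extension is whatever follows the '/' in the client-supplied
    Content-Type, so 'application/xrds+xml' yields '.xrds+xml' and
    'application/php' yields '.php', which the web server will execute."""
    subtype = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return f"page_{token}.{subtype}"

def stored_name_hardened(content_type: str, filename: str, data: bytes,
                         token: str) -> Optional[str]:
    """Hardened form. Content-Type and filename are untrusted hints that must agree
    with the allow-list and with the bytes actually uploaded; the stored name and
    extension are chosen server-side. Returns None to reject the upload."""
    entry = ALLOWED_TYPES.get(content_type.split(";", 1)[0].strip().lower())
    if entry is None:
        return None                      # application/php, text/html, ...: not an image
    ext, magics = entry
    client_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if client_ext not in EXTENSION_ALIASES[ext]:
        return None                      # shell.php sent with an image Content-Type
    if not any(data.startswith(m) for m in magics):
        return None                      # PHP source sent with an image Content-Type
    if not re.fullmatch(r"[0-9a-f]{32}", token):
        return None                      # only a server-generated hex token, no path tricks
    return f"page_{token}.{ext}"

if __name__ == "__main__":
    token = "d03b042780c5071521366edc01e52d3d"
    php = b"<?php phpinfo(); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(stored_name_vulnerable("application/xrds+xml", token))   # .xrds+xml, as observed
    print(stored_name_vulnerable("application/php", token))        # .php: code execution
    print(stored_name_hardened("application/php", "page.php", php, token))  # None
    print(stored_name_hardened("image/png", "pic.png", php, token))         # None
    print(stored_name_hardened("image/png", "pic.png", png, token))         # page_....png
```

Even with these checks, uploads belong in a directory the web server will not execute scripts from (ideally outside the document root, served through a handler that sets `X-Content-Type-Options: nosniff`), so that a bypass of the filter does not turn directly into code execution.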

Having demonstrated both the SQL injection and the remote code execution, Ebrahim closed his post by explaining how he gained root access on the targeted server. He found that the server's kernel had last been updated in 2012, which is remarkable; with such an old, unpatched kernel, escalating to root through a local root exploit was straightforward.

Below is the timeline of the vulnerability disclosure:

2014-09-05 Initial report to Yahoo

2014-09-06 Yahoo confirmed the vulnerability

2014-09-07 Yahoo Fixed the Vulnerability

2014-09-19 Yahoo informed me that this vulnerability is not eligible for a reward!!!

Let me close with a polemical observation: how is it possible that a Yahoo server has gone unpatched since 2012? Why did Yahoo not pay a bounty for such a critical bug, even if the domain falls outside the program's scope? Does Yahoo not consider a SQL injection leading to RCE and root privileges a critical bug?

Pierluigi Paganini

(Security Affairs – Yahoo, Sql Injection)
