-->

Follow Me

Thursday 30 January 2014

Remote code execution bug in Yahoo servers leads to root access

Another now-closed bug in Yahoo's servers have revealed that it was running an old server kernel allowing root access to its system, according to security researcher Ebrahim Hegazy.
Hegazy found that by manipulating one of the parameters in the URLs used in Yahoo Mail, he could cause the server to execute system commands remotely.
On Yahoo's end, the parameter is used within a php eval() function, which takes a strings (the parameter Hegazy manipulated) and executes it as php code. The documentation for the php function explicitly warns against its use where possible, and where there is no other option, that the string passed to eval() is validated carefully.
This validation process appears not to have happened, with Hegazy able to use a combination of print() and system() functions to execute commands and return the results.
At this point, Hegazy was able to execute any code with the same privileges as the account start started the web server, including listing running processes, logged in users, and directory contents.
However, he later discovered that the server kernel being used was outdated and contained a vulnerability that would have allowed him to escalate the privileges of the web server account and gain root access.
Hegazy reported his findings to Yahoo on January 20 and the next day they responded and issued a fix.
The vulnerability comes only a week after it was revealed that Facebook too had a vulnerability that could have allowed for remote code execution on its servers.
In that case, Facebook closed the hole within hours and paid the researcher US$33,500.
Yahoo has emailed Hegazy, stating that if his bug falls within the scope of its bug bounty, someone will soon be in contact about a reward.
SOURCE: ZDnet


previous article
Newer Post
next article
Older Post



Post a Comment

Name

Email *

Message *