Another now-closed bug in Yahoo's servers has revealed that it was running an old server kernel that allowed root access to its system, according to security researcher Ebrahim Hegazy.

Hegazy found that by manipulating one of the parameters in the URLs used in Yahoo Mail, he could cause the server to execute system commands remotely.
On Yahoo's end, the parameter is used within a PHP eval() function, which takes a string (the parameter Hegazy manipulated) and executes it as PHP code. The documentation for the PHP function explicitly warns against its use wherever possible and, where there is no alternative, recommends that the string passed to eval() be validated carefully.

This validation appears not to have happened, and Hegazy was able to use a combination of print() and system() functions to execute commands and return the results.
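The general shape of the bug described above, as an added example that is not Yahoo's code: a URL parameter reaching eval() directly, beside a replacement that removes eval() and dispatches through a fixed allowlist. The parameter name `action`, the handler names and the sample inputs are hypothetical.

```php
<?php
// Added example, not from the original article or from Yahoo's code base.
// Parameter name, handler names and inputs are constructed for illustration.

// VULNERABLE: whatever arrives in ?action=... is evaluated as PHP, so the
// caller runs arbitrary code with the web server account's privileges.
function handle_vulnerable(array $query): string
{
    $code = $query['action'] ?? '';
    ob_start();
    eval($code);                       // user input executed as PHP code
    return (string) ob_get_clean();
}

// HARDENED: no eval() at all. The parameter selects one entry from a fixed
// allowlist of handlers; anything not listed is rejected before any execution.
const ALLOWED_ACTIONS = [
    'inbox' => 'render_inbox',
    'sent'  => 'render_sent',
];

function render_inbox(): string { return 'inbox view'; }
function render_sent(): string  { return 'sent view'; }

function handle_hardened(array $query): string
{
    $action = $query['action'] ?? '';
    // Validate by allowlist key; the value is never interpolated into code,
    // and non-string input (e.g. action[]=x) is rejected as well.
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return 'invalid action';
    }
    return ALLOWED_ACTIONS[$action]();
}

// Constructed inputs: a listed value is dispatched, an unlisted one is
// refused. With the vulnerable handler any string would be executed instead.
$listed   = ['action' => 'inbox'];
$unlisted = ['action' => 'settings'];
echo handle_hardened($listed), "\n";    // inbox view
echo handle_hardened($unlisted), "\n";  // invalid action
```

Any remaining eval() call in a code base can be located with a simple grep for `eval(` and treated as a finding to be reviewed, since a safe use of it on request data is rare.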
At this point, Hegazy was able to execute any code with the same privileges as the account that started the web server, including listing running processes, logged-in users, and directory contents.

However, he later discovered that the server kernel in use was outdated and contained a vulnerability that would have allowed him to escalate the privileges of the web server account and gain root access.

Hegazy reported his findings to Yahoo on January 20, and the next day they responded and issued a fix.

The vulnerability comes only a week after it was revealed that Facebook too had a vulnerability that could have allowed remote code execution on its servers. In that case, Facebook closed the hole within hours and paid the researcher US$33,500.

Yahoo has emailed Hegazy, stating that if his bug falls within the scope of its bug bounty, someone will soon be in contact about a reward.
SOURCE: ZDnet