27 Jan 2014

Yahoo Remote Code Execution Vulnerability Found via Privilege Escalation

Independent security researcher Ebrahim Hegazy managed to inject code into one of the Yahoo services by manipulating a GET request, according to Softpedia News. Shortly after, he used this vulnerability to escalate his privileges and execute code remotely.

The vulnerability was identified on the “tw.user.mall.yahoo.com” address. The server hosted several other subdomains as well.

“Actually I need a good proof of concept to explain to Yahoo! Security Team how dangerous is this vulnerability, despite the number of Yahoo! sub-domains hosted on the same server,” Hegazy said in a blog post.

First he uploaded a connection script to the “/tmp” directory, then executed it and established a connection with the server. The commands were executed using system($_POST['x2']). He could have gained ROOT access in this case through remote code execution.

The security vulnerability was submitted to Yahoo! on January 20 and was fixed the next day. Yahoo is trying to determine if Hegazy’s discoveries are covered by the bug bounty program.