Ebrahim Hegazy is the one who found and reported the vulnerability

May 19, 2014 08:17 GMT

Security researcher Ebrahim Hegazy identified a remote code injection vulnerability affecting several subdomains of Yahoo, Orange, Microsoft and possibly others. Fortunately, the security hole has been fixed.

The expert discovered the flaw while analyzing a Yahoo Mexico subdomain, mx.horoscopo.yahoo.net. Here, he identified an administrator panel that could be accessed without login credentials. The researcher calls this an “Unauthorized Admin Access” or an “Indirect Object Reference” issue.

From this panel, Hegazy managed to upload his own .aspx file to the server. Because the server executes .aspx files, such a file could carry code that would let an attacker run arbitrary commands on the host, the expert notes in a blog post. However, the file he uploaded for research purposes contained only a simple string.
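The flaw described above combines two defects: the panel was reachable without a login, and it accepted a client-named .aspx file into a directory the web server executes from. The following is an added illustration, not code from Hegazy's post or from any of the affected sites; the paths, the extension lists, the request shape and all function names are assumptions. It shows a minimal handler in the shape of the vulnerable one beside a hardened version that requires an authenticated administrator, allowlists every extension in the name (so `a.aspx.jpg` is refused), checks content against the claimed type, and stores the file outside the webroot under a server-chosen name.

```python
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical paths for this example.
WEBROOT = "/var/www/site"           # served by the web server: anything here may execute
UPLOAD_STORE = "/var/app/uploads"   # outside the webroot: reachable only via a download handler

# Extensions an IIS/ASP.NET host treats as server-side code (constructed list, not exhaustive).
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".asp", ".cshtml", ".config"}
# What the hypothetical panel legitimately accepts.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
# Leading bytes the allowed binary types must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class UploadRequest:
    session_user: Optional[str]   # None means the caller is not logged in
    is_admin: bool
    filename: str                 # exactly as supplied by the client
    content: bytes


class UploadRejected(Exception):
    pass


def vulnerable_destination(req: UploadRequest, webroot: str = WEBROOT) -> str:
    """'Before' shape of the flaw: no login check, client-chosen name, written
    straight into the webroot. Returns the path such a handler would write to
    (this function itself writes nothing)."""
    return os.path.normpath(os.path.join(webroot, req.filename))


def hardened_upload(req: UploadRequest, store: str = UPLOAD_STORE) -> str:
    """Validates and stores an upload; returns the stored path or raises UploadRejected."""
    # 1. The panel must require an authenticated, authorised user.
    if req.session_user is None or not req.is_admin:
        raise UploadRejected("authentication and admin role required")

    # 2. Drop any directory component (either separator) and restrict the character
    #    set; this also refuses names such as 'x.aspx;.jpg' or '.htaccess'.
    base = os.path.basename(req.filename.replace("\\", "/"))
    if len(base) > 100 or not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", base):
        raise UploadRejected("filename not allowed")

    # 3. Every extension in the name must be allowed, not just the last one.
    exts = {"." + part.lower() for part in base.split(".")[1:]}
    if exts & SERVER_EXECUTABLE:
        raise UploadRejected("server-executable extension")
    if not exts <= ALLOWED:
        raise UploadRejected("extension not on allowlist")

    # 4. The content must look like the type the name claims.
    last = "." + base.rsplit(".", 1)[1].lower()
    if last in MAGIC:
        if not req.content.startswith(MAGIC[last]):
            raise UploadRejected("content does not match extension")
    else:  # .txt: UTF-8 text without NUL bytes
        if b"\x00" in req.content:
            raise UploadRejected("binary content in text upload")
        try:
            req.content.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not UTF-8") from None

    # 5. Store under a random server-chosen name outside the webroot; the original
    #    name survives only as metadata (a sidecar file here).
    os.makedirs(store, exist_ok=True)
    stored = os.path.join(store, secrets.token_hex(16) + last)
    with open(stored, "wb") as fh:
        fh.write(req.content)
    with open(stored + ".name", "w", encoding="utf-8") as fh:
        fh.write(base)
    return stored


def check_upload(req: UploadRequest, store: str = UPLOAD_STORE) -> Tuple[bool, str]:
    """Non-raising wrapper: (accepted, stored path or rejection reason), convenient for logging."""
    try:
        return True, hardened_upload(req, store)
    except UploadRejected as exc:
        return False, str(exc)
```

Point the `store` argument at a scratch directory to try it out. The rejection reasons are deliberately distinct so that a log of refused uploads from an admin panel shows at a glance whether someone is probing for exactly the pattern in this report (anonymous access, server-executable extensions, double extensions).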

Once he identified the vulnerability, he attempted to determine if other Yahoo subdomains were affected. Much to his surprise, he found not only Yahoo subdomains, but also subdomains of Microsoft’s MSN and French telecoms company Orange.

The affected subdomains were for horoscopes and astrology. The list includes the following: pe.horoscopo.yahoo.net, ar.horoscopo.yahoo.net, co.horoscopo.yahoo.net, cl.horoscopo.yahoo.net, astrocentro.latino.msn.com, astrologia.latino.msn.com, horoscopo.es.msn.com, horoscopos.prodigy.msn.com, and astrocentro.mujer.orange.es.

The services appear to be for Spanish-speaking users. Six Yahoo subdomains, four MSN subdomains, and one Orange subdomain were affected.

“The shocking thing here is that I don’t have to upload/create my page on every domain to make a good POC! Because once I created that page on one of the Yahoo domains mentioned above, I found that my page has been created on ALL SITES hosted on the same server, Yahoo, MSN, Orange and others,” the expert notes.

“Imagine a Black-Hat with this vulnerability, creating his ‘Iframed’ aspx page with its malicious content on such highly ranked/trusted domains of Yahoo.net MSN.com Orange.es and more!!” he adds.

Hegazy believes the vulnerability affects so many subdomains because they all rely on a kind of CDN (content delivery network) for a shared astrology service.

He reported his findings to Microsoft, Yahoo and Orange. Orange hasn’t responded to his notification. Yahoo has decided to reward the expert, despite the fact that the vulnerability is normally out of scope.

Microsoft hasn’t rewarded the researcher, but the company has pushed out a fix that addresses the issue for all servers that use the astrology service, including Orange.

For additional technical details on these vulnerabilities, visit Hegazy’s website, Sec-Down.com. You can also check out the proof-of-concept video published by the expert.