Remote Code Injection Vulnerability Found on Yahoo, Microsoft and Orange Subdomains

A Remote code injection vulnerability was found on the subdomains of Yahoo, Microsoft and Orange by being escalated from an Unauthorized Admin Access, according to Ibrahim Hegazy’s blog post.

A fix has been issued for the vulnerability from Yahoo and Microsoft.

Hegazy found the Unauthorized Admin Access during his research in the Yahoo Bug Bounty Program, as the administrator panel never requested login credentials.

Image Credits: Security Down

“Of course I could have created that file with a code to give me Remote Command Execution Privilege, but I saw it was a good/enough POC,” Hegazy said. “Imagine a Black-Hat with this vulnerability, creating his ËœIframed` aspx page with its malicious content on such highly ranked/trusted domains of Yahoo.net MSN.com Orange.es and more!!”

The vulnerability originated from the content delivery service that supplied Yahoo, Microsoft and Orange subdomains with horoscope data.

Image Credits: Security Down

It enabled the arbitrary code execution just by uploading ONE “.aspx” file that would then affect all subdomains, as follows:

Yahoo:

http://pe.horoscopo.yahoo.net

http://mx.horoscopo.yahoo.net

http://ar.horoscopo.yahoo.net

http://co.horoscopo.yahoo.net

http://cl.horoscopo.yahoo.net

http://espanol.horoscopo.yahoo.net

Microsoft MSN:

http://astrocentro.latino.msn.com/

http://astrologia.latino.msn.com/

http://horoscopo.es.msn.com/

http://horoscopos.prodigy.msn.com

Orange:

http://astrocentro.mujer.orange.es

This is a good example on how Bug Bounty Programs enable researchers to find and report vulnerabilities before they are exploited for malicious purposes. In the worst case scenario, if this vulnerability were found by cyber-criminals, it could have affected countless users.