A remote code execution vulnerability to fix Yahoo, Microsoft, and Orange

Source: Internet
Author: User
Tags subdomain subdomain name

Preface:
An Egyptian hacker uploads a file and wins websites owned by many large manufacturers. In addition, this buddy is very funny and has a comedy effect. Here is the original English text.
Body:
Hello, everyone. Today I will show you a Remote Code Injection caused by "Unauthorized Admin Access". I used this vulnerability to fix Yahoo, microsoft and Orange websites.
Incredible, isn't it? Below is the time to witness the miracle. One day I made a mess on the yahoo page and found this page when I was looking for the management background. (Here ymx stands for my own account) http://mx.horoscopo.yahoo.net/ymx/editor/
Log in without any authentication. I thought he would say "Unauthorized Admin Access AKA Indirect Object Reference.



Have you seen the file list on the left? I can also create a similar aspx file. First, intercept the data submitted by POST.


You can see that the POST: FileName = zigoo. aspx & FileContent = zigoo line is clear. I can use any content to replace it. (It's a bunker. You have wood !)


Let me just write something. This proves the existence of the vulnerability.

Next let's look for the evil ones and find out which sub-domain names have this vulnerability:
# Yahoo:
Http://pe.horoscopo.yahoo.net
Http://mx.horoscopo.yahoo.net
Http://ar.horoscopo.yahoo.net
Http://co.horoscopo.yahoo.net
Http://cl.horoscopo.yahoo.net
Http://espanol.horoscopo.yahoo.net
# Microsoft MSN:
Http://astrocentro.latino.msn.com/
Http://astrologia.latino.msn.com/
Http://horoscopo.es.msn.com/
Http://horoscopos.prodigy.msn.com
# Orange:
Http://astrocentro.mujer.orange.es
When I tested these websites, I found another one for NB! Day! Big! Secret! Password! As long as I create this page under a subdomain name, other subdomain names will also be automatically recruited. You can beat the ox in the mountains.
As a result, I reported this vulnerability to Microsoft. Microsoft calmly replied, "we will investigate it." Well, let them investigate it slowly. Let's guess how this happens in a dozen or a hundred times. I guess it is a CDN server that provides cached content to all sub-domain names, so a file appears under a domain name, and all other domain names will be affected.
The following is a POC video:
Finally, let's make a try:
# Yahoo_Case
Yahoo did not pay a reward for the vulnerability, but the vulnerability discovered by brother involved six subdomains, which had a huge impact. So they prepared and rewarded me with the reward.



# MSN_Case
I asked Microsoft to ask for a prize. As a result, Microsoft never gave me a bird, and they must have secretly fixed the vulnerability. WTF
# Orange_Case
Connecting to Orange is simply a hell‑level difficulty, so I gave up. But fortunately, Microsoft released a patch to fix all servers, including Orange.
 
 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.