RCE on Yahoo Luminate
This is a writeup for another vulnerability that was found during my work in testing security of Luminate & Yahoo in general. During my test, I targeted multiple applications and assets of Luminate. This included the addons, services and softwares that Luminate provided.
This writeup is written with help of Joel Margolis (teknogeek) because this vulnerability was found while working with him.
During my recon process, I landed on a website of Luminate where it was showcasing a SiteBuilder software that they had built. With this software, admins & owners could download the source code of their website, edit it and then publish it. This basically reduced the work of having to login to Luminate then go to web hosting and then editing the file.
I downloaded the exe installer and installed the program. At first, I was not sure exactly how this was running. I reached out to Joel and ask him if he wanted to work on this together.
Breaking the exe file to understand the app
Exploiting ahead after breaking the exe file.
After we broke the exe file, it was discovered that during the installation, the installer will request a .jnlp file. Jnlp is basically an extension for a java program. We were able to then grab the .jar version of it once the program installed. We then approached this software by chaining two different approach: Source Code Analysis -> UI Testing
For source code analysis, we decompiled the jar file and grabbed its source code. Once we had that, we could work on finding vulnerabilities and testing them with the UI to confirm it. When checking the source code, Joel pointed out a flaw in how the hyperlink worked in it.
If a hyperlink was in the page and the owner/admin/user wanted to see how the hyperlink worked then they could preview it. This loaded a web browser and showed the content of the link. When checking the source code we found out the following issue:
- When the link is clicked, it makes a request to select which browser to open. If the browser is installed in the system it would process the request.
- To send the request, it was sending command through cmd.exe by making a request to it and sending the url with it: (Image below)
urlwas not sanitized which means that if a malicious link was there it could be exploited easily. Unfortunately, there were some checks on it which we had to bypass.
To exploit this properly, we needed to bypass a simple regex they had. For example if there was any link that did not follow the regular http://[domain.com] example it would not allow it. However, Joel noticed that putting %00%00 could do the magic so in the end we had a hyperlink of https://%00%00c:/../../../../windows/system32/calc.exe When the link was clicked, it would open calculator:
To improve this attack from admin->owner to random user->owner, we decided to test the main website of Luminate and found some vulnerabilities in the web app and tools it had in general. This would allow another user to grab admin privilege in installed addons and upload the malicious file.
Exploiting from Random user to Owner
Yahoo's Luminate by default gives website additional features that are vulnerable to attacks like SQL Injection. In this case, it was possible SQL Injection to dump a credential for the authorized user and then to upload the malicious file. This will allow to exploit this every time an owner opened the site page in the site builder program.
September 18, 2017 — Reported to Luminate
September 18, 2017-Report Triage and initial bounty paid
October 2, 2017-Information provided that escalated the issue from
admin->owner to random_attacker->owner