Tuesday, November 1, 2016

[Yahoo] Disclosure of a phpinfo.php file at one of Yahoo's subdomains

Hi there,

This article is about a more trivial finding, but nonetheless a misconfiguration that had been missed by other researchers. So I decided to share it with the public as well.
As I wrote in my previous post, all my research starts from reconnaissance of the target, and Yahoo was no exception. When all my 'first round' custom scripts had finished, they had found ~4k subdomains for the Yahoo domain. Sure, not all of them were alive, but that is still a lot... Then came the 'second round' of custom scripts; one of them looks for common default files that are left world-readable (e.g. phpinfo.php, which reveals the PHP version, loaded modules, file system paths and environment variables of the server).

Within a couple of hours my script detected an accessible phpinfo.php file at one of the subdomains. My first thought was: "it's probably a false positive". But no, the file really was accessible at the following URL: 'http://druid-hist25.lh.bf1.yahoo.com/phpinfo.php'





Frankly speaking, I was quite surprised by this finding, because I read a lot of blogs written by other researchers, and I remembered a finding by Patrik Fehrenbach in his blog post. The vulnerability is exactly the same and the target is the same, plus he had scanned the whole Yahoo NetRange for this accessible file. My question was: "How was the file missed?" Within a couple of seconds I realized that such a huge corporation probably has other networks..
A quick ping of 'druid-hist25.lh.bf1.yahoo.com' put everything into place.



As you may have noticed, the subdomain I found lives in a different network than the one scanned by Patrik (CIDR: 98.136.0.0/14).
Now I needed to find out the IP range of the network which contains the IP 74.6.49.57. I did it via whois and retrieved the following info:
NetRange:       74.6.0.0 - 74.6.255.255
CIDR:           74.6.0.0/16
NetName:        INKTOMI-BLK-6
NetHandle:      NET-74-6-0-0-1
Parent:         NET74 (NET-74-0-0-0-0)

I dared to 'borrow' Patrik's script and follow his example: scan the whole /16 (65,025 addresses as the script enumerates them; a /16 holds 65,536 in total). The script ran for ~2.5 days, but that's fine thanks to my always-on server at DigitalOcean. :) And btw, as a bit of advertising, I would recommend the DigitalOcean platform for your remote pentesting server; use my referral link and get $10 credited to your account.
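The two scanning steps above (the 'second round' default-file check over the subdomain list, and the sweep of every address in the whois NetRange) can be combined into one small tool. The following is an added example by the editor, not the author's script and not Patrik's; the file names, the phpinfo() markers and the constructed responses in FAKE_WEB are assumptions. It expands a CIDR into individual hosts, requests a few default file names from each, and keeps only responses that really are phpinfo() output, which is exactly the false-positive question the author raised when the first hit came in.

```python
"""Sweep hostnames or whole CIDR ranges for a world-readable phpinfo.php.

Editor's example, not the author's tooling. fetch() is injectable so the sweep
can be exercised offline against constructed responses; http_fetch() is the
real client you would pass in for a live run.
"""
import ipaddress
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Response = Tuple[int, str]                   # (HTTP status, decoded body)
Fetcher = Callable[[str], Optional[Response]]

DEFAULT_FILES = ("phpinfo.php", "info.php", "test.php")   # assumed wordlist

# Genuine phpinfo() output always carries both markers; an arbitrary 200
# (catch-all page, WAF stub, login redirect) does not. This is what separates
# a true hit from the false positive the author first suspected.
PHPINFO_MARKERS = (re.compile(r"PHP Version", re.I), re.compile(r"phpinfo\(\)", re.I))


def looks_like_phpinfo(status: int, body: str) -> bool:
    return status == 200 and all(m.search(body) for m in PHPINFO_MARKERS)


def expand_targets(targets: Iterable[str]) -> List[str]:
    """Hostnames pass through unchanged; CIDR ranges expand to every host address
    (network and broadcast addresses are skipped for ranges larger than /31)."""
    out: List[str] = []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:            # not an IP or CIDR: treat it as a hostname
            out.append(target)
            continue
        addrs = net if net.num_addresses <= 2 else net.hosts()
        out.extend(str(a) for a in addrs)
    return out


def http_fetch(url: str, timeout: float = 5.0) -> Optional[Response]:
    """Minimal real client: (status, body) or None if the host did not answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(64 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 403/404/500 is still a response
        return err.code, ""
    except (urllib.error.URLError, OSError, ValueError):
        return None


def sweep(targets: Iterable[str], fetch: Fetcher = http_fetch,
          files: Iterable[str] = DEFAULT_FILES) -> List[str]:
    """Return the URLs whose response looks like a genuine phpinfo() page."""
    hits: List[str] = []
    for host in expand_targets(targets):
        for name in files:
            url = f"http://{host}/{name}"
            response = fetch(url)
            if response is not None and looks_like_phpinfo(*response):
                hits.append(url)
    return hits


# Constructed responses standing in for a live network; nothing here was observed.
FAKE_WEB = {
    "http://10.0.0.1/phpinfo.php": (200, "<title>phpinfo()</title>PHP Version 5.3.3"),
    "http://10.0.0.2/phpinfo.php": (200, "<h1>Welcome</h1>"),   # catch-all 200
    "http://10.0.0.3/phpinfo.php": (403, ""),
}


def fake_fetch(url: str) -> Optional[Response]:
    return FAKE_WEB.get(url)        # None means the host did not answer


if __name__ == "__main__":
    # Offline demo: only 10.0.0.1 is a true hit; 10.0.0.2 answers 200 but is not phpinfo().
    print(sweep(["10.0.0.0/30"], fetch=fake_fetch))
    # Live run over the NetRange from the whois output above (slow, one request per file per IP):
    # print(sweep(["74.6.0.0/16"]))
```

For a live sweep of a /16 you would wrap sweep() in a thread pool and keep the timeout short; note that expand_targets("74.6.0.0/16") yields 65,534 host addresses, a few hundred more than the 65,025 that a nested 1-255 loop covers.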

Fortunately or unfortunately, I didn't find anything else in that IP range.

RESULTS:
Bounty
Swag
HoF


Always believe in yourself and good luck.

Thanks for your attention.
Stas

Friday, October 14, 2016

[ADOBE] The importance of keeping applications up to date and using complex passwords, OR from directory traversal to admin panel takeover.

Hi all, today I would like to start my blog, and I hope I will be able to update it from time to time. Unfortunately I am not very eloquent, and my posts may seem a bit plain, but I'm going to improve this skill. Finally I found an interesting topic to share with the public, at least from my perspective ☺ I hope this article will be motivating and of course useful ;)


HOW DID IT START
As part of bug bounty hunting, I perform web application penetration testing for many companies. A couple of months ago my eye fell on the Adobe program, but I got a quick response from my subconscious: 'Come on... It's such a famous company, hundreds of hunters have already tested them, no sense spending time on it. Forget it.' A month later, leafing through the company list, my eye fell on it once again, but this time I asked myself: 'Why not?'

It would probably be right to start with my approach to pentesting... In my daily work / hunting I always use the PTES methodology. In a nutshell: the Penetration Testing Execution Standard consists of seven (7) main sections. These cover everything related to a penetration test: from the initial communication and the reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers work behind the scenes to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement, and finally to the reporting, which captures the entire process in a manner that makes sense to the customer and provides the most value.

Why do I need it, and why is it useful? Imagine that you are shooting at a target from a distance of 50m; it will be hard to hit, right? But if somebody brings it closer, to 25m, I suppose hitting the target will be much easier. It's the same here: when you have multiple subdomains to test, it's much easier to find some interesting stuff.


FINDING
So, the first thing I did was reconnaissance of the target. For this purpose I used multiple DNS enumeration tools, here are a couple of them: subbrute, theHarvester, etc. Well, let's move further. During the 'Information Gathering' PTES phase I found that the host 'lighthouse.adobe.com:8500' was vulnerable to directory listing on port 8500 (the default port of ColdFusion's built-in web server):



As you can see, the latest changes on this host were made on 04/04/11; it seems Adobe had forgotten about this site entirely.. So there was a chance to find outdated services running. After some time of investigation I found the admin panel login page, and yes, the application running at 'lighthouse.adobe.com:8500' was outdated: ColdFusion 9 (the current release at the time of writing was ColdFusion 2016):



The first thing that came to my mind: check online for ColdFusion 9 exploits. As it turned out, there are plenty of them; ColdFusion 9 is affected by the following classes of security vulnerabilities: DoS, information disclosure, XSS, CSRF, administrative login bypass, directory traversal, etc. That is interesting... Sure thing, my first try was to find an exploit for the 'administrative login bypass'. It was easy to find, and as it turned out, Metasploit already has a module for it: exploit/multi/http/coldfusion_rds. Unfortunately I failed to get anywhere with this particular Metasploit module... Time to re-read the description of the exploit ☺
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing authentication on the admin web interface which then could lead to arbitrary code execution.
So it seems the administrator had disabled RDS in ColdFusion, and I was not able to use this exploit. Ok, move further; the application is still vulnerable to plenty of other issues. There is one more thing, directory traversal: how can I exploit it, and are there any exploits online? Yes, here is one more exploit: https://www.exploit-db.com/exploits/14641/. Run it against our target, and, voilà, we got the hash of the admin password: 50A826CED903EFF995651D65C21B5A6F67D9616A



Judging by the length of the hash (40 hex characters, i.e. 160 bits), the password is hashed with SHA-1 (hashed, not encrypted: a hash cannot be reversed, only matched against candidate passwords, and since ColdFusion 9 stores it unsalted a precomputed lookup table does that instantly). For the lookup I used https://hashkiller.co.uk/sha1-decrypter.aspx. Wow, the password was successfully recovered: slapstick.
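The reasoning above (guess the algorithm from the digest length, then match candidates against it) is easy to reproduce offline without an online lookup service. The following is an added example by the editor, not the author's tooling; it assumes what the page's own evidence shows, an unsalted SHA-1 hex digest, and the candidate wordlist is constructed for the demo.

```python
"""Identify a recovered password hash by its length and run an offline wordlist check.

Editor's example. It assumes an unsalted hex digest, which is what ColdFusion 9's
password store produced here; with a salted, iterated scheme (PBKDF2, bcrypt) the
same wordlist check would have to run per account and the online lookup the
author used would not work at all.
"""
import hashlib
from typing import Iterable, Optional

# Digest length in hex characters -> the unsalted hashlib algorithm that produces it.
HEX_LENGTH_TO_ALGORITHM = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

RECOVERED_HASH = "50A826CED903EFF995651D65C21B5A6F67D9616A"   # the hash from the post


def identify_unsalted_hash(digest_hex: str) -> Optional[str]:
    """Guess the algorithm from the digest length; None if it is not plain hex
    or the length matches none of the common unsalted digests."""
    digest_hex = digest_hex.strip()
    try:
        int(digest_hex, 16)
    except ValueError:
        return None
    return HEX_LENGTH_TO_ALGORITHM.get(len(digest_hex))


def crack_unsalted(digest_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose digest matches, or None.

    The comparison is case-insensitive because ColdFusion writes the digest in
    upper-case hex while hashlib emits lower-case.
    """
    algorithm = identify_unsalted_hash(digest_hex)
    if algorithm is None:
        return None
    target = digest_hex.strip().lower()
    for word in candidates:
        if hashlib.new(algorithm, word.encode("utf-8")).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    # Constructed wordlist; a real run would read rockyou.txt or similar line by line.
    wordlist = ["password", "admin", "coldfusion", "slapstick"]
    print(identify_unsalted_hash(RECOVERED_HASH))
    print(crack_unsalted(RECOVERED_HASH, wordlist))
```

A long random password would survive this check even unsalted, which is the second half of the post's conclusion: the outdated server leaked the hash, but it was the weak password that turned the leak into an admin panel takeover.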




POST-EXPLOITATION:
As an ethical hacker, my work ends here; I will not harm the server. I just notified the Adobe security team about this issue. It was the fastest report triage ever (~1.5 min)



About the fix I can't say much, because Adobe simply turned off the application running on port 8500.


CONCLUSION:
Two ridiculous things that I found here:
- Adobe, the owner of the ColdFusion application server, was running an out-of-date version of it;
- The password complexity was poor for such a company.


RESULTS:
In 3 days of penetration testing against Adobe, I was able to find:
- Admin panel takeover;
- 4 Stored XSS;
- 6 Directory Listings;
- 1 sensitive world-accessible config file;
- E-Mail Content Spoofing;
- 4 other minor server misconfiguration.

I suppose more interesting things could be found, but to my big disappointment Adobe doesn't offer any monetary rewards.. But still, that is a great start for me, since now you can find my name on their acknowledgement web page

Bounty
Swag
HoF

REFERENCES:
Unfortunately I found this presentation only after all my research, but I guess it will be useful to leave it here: http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf

Always believe in yourself and try, even against such huge and famous companies.

Good luck! :)

Thanks for your attention.