Yahoo Image Processing SSRF/XSPA

In this blog post I will be showing a few recent vulnerabilities that I reported to, and that were patched by, the Yahoo Security Team. In July 2014 I identified an SSRF vulnerability affecting all of Yahoo's services that perform image processing (such as Flickr and Yahoo Groups). This vulnerability was patched a few weeks ago (June 2015). Now let's get to the good stuff:


YIMG SSRF/XSPA and XSS:

Flickr allows users to use the IMG tag in the comments section as well as in the Flickr group rules. When the picture is posted (whether via a comment or in the group's info/rules) it is processed and served through a URL like this:

https://ec.yimg.com/ec?url=http%3A%2F%2Fnahamsec.com%2F2.gif&t=1404282499&sig=gDQqxuPTgioR4SoCGeuIZg--~B

Where the .gif referenced in the url parameter is actually an HTML file containing a few XSS payloads (which, weirdly enough, gets parsed on their servers).

Seeing that, I decided to play around with the processor, which oddly enough was stripping off any word before :// and so made it impossible to read local files using file://path/to/file. That leads on to the next attack: Cross Site Port Attacks (XSPA). The trick to this vulnerability is that you can't simply replace the url parameter with your designated URL (the request also carries a sig parameter, so a tampered url value presumably no longer matches it); I had to create new comments/rules with different targets, which resulted in the processor requesting:

https://ec.yimg.com/ec?url=http%3A%2F%2Fnahamsec.com%3A22&t=1412102561&sig=zY7a9hM3xmRYvX05Avis9A--~B


as well as:

https://ec.yimg.com/ec?url=http%3A%2F%2Flocalhost%3A22&t=1412569827&sig=TyFD2z3x5eqUWlF1PtgMKA--~B

[Screenshot: Screen Shot 2015-06-21 at 6.16.46 PM]
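To make the failure mode concrete, here is an added example (my own code, not code from the original post and not Yahoo's or Flickr's implementation). It models the observed behaviour of the processor, which drops whatever precedes :// and fetches the rest over http, and places it beside a hardened URL check of the kind an image fetcher should apply before making any outbound request. The host names, the fake DNS table and the probe list are constructed for the demo so it runs offline; the real processor's internals are an assumption.

```python
"""
Added example, not code from the original post or from Yahoo/Flickr: a toy
model of the image processor described above beside a hardened URL check.
Host names, addresses and the fake DNS table below are constructed.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


def normalize_like_processor(url: str) -> str:
    """Assumed behaviour of the vulnerable processor: everything before
    '://' is discarded and the remainder is fetched over http.  That blocks
    file:// reads but still lets http://localhost:22 through, which is what
    the XSPA probes above rely on."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return "http://" + rest


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; the demo injects a fake table so it runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def check_image_url(url: str,
                    resolver: Callable[[str], List[str]] = system_resolver
                    ) -> Tuple[bool, str]:
    """Hardened policy for a server-side image fetcher. Returns (ok, reason).

    Rejects non-http(s) schemes, embedded credentials, unusual ports, and any
    host (literal or resolved) that is not a global address: loopback,
    RFC 1918, link-local, IPv4-mapped IPv6, documentation ranges, ..."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        ipaddress.ip_address(host)  # IP literal: no DNS needed
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:             # socket.gaierror is an OSError
            return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped     # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:
            return False, "host resolves to non-global address %s" % ip
    return True, "ok"


# Constructed DNS table (93.184.216.34 stands in for an ordinary public
# address; the others are loopback / RFC 1918).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "attacker.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host: %s" % host)
    return FAKE_DNS[host]


# Constructed probes mirroring the kinds of url values used above.
PROBES = [
    "http://attacker.example/2.gif",
    "file://path/to/file",
    "http://attacker.example:22",
    "http://localhost:22",
    "http://127.0.0.1:80/",
    "http://intranet.example/logo.gif",
]


def evaluate(probes=PROBES, resolver=fake_resolver):
    """Map each probe to (what the naive processor would fetch, hardened verdict)."""
    return {u: (normalize_like_processor(u), check_image_url(u, resolver)) for u in probes}


if __name__ == "__main__":
    for url, (fetched, (ok, reason)) in evaluate().items():
        print("%-36s naive fetches %-28s hardened: %s (%s)"
              % (url, fetched, "allow" if ok else "deny", reason))
```

Two caveats for anyone turning check_image_url into a real fetcher: connect to the address you validated rather than re-resolving the name (otherwise a DNS rebinding between check and fetch defeats it), and re-run the check on every redirect target, since an allowed public host can 302 to http://localhost:22 just as easily.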


After finding this issue I was able to reproduce exactly the same thing while inserting an image in Yahoo Groups.


Timeline:
2014-07-01 Reported
2014-07-11 Marked as N/A by Yahoo!
2014-07-15 Triaged
2014-11-21 – 2015-06-03 Direct communication via Twitter in regards to the vulnerability (Big thanks to Junot)
2015-07-10 Fixed
