Hello everyone! Thank you for taking the time to read this article.

Some time ago, I found a very strange vulnerability that caught my attention. Today, I will share some information about it in this article. Currently, this vulnerability has no name, and it has not been reported in the news. Maybe you think this vulnerability does not matter right now! The reason I want to publish this article is to tell you that sometimes you just need to change your way of thinking a little and look at something from a different angle, and you will find the problems that exist.

Proof-of-concept example:

In the beginning, I just wanted to find an RFD vulnerability. I did not find one, but I found another critical security vulnerability. At the time, I was analyzing a subdomain of Yahoo's website dedicated to racing (fantasysports). On this site, the technician can add an advance preview of the match video. While analyzing the security of this feature, I found that when end users preview the match video or information, a .pdf file appears on the user's computer. This document also caught my attention.

So, I started to analyze and research this file. In the course of my analysis, an idea suddenly came to mind that I thought was very interesting: could I call or download a remote file from the Yahoo domain as well? So the question is: how can I do it? The answer is simple. The URL address of the Preview_1.pdf file is as follows:

file=preview&race=1

Now, I can use the URL address of a remote file to call or download files in the Yahoo domain.
This is the key point: it means that I can directly replace the Preview_1.pdf file on the Yahoo domain with other, malicious files. For example, I can use a malicious file to replace Preview_1.pdf. So I could compress a malicious .exe file into 7.zip and upload it. (Note, however, that under Yahoo's network security policy you should try to reduce the impact of such a malicious action on end users.) So, my final malicious payload was as follows:

file=preview&race=5

When I pressed the Enter key, a miracle happened! Now I could call or download a remote file on another domain from the Yahoo domain.

Where is the key problem? Because of Yahoo's file invocation mechanism, Yahoo will call a remote server file for any URL of a similar form on its subdomain, which makes the problem more serious. An attacker can send this URL address to a target user; if the user clicks on the URL address, the user's computer will be attacked.

How can the problem be fixed?

1) Disable the preview function.
2) A design flaw in the URL address will generate an error message, as shown below.

Proof of Concept Video:

Video address: https://youtu.be/BAWMgDnwgdI

After this, I reported the vulnerability to Yahoo's security team, and the team told me that it was an RFD vulnerability. So I sent them an e-mail explaining the difference between an RFD vulnerability and the vulnerability I had found. Here, I would like to thank @dsopas; he understood what I wanted to say. The reply they gave me is shown below:

They explained that this vulnerability is actually an Open Redirect vulnerability. So I wrote an e-mail asking them to explain the difference between an Open Redirect vulnerability and the vulnerability I had found.
Finally, they agreed with my point of view; they also recognized that the vulnerability is neither an RFD vulnerability nor an Open Redirect vulnerability, but a new kind of vulnerability.
Subsequently, Yahoo's security team also provided me with a reward.

Event timeline:

August 31, 2015: I submitted this vulnerability to Yahoo's security team.
September 1, 2015: I received the first feedback on the vulnerability from Yahoo's security team.
February 2, 2016: Yahoo's security team fixed the vulnerability and asked me to wait for notification about the vulnerability reward.
February 22, 2016: Yahoo's security team told me it was an RFD vulnerability.
February 22, 2016: I explained to them the difference between an RFD vulnerability and the vulnerability I had found.
March 8, 2016: Yahoo's security team confirmed that the vulnerability was not an RFD vulnerability, and replied that it was an Open Redirect vulnerability.
March 8, 2016: I explained to them the difference between an Open Redirect vulnerability and the vulnerability I had found.
March 11, 2016: Yahoo released a security vulnerability announcement.
March 27, 2016: The vulnerability information was published.

Original link: http://shield4you.blogspot.sg/2016/03/how-i-able-to-download-any-malicious.html (Editor: An Botao)
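The second fix listed above (answer anything unexpected with an error instead of a file) can be sketched as a server-side resolver for the file=preview&race=N parameters. This is an added example, not code from the article or from Yahoo; the names resolve_preview and PreviewError, the local directory layout and the server-side Preview_<race>.pdf naming are assumptions, since the article does not show the full URL or the backend.

```python
# Added example: hardened resolver for a preview-download endpoint.
# Assumed (not from the article): resolve_preview, PreviewError, the local
# preview directory, and building Preview_<race>.pdf on the server.
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

ALLOWED_FILES = {"preview"}          # the only document type the feature serves
RACE_RE = re.compile(r"[0-9]{1,4}")  # race id: short decimal number, nothing else

class PreviewError(Exception):
    """Any request that must get an error page instead of a file."""

def resolve_preview(query: str, base_dir: Path) -> Path:
    params = parse_qs(query, keep_blank_values=True)
    # Reject unknown or repeated parameters instead of silently picking one.
    if set(params) != {"file", "race"} or any(len(v) != 1 for v in params.values()):
        raise PreviewError("unexpected parameters")
    file_kind, race = params["file"][0], params["race"][0]
    if file_kind not in ALLOWED_FILES:
        raise PreviewError("unknown file type")
    if not RACE_RE.fullmatch(race):
        # URLs, host names and path fragments all fail here.
        raise PreviewError("invalid race id")
    # The server builds the file name; no client-supplied string reaches the path.
    candidate = (base_dir / f"Preview_{int(race)}.pdf").resolve()
    if base_dir.resolve() not in candidate.parents or not candidate.is_file():
        raise PreviewError("no such preview")
    return candidate

def demo() -> dict:
    """Run constructed requests against a temporary preview directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Preview_1.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        for q in ("file=preview&race=1",
                  "file=preview&race=5",
                  "file=preview&race=https://example.invalid/7.zip",
                  "file=preview&race=1&race=2",
                  "file=other&race=1"):
            try:
                results[q] = resolve_preview(q, base).name
            except PreviewError as exc:
                results[q] = f"error: {exc}"
    return results
```

Only the first constructed request resolves to a file; every other one ends in an error, so the domain never serves content it does not host itself.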