Ivan Novikov, profile picture
Uploaded byIvan Novikov
2,200 views

Yandex rewards. ONsec experience

The document summarizes the history of Yandex's bug bounty program and ONsec Lab's experience finding vulnerabilities in Yandex systems between 2011-2013. It describes several vulnerabilities ONsec Lab reported to Yandex, including an XXE issue, an authentication bypass, and a CSRF/XSS collection vulnerability. It provides details on a current "Memcached injection through SSRF" bug and an attempted but failed remote code execution exploit of Yandex's internal Zabbix monitoring system via an SSRF vulnerability.

Embed presentation

Downloaded 32 times
Yandex reward program ONsec experience DEFCON Russia, DCG-7812 21/02/2013 Saint-Petersburg, Yandex
History of Yandex rewards ● 2011, October - November: Yandex's Month of Security Bugs ● Prizes: ○ 1-st @d0znpp (@ONsec_Lab) ○ 2-nd @ASintsov ○ 3-rd @kyprizel (now in Yandex team)
History of Yandex rewards ● 2011, October - November: Yandex's Month of Security Bugs ● Bugs: ○ 1-st Massive XXE ○ 2-nd Auth bypass at mail service ○ 3-rd CSRF/XSS collection at auth system
What about now? ● Bug bounty program every time ● http://company.yandex.com/security/ ● From $100 (A06,10) to $1000 (A01) per bug ● OWASP Top-10 based rating
@ONsec_Lab bugs stats Only server-side - only hardcode!!! ● 20 bugs accepted ● 1 reject as a double ● 11 qualified bugs ● 9 bugs at progress ● 240'000 rub approved, 80'000 paid rewards ● 21'818 rub per bug average ($715)
What about bugs? All our bugs are server-side: ● XXE against - nothing interesting ● Memcached injections through SSRF ● Nice "RCE" story ● Great SSRFs for HITB2013AMS (not now)
Memcached injection through SSRF ● All theory described at our ZeroNights report: www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of- vulnerabilities ● Find possibility to write in sockets: ANYPREFIXnyoudatanANYPOSTFIX ● Write it to localhost 11211 port - easy!
Memcached injection through SSRF
Nice "RCE" story: stages ● Determine target ● Find information leaks ● Find vulns ● Find SSRF to exploit vulns ● Exploit vuln through SSRF
Determine target ● Have connections from anywhere in infrastructure ● Have information about all infrastructure ● Monitoring system!
Find information leaks ● Use Yandex to hack Yandex: ● This presentation contain info about Zabbix
Find information leaks ● Use Google to hack Yandex: ● This ticket contained intranet host of Zabbix in Yandex
Find vulns in Zabbix ● Zabbix RCE vulnerability were found ● Presented at ZeroNights 0day show
Find SSRF and exploit it! ● SSRF attack from host which can establish connections to Zabbix host ● SSRF restrictions to make exploitation possible ● And...
Fail!
Not this time ;( ● Our Zabbix RCE exploit doesn't work at Debian systems ● Yandex's zabbix was based on Debian or manually configured ● But we have come a long way and it is worth a look!
We did not give up! ● More exploits and vulns later ● Follow us at HITB2013AMS
??? @ONsec_Lab [http://lab.ONsec.ru] @d0znpp d0znpp@onsec.ru

More Related Content

PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
PDF
Defcon CTF quals
bysnyff
 
PDF
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
byShakacon
 
PDF
0day hunting a.k.a. The story of a proper CPE test
byBalazs Bucsay
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
PDF
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
PDF
SecurifyLabs & Tiki @ Countermeasure 2014
bysecurifylabs
 
PDF
Software management, the seasonal return of DDoS - This Week in Security.pdf
byLior Rotkovitch
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
Defcon CTF quals
bysnyff
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
byShakacon
 
0day hunting a.k.a. The story of a proper CPE test
byBalazs Bucsay
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
SecurifyLabs & Tiki @ Countermeasure 2014
bysecurifylabs
 
Software management, the seasonal return of DDoS - This Week in Security.pdf
byLior Rotkovitch
 

Similar to Yandex rewards. ONsec experience

PDF
Bug bounty null_owasp_2k17
bySagar M Parmar
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
PDF
NSC #2 - Challenge Solution
byNoSuchCon
 
PPTX
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
byPROIDEA
 
PDF
[Bucharest] #DontTrustTheDarkSide
byOWASP EEE
 
PPTX
Defcamp 2013 - Does it pay to be a blackhat hacker
byDefCamp
 
Bug bounty null_owasp_2k17
bySagar M Parmar
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
NSC #2 - Challenge Solution
byNoSuchCon
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
byPROIDEA
 
[Bucharest] #DontTrustTheDarkSide
byOWASP EEE
 
Defcamp 2013 - Does it pay to be a blackhat hacker
byDefCamp
 

More from Ivan Novikov

PDF
SSRF workshop
byIvan Novikov
 
PDF
Data normalization weaknesses
byIvan Novikov
 
PDF
Distributed computing in browsers as client side attack
byIvan Novikov
 
PDF
Lie to Me: Bypassing Modern Web Application Firewalls
byIvan Novikov
 
PDF
OpenSSL rands (fork-safe)
byIvan Novikov
 
PDF
How to hack. Cyprus meetup
byIvan Novikov
 
PDF
Where is my silver bullet?!
byIvan Novikov
 
SSRF workshop
byIvan Novikov
 
Data normalization weaknesses
byIvan Novikov
 
Distributed computing in browsers as client side attack
byIvan Novikov
 
Lie to Me: Bypassing Modern Web Application Firewalls
byIvan Novikov
 
OpenSSL rands (fork-safe)
byIvan Novikov
 
How to hack. Cyprus meetup
byIvan Novikov
 
Where is my silver bullet?!
byIvan Novikov
 

Recently uploaded

PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 

Yandex rewards. ONsec experience

  • 1.
    Yandex reward program ONsecexperience DEFCON Russia, DCG-7812 21/02/2013 Saint-Petersburg, Yandex
  • 2.
    History of Yandexrewards ● 2011, October - November: Yandex's Month of Security Bugs ● Prizes: ○ 1-st @d0znpp (@ONsec_Lab) ○ 2-nd @ASintsov ○ 3-rd @kyprizel (now in Yandex team)
  • 3.
    History of Yandexrewards ● 2011, October - November: Yandex's Month of Security Bugs ● Bugs: ○ 1-st Massive XXE ○ 2-nd Auth bypass at mail service ○ 3-rd CSRF/XSS collection at auth system
  • 4.
    What about now? ●Bug bounty program every time ● http://company.yandex.com/security/ ● From $100 (A06,10) to $1000 (A01) per bug ● OWASP Top-10 based rating
  • 5.
    @ONsec_Lab bugs stats Onlyserver-side - only hardcode!!! ● 20 bugs accepted ● 1 reject as a double ● 11 qualified bugs ● 9 bugs at progress ● 240'000 rub approved, 80'000 paid rewards ● 21'818 rub per bug average ($715)
  • 6.
    What about bugs? Allour bugs are server-side: ● XXE against - nothing interesting ● Memcached injections through SSRF ● Nice "RCE" story ● Great SSRFs for HITB2013AMS (not now)
  • 7.
    Memcached injection through SSRF ●All theory described at our ZeroNights report: www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of- vulnerabilities ● Find possibility to write in sockets: ANYPREFIXnyoudatanANYPOSTFIX ● Write it to localhost 11211 port - easy!
  • 8.
  • 9.
    Nice "RCE" story:stages ● Determine target ● Find information leaks ● Find vulns ● Find SSRF to exploit vulns ● Exploit vuln through SSRF
  • 10.
    Determine target ● Have connections from anywhere in infrastructure ● Have information about all infrastructure ● Monitoring system!
  • 11.
    Find information leaks ● Use Yandex to hack Yandex: ● This presentation contain info about Zabbix
  • 12.
    Find information leaks ● Use Google to hack Yandex: ● This ticket contained intranet host of Zabbix in Yandex
  • 13.
    Find vulns inZabbix ● Zabbix RCE vulnerability were found ● Presented at ZeroNights 0day show
  • 14.
    Find SSRF andexploit it! ● SSRF attack from host which can establish connections to Zabbix host ● SSRF restrictions to make exploitation possible ● And...
  • 15.
  • 16.
    Not this time;( ● Our Zabbix RCE exploit doesn't work at Debian systems ● Yandex's zabbix was based on Debian or manually configured ● But we have come a long way and it is worth a look!
  • 17.
    We did notgive up! ● More exploits and vulns later ● Follow us at HITB2013AMS
  • 18.