Tuesday 28 January 2014

Facebook Hacker received $33,500 reward for Remote code execution vulnerability

Facebook has paid out its largest bug bounty ever, $33,500, to a Brazilian security researcher for discovering and reporting a critical remote code execution vulnerability that could potentially have given an attacker full control of a server.

In September, Reginaldo Silva found an XML External Entity (XXE) expansion vulnerability in the part of Drupal that handled OpenID, which allowed an attacker to read any file on the web server. Facebook also lets users sign in with OpenID: it receives an XML document from the third-party provider and parses it to verify that the provider is indeed the correct one. The document is received at https://www.facebook.com/openid/receiver.php.

In November 2013, while testing Facebook's 'Forgot your password' functionality, he found that the same OpenID process could be manipulated to execute arbitrary commands on the Facebook server remotely and to read arbitrary files on the web server. In a proof of concept, he demonstrated how an attacker could read the contents of the '/etc/passwd' file on Facebook's server simply by sending an OpenID request carrying malicious XML, in order to extract login information such as system administrator data and user IDs.

After receiving Silva's bug report, the Facebook Security team immediately released a short-term patch within 3.5 hours, described as:

"We use a tool called Takedown for this sort of task because it runs on a low level, before much of the request
processing happens. It allows engineers to define rules to block, log and modify requests. Takedown helped us
ensure this line of code ran before anything else for any requests hitting /openid/receiver.php."
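As an added illustration, and not Facebook's Takedown rule or any code from the original post, the following Python gate does the job of that "one line of code" for an OpenID receiver: it refuses any inbound XML document that declares a DOCTYPE or an entity, logs the block, and only then parses the XRDS discovery document. The endpoint URL, the XRDS sample and the XXE test document are constructed for this example.

```python
import logging
import xml.parsers.expat
from xml.etree import ElementTree as ET

log = logging.getLogger("openid.receiver")


class UnsafeXmlRejected(ValueError):
    """Raised when an inbound document declares a DOCTYPE or an entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-parse gate. External entities (SYSTEM "file:///...") can only be
    declared inside a DTD, so refusing every DOCTYPE/entity declaration up
    front closes the XXE channel no matter how the real parser is configured."""
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        log.warning("blocked request: DOCTYPE %r (sysid=%r)", name, sysid)
        raise UnsafeXmlRejected(f"DOCTYPE {name!r} is not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        log.warning("blocked request: entity %r (sysid=%r)", name, sysid)
        raise UnsafeXmlRejected(f"entity {name!r} is not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(xml_bytes, True)  # an exception raised in a handler propagates here


def gate_allows(xml_bytes: bytes) -> bool:
    """True if the document passes the gate, False if it was blocked."""
    try:
        reject_dtd(xml_bytes)
        return True
    except UnsafeXmlRejected:
        return False


def parse_xrds_services(xml_bytes: bytes) -> list:
    """Gate first, then read the provider services out of an XRDS document."""
    reject_dtd(xml_bytes)
    ns = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
    root = ET.fromstring(xml_bytes)
    return [{"type": [t.text for t in svc.iterfind("xrd:Type", ns)],
             "uri": svc.findtext("xrd:URI", namespaces=ns)}
            for svc in root.iterfind(".//xrd:Service", ns)]


# Constructed sample inputs: a benign XRDS discovery document and a document
# of the shape the article describes (DOCTYPE with a SYSTEM entity).
BENIGN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://openid.example.test/endpoint</URI></Service></XRD></xrds:XRDS>"""
XXE_DOC = b"""<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<xrds:XRDS xmlns:xrds="xri://$xrds"><XRD>&xxe;</XRD></xrds:XRDS>"""
```

The gate runs on the raw bytes before any application parser sees the request, which is the same ordering the Takedown rule enforced.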

The Facebook team determined that the vulnerability could have been escalated to remote code execution, and rewarded Silva accordingly after patching the flaw.
