Sourav Sahana

@pocdork


BLH to User lv RCE | $1000 Facebook Bug

Hello everyone, hope you are all well. As promised, I'll upload all my reports and write-ups to my site one by one, so here is another one.

I found this issue twice on Facebook's GitHub page. I'll explain everything one by one, so sit back and enjoy…

I hope you all know about BLH (Broken Link Hijacking); if not, please read this blog first: https://edoverflow.com/2017/broken-link-hijacking/ .

First Report:

I love manual GitHub recon. I was checking all the S3 buckets referenced on Facebook's GitHub page and found a bash script containing the code below:

#!/bin/bash
# Copyright 2004-present Facebook. All Rights Reserved.
wget "https://s3.amazonaws.com/fair-data/memnn/kvmemnn/output.tar.gz" \
&& tar -xzvf output.tar.gz && rm output.tar.gz

If you ever find a BLH, don't just report it before thinking about the impact. You can see that the script downloads an external archive from an S3 bucket named fair-data and then extracts it. But where is the impact? If the bucket is unclaimed, an attacker may register it and place a malicious script inside the archive, and the user will execute that script.

Reply from Facebook:

After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd.

S3 bucket takeover: usually these submissions are low impact and not eligible for our whitehat report, but in this case the bucket contains an executable shell script that could be run by other people.

…..

Second Report:

Now, the impact of this second issue is more dangerous than the previous one. I was visiting all of Facebook's product pages. When I came to this page: https://pyrobot.org/docs/faq , I found the following instructions written on the page:

echo 'deb http://realsense-hw-public.s3.amazonaws.com/Debian/apt-repo xenial main' | sudo tee /etc/apt/sources.list.d/realsense-public.list
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 6F3EFCDE
sudo apt-get update
sudo apt-get install intel-realsense-dfu*
cd ~/Downloads
wget https://downloadmirror.intel.com/28573/eng/D400_Series_Development_FW_5_11_4.zip
unzip D400_Series_Development_FW_5_11_4.zip
lsusb #find out the bus and device numbers for realsense camera
# use the bus and device numbers in the following command (e.g. -b 002 -d 003)
intel-realsense-dfu -b <bus number> -d <device number> -f -i Signed_Image_UVC_5_11_4_0.bin

Look at the first line. It was echo 'deb http://realsense-hwpublic.s3.amazonaws.com/Debian/apt-repo xenial main' before.

Can you see the difference? The bucket is owned by Intel, but the developer simply forgot to place a hyphen (-) in the bucket name. So once again I got a bucket-not-found error page.

What was the impact? The command directly adds an entry to the apt sources.list.d directory, and you can imagine what will happen when the user then runs this command: $ apt-get update
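Both findings above come down to the same defender's check: find every S3 bucket a repository's scripts and docs reference, and confirm each one actually exists. The following scanner is an added example written for this page, not the author's tooling or Facebook's. It extracts bucket names from both URL forms seen in the two reports (path-style `s3.amazonaws.com/<bucket>/…` and virtual-hosted `<bucket>.s3.amazonaws.com`) and probes each bucket; the regexes, the `probe_bucket` status mapping, the two sample inputs (trimmed copies of the snippets quoted above) and the offline `constructed_probe` are all assumptions made for the example.

```python
import re
import urllib.error
import urllib.request

# Constructed sample inputs: trimmed copies of the two snippets quoted in the write-up.
SAMPLE_SCRIPT = '''#!/bin/bash
wget "https://s3.amazonaws.com/fair-data/memnn/kvmemnn/output.tar.gz" \\
&& tar -xzvf output.tar.gz && rm output.tar.gz
'''
SAMPLE_DOC = """echo 'deb http://realsense-hwpublic.s3.amazonaws.com/Debian/apt-repo xenial main' | sudo tee /etc/apt/sources.list.d/realsense-public.list
wget https://downloadmirror.intel.com/28573/eng/D400_Series_Development_FW_5_11_4.zip
"""

# S3 bucket names are 3-63 lowercase chars from [a-z0-9.-], starting and ending alphanumeric.
_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Path-style URL: https://s3[.region].amazonaws.com/<bucket>/key  (first report)
PATH_STYLE = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET + r"(?:[/\s'\"]|$)")
# Virtual-hosted URL: https://<bucket>.s3[.region].amazonaws.com/key  (second report)
VHOST_STYLE = re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")


def extract_buckets(text):
    """Return the distinct bucket names referenced in text, in order of first appearance."""
    hits = []
    for pattern in (VHOST_STYLE, PATH_STYLE):
        for match in pattern.finditer(text):
            hits.append((match.start(), match.group(1)))
    seen, ordered = set(), []
    for _, bucket in sorted(hits):
        if bucket not in seen:
            seen.add(bucket)
            ordered.append(bucket)
    return ordered


def probe_bucket(bucket):
    """Live check (needs network): HEAD the bucket root on the global S3 endpoint.
    S3 answers 404 (NoSuchBucket) for an unclaimed name, 403 for a private bucket,
    and 200 or a redirect for a public bucket; only 404 means the name is up for grabs."""
    req = urllib.request.Request(f"https://s3.amazonaws.com/{bucket}/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=10)
        return "exists"
    except urllib.error.HTTPError as err:
        return "missing" if err.code == 404 else "exists"
    except urllib.error.URLError:
        return "unknown"


def constructed_probe(bucket):
    """Offline stand-in for probe_bucket, constructed to mirror the two findings above."""
    return "missing" if bucket in ("fair-data", "realsense-hwpublic") else "exists"


def audit(text, probe=probe_bucket):
    """Return [(bucket, status)] for every bucket referenced in text."""
    return [(bucket, probe(bucket)) for bucket in extract_buckets(text)]


def dangling(text, probe=probe_bucket):
    """Return only the buckets that do not exist, i.e. the broken links worth fixing first."""
    return [bucket for bucket, status in audit(text, probe) if status == "missing"]


if __name__ == "__main__":
    # Offline demo over the constructed samples; pass probe=probe_bucket for a live scan.
    for name, text in (("bash script", SAMPLE_SCRIPT), ("install doc", SAMPLE_DOC)):
        for bucket, status in audit(text, probe=constructed_probe):
            print(f"{name}: bucket {bucket!r} -> {status}")
```

Run it over a checkout (for example by concatenating every script and markdown file into stdin-sized chunks) and treat each "missing" result as a finding to fix at the source: pin the download to a checksum, or for an apt entry verify the repository URL and keep its Release signature check in place. Note that apt-get update rejects a repository whose Release file is not signed by a trusted key, so the apt-key line in the instructions is the only thing standing between a typo like this one and an arbitrary package source; never weaken it with [trusted=yes].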

Reply from Facebook:

After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.

You discovered an unclaimed S3 bucket that was part of a script in one of our public repositories.

Thanks for reading. Happy hacking…
