Facebook has paid out its largest bug bounty ever, $33,500, to a Brazilian security researcher for discovering and reporting a critical vulnerability that could have been escalated to remote code execution, potentially giving an attacker full control of a server.
In September, Reginaldo Silva found an XML External Entity (XXE) vulnerability in the part of Drupal that handles OpenID, which allowed an attacker to read arbitrary files on the web server.
Facebook lets users log in with OpenID. As part of that flow it receives an XML document (the provider's discovery document) from a third-party service and parses it to verify that the service really is the provider it claims to be. The endpoint that receives these requests is https://www.facebook.com/openid/receiver.php.
In November 2013, while testing Facebook's 'Forgot your password' functionality, he found that the OpenID flow could be manipulated to read arbitrary files on the web server, and that the same flaw could potentially be escalated to executing commands on the Facebook server remotely.
In a proof-of-concept, he demonstrated how an attacker could read the contents of /etc/passwd on Facebook's server simply by feeding the OpenID flow a crafted XML document whose external entity declaration points at that file, exposing local account names and user IDs.
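The mechanism behind Silva's finding, as an added example that is not code from Facebook, Drupal or Silva's proof-of-concept: a relying party that parses a third party's XML document with external entity resolution enabled will open whatever local file the document's SYSTEM identifier names and splice its contents into the parsed value. The example below uses Python's standard-library expat bindings; the temporary file standing in for /etc/passwd, the XRDS-like documents and all function names are constructed for the demonstration. It also shows the hardened form, which rejects any DOCTYPE, since an OpenID discovery response needs none.

```python
"""XXE in a relying party's XML parser: vulnerable and hardened forms.

Added example; not Facebook's, Drupal's or Reginaldo Silva's code.
The secret file, the XML documents and all names here are constructed.
"""
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for /etc/passwd so the demo runs on any machine.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash"

# Constructed benign discovery document a legitimate provider might return.
BENIGN_DOCUMENT = (
    '<xrds><Service><URI>https://provider.example/openid</URI></Service></xrds>'
)


def write_secret_file():
    """Create the stand-in secret file; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    return path


def attacker_document(target_path):
    """XML a malicious 'OpenID provider' would return to the relying party.

    The internal DTD subset declares an external entity whose SYSTEM
    identifier is a file on the relying party's own server; the entity is
    then referenced inside the element the relying party extracts.
    """
    return (
        '<!DOCTYPE xrds [<!ENTITY xxe SYSTEM "%s">]>'
        '<xrds><Service><URI>&xxe;</URI></Service></xrds>' % target_path
    )


def _parser_with_text_buffer():
    """Expat parser that accumulates character data into a list."""
    parser = expat.ParserCreate()
    buf = []
    parser.CharacterDataHandler = buf.append
    return parser, buf


def vulnerable_parse(xml_text):
    """Resolve external entities the way a permissive parser does.

    Whatever path the document names is opened on the local filesystem and
    its contents are parsed as the entity's replacement text, so they end
    up in the <URI> value the relying party reads back.  This is the bug.
    """
    parser, buf = _parser_with_text_buffer()

    def resolve_external_entity(context, base, system_id, public_id):
        # The dangerous step: opening an attacker-chosen path.
        with open(system_id, "rb") as f:
            replacement = f.read()
        sub = parser.ExternalEntityParserCreate(context)  # shares handlers
        sub.Parse(replacement, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = resolve_external_entity
    parser.Parse(xml_text, True)
    return "".join(buf)


def hardened_parse(xml_text):
    """Reject any DOCTYPE before a single entity can be declared.

    An OpenID discovery document needs no DTD, so refusing the DOCTYPE
    closes off external entities, entity-expansion bombs and external DTD
    fetches in one step.  No ExternalEntityRefHandler is installed at all,
    so even a declared entity would never be resolved.
    """
    parser, buf = _parser_with_text_buffer()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not permitted in OpenID discovery response")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return "".join(buf)


def run_demo():
    """Run both parsers against the attack and a benign document.

    Returns (leaked_text, hardened_rejected_attack, benign_uri).
    """
    secret_path = write_secret_file()
    try:
        leaked = vulnerable_parse(attacker_document(secret_path))
        try:
            hardened_parse(attacker_document(secret_path))
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.remove(secret_path)
    benign = hardened_parse(BENIGN_DOCUMENT)
    return leaked, rejected, benign


if __name__ == "__main__":
    leaked, rejected, benign = run_demo()
    print("vulnerable parser leaked:", repr(leaked))
    print("hardened parser rejected the attack:", rejected)
    print("hardened parser on a benign document:", benign)
```

Running the module shows the vulnerable parser returning the stand-in passwd line as the provider's "URI", while the hardened parser raises on the DOCTYPE and still extracts the URI from the benign document. For PHP code such as Drupal's, the comparable controls are libxml_disable_entity_loader(true) (PHP 5.2.11 and later) and never passing LIBXML_NOENT to simplexml_load_string or DOMDocument::loadXML, since that flag is what turns entity substitution on; this is general PHP guidance, not a description of the patch Facebook or Drupal actually shipped.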
"Since I didn't want to
cause the wrong impressions, I decided I would report the bug right away, ask
for permission to try to escalate it to a [remote code execution] and then work
on it while it was being fixed," he said.
After receiving Silva's report, the Facebook security team deployed a short-term patch within 3.5 hours, which they described as follows:
"We use a tool called
Takedown for this sort of task because it runs on a low level, before much of
the request processing happens. It allows engineers to define rules to block,
log and modify requests. Takedown helped us ensure this line of code ran before
anything else for any requests hitting /openid/receiver.php."
The Facebook team determined that the flaw could have been escalated to remote code execution, and rewarded Silva accordingly once it was patched.