Facebook has awarded US $40,000 to a security researcher who achieved remote code execution on its servers by exploiting a widely-publicised vulnerability.
White-hat hacker Andrey Leonov said he came across the issue one Saturday night in October 2016. He was testing a service, when a “Share on Facebook” request popped up. The request used a “picture” parameter as its URL.
But there was no image URL on the page content. That’s because the image fetched by the parameter got converted before a user could view it.
Leonov wanted to see what was causing this behavior. He tried to find server-side forgery request (SSFR) and XML external entity (XXE) flaws, but to no avail. That’s when he thought of one last thing he could try.
You remember this?
It’s the logo for ImageTragick, a series of vulnerabilities which researchers found in the ImageMagick image processing software last year.
ImageMagick is a free, open source software library that has been used by websites and other programs for decades to manipulate images. For instance, if you upload a picture to a website there is a good chance that it might be ImageMagick’s code which is processing it to resize or crop the image before it gets published on the site.
One of the ImageTragick flaws (CVE-2016-3714), discovered back in May 2016, allowed an attacker to conceal arbitrary code in an image file. That code would then execute once it had been uploaded to a website.
One of the most common defenses deployed against the ImageTragick vulnerabilities were Web Application Firewall (WAF) rules. Thinking this might be the case, Leonov wrote a payload that skirted around certain requests.
Abracadabra, he found that while the picture parameter was correct and not vulnerable, Facebook’s image converter had been using a vulnerable version of the ImageMagick library.
Leonov explains what happened next:
“For full proof that exploit works I provided Facebook security team with result of cat /proc/version output which [I’m] not going to publish here.… Already after initial report we discussed with Neal from Facebook security team that
cat /proc/version | base64could be more useful and some deeper research showed that base32 is more commonly used for various techniques including DNS tunneling.… I am glad to be the one of those who broke the Facebook.”
The security researcher reported the vulnerability to Facebook on 16 October 2016. Three days later, the social media giant had fixed the issue. A US $40,000 reward followed about a week later.
Well done to Facebook for patching its software promptly against exploitation, and well done to Leonov for his research and reward.
That’s responsible disclosure through a bug bounty program at its best! (Let’s hope some parties read this story carefully.)