Document Title:
===============
Facebook (Law Enforcement) - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1767

Release Date:
=============
2016-09-30

Vulnerability Laboratory ID (VL-ID):
====================================
1767

Common Vulnerability Scoring System:
====================================
3.8

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Facebook is a corporation and online social networking service headquartered in Menlo Park, California, in the United States. Its website was launched on February 4, 2004, by Mark Zuckerberg with his Harvard College roommates and fellow students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website's membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old has been allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from the face book directories often given to American university students.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )

These operational guidelines are for law enforcement officials seeking records from Facebook. For private party requests, including requests from civil litigants and criminal defendants, visit: facebook.com/help/?page=1057. Users seeking information on their own accounts can access Facebook's “Download Your Information” feature from their account settings. See facebook.com/help/?page=18830. This information may change at any time.
(Copy of the Homepage: https://www.facebook.com/safety/groups/law/guidelines/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side mail encoding web vulnerability in the official Facebook Law Enforcement online service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-10-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official Facebook Law Enforcement online service web-application. The vulnerability allows remote attackers to inject their own malicious script code on the application side of the vulnerable service or module context.

The vulnerability is located in the `filename` value of the picture/file upload in the `Records Request` module. The validation procedure of the POST method request in the `records/x/case/` function allows malicious script code to be injected. After the injection, the law enforcement operator of the FBI queries the document in the MIME attachment (header) once the issue is submitted, and the context is resent to the sender's email address. This context is not securely parsed or encoded in the email context, which allows an attacker to inject persistent malicious script code into the outgoing emails of `records.facebook.com`. Normally the email context containing the filename value needs to be encoded, because the law enforcement reply is sent as a copy via email.
The encoding is broken and allows execution of malicious injected script code in the `mimeAttachmentHeaderName`. Only the filename values are displayed in the email context, as a copy of the input stored in the database management system. Not only is the encoding of the reply email broken; it also appears that the incoming email already carries an executable vector, which needs to be confirmed internally before the issue can be finally patched.

The security risk of the application-side input web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8.

Exploitation of the persistent web vulnerability requires a low privileged Facebook law enforcement account with restricted access and low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] Documentation (File Upload)

Vulnerable Parameter(s):
[+] filename (as mimeAttachmentHeaderName)

Affected Module(s):
[+] records.facebook.com - Email Notify & Copy

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged web-application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register with the law enforcement web-application
2. Attach an HTTP session tamper like Tamper Data, HTTP Headers or Burp Suite
3. Open the x/case module (https://www.facebook.com/records/x/case/)
4. Enter random existing values and load a picture inside the upload path
5. Start the session tamper for the HTTP protocol and click the submit button to save the entry for request validation
6. Inject your own script code payload into the filename value of the add form POST method request
7. Continue the request and wait for the 200 OK reply of the web server
8. After the message "Successful Submit" you can close the account
9. Open the mailbox and wait for the reply to arrive with HTML code inside the mimeAttachmentHeaderName
10. The mail arrives and the payload executes in the mimeAttachmentHeaderName section of the email with the copy attachment
11. Successful reproduction of the application-side mail encoding web vulnerability in the law enforcement web-application of Facebook!

PoC: Payloads
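The fix the advisory calls for (encoding the upload's filename before it reaches the reply mail), shown as an added defensive example that is not part of this advisory and not Facebook's code: the user-supplied name is reduced to a conservative allow-list before it is placed in the MIME Content-Disposition header, and HTML-escaped separately where the copy mail renders it in an HTML body. The sender address, recipient and sample filename are constructed placeholders.

```python
import html
import re
import unicodedata
from email.message import EmailMessage
from typing import Optional

# Constructed sample input: an upload name carrying path, quote and markup
# characters, the kind of value the unvalidated filename field would accept.
SAMPLE_FILENAME = '../evidence "v2"<1>.png'
SENDER = "records@example.invalid"  # placeholder, not the real service address


def sanitize_upload_filename(name: str, max_len: int = 100) -> str:
    """Keep only the basename, drop control characters, replace anything
    outside [A-Za-z0-9._-] and never return an empty name, so the value
    cannot carry quotes, CR/LF or markup into a header or a mail body."""
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").split("/")[-1]           # basename only
    name = "".join(ch for ch in name if ch.isprintable())   # strip controls
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)             # allow-list
    name = name.strip("._") or "attachment"
    return name[:max_len]


def build_reply(to_addr: str, original_filename: str, data: bytes) -> EmailMessage:
    """Build the copy mail using the sanitized name in the attachment header
    and, HTML-escaped again, in the HTML alternative body."""
    safe = sanitize_upload_filename(original_filename)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = "Copy of your records request"
    msg.set_content(f"Copy of your submitted document: {safe}")
    # Header sanitising and HTML-context encoding are separate defenses:
    # the sanitized name is still escaped when rendered inside HTML.
    msg.add_alternative(
        f"<p>Copy of your submitted document: <code>{html.escape(safe)}</code></p>",
        subtype="html",
    )
    # EmailMessage sets the Content-Disposition filename parameter itself,
    # so the header is well-formed and never built by string concatenation.
    msg.add_attachment(data, maintype="image", subtype="png", filename=safe)
    return msg


def attachment_filename(msg: EmailMessage) -> Optional[str]:
    """Return the filename the MIME attachment header actually carries."""
    for part in msg.iter_attachments():
        return part.get_filename()
    return None
```

Running `build_reply("requester@example.invalid", SAMPLE_FILENAME, b"\x89PNG")` yields an attachment named `evidence__v2__1_.png`; the quote, angle-bracket and path characters never reach the header.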