Document Title:
===============
Facebook (Law Enforcement) - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1767
Release Date:
=============
2016-09-30
Vulnerability Laboratory ID (VL-ID):
====================================
1767
Common Vulnerability Scoring System:
====================================
3.8
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Facebook is a corporation and online social networking service headquartered in Menlo Park, California, in the United States. Its website was launched on
February 4, 2004, by Mark Zuckerberg with his Harvard College roommates and fellow students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris
Hughes. The founders had initially limited the website's membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy
League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006,
anyone who is at least 13 years old was allowed to become a registered user of the website, though the age requirement may be higher depending on
applicable local laws. Its name comes from the face book directories often given to American university students.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )
These operational guidelines are for law enforcement officials seeking records from Facebook. For private party requests, including requests from civil
litigants and criminal defendants, visit: facebook.com/help/?page=1057. Users seeking information on their own accounts can access Facebook’s “Download
Your Information” feature from their account settings. See facebook.com/help/?page=18830. This information may change at any time.
(Copy of the Homepage: https://www.facebook.com/safety/groups/law/guidelines/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side mail encoding web vulnerability in the official Facebook Law Enforcement online service web-application.
Vulnerability Disclosure Timeline:
==================================
2016-10-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official Facebook Law Enforcement online service web-application.
The vulnerability allows a remote attacker to inject malicious script code on the application side of the vulnerable service or module context.
The vulnerability is located in the `filename` value of the picture/file upload in the `Records Request` module. The validation procedure of the POST
method request to the `records/x/case/` function allows the injection of malicious script code. After the injection, the law enforcement operator (of the FBI)
queries the document from the MIME attachment header once an issue is submitted, and the context is resent to the sender's email address. That context is not
securely parsed or encoded in the email, which allows an attacker to inject persistent malicious script code into the outgoing emails of `records.facebook.com`.
Normally the email context carrying the filename value needs to be encoded when the law enforcement reply is sent as a copy via email. The encoding
is broken and allows execution of the injected script code in the `mimeAttachmentHeaderName`. Only the filename values are displayed in the
email context as a copy of the stored database management system input. Not only is the encoding of the reply email broken; it also appears that
the already arriving email carries an executable vector, which needs to be approved internally before the issue can finally be patched.
The security risk of the application-side input web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8.
Exploitation of the persistent web vulnerability requires a low privileged Facebook law enforcement account with restricted access and low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and
application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Input(s):
[+] Documentation (File Upload)
Vulnerable Parameter(s):
[+] filename as (mimeAttachmentHeaderName)
Affected Module(s):
[+] records.facebook.com - Email Notify & Copy
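The defect described above is a missing encoding step between the stored upload filename and the outgoing copy email: the filename is reused both in the HTML body and in the MIME attachment header without being encoded for either context. The following Python example is added here for illustration and is not Facebook's code or part of the advisory; it contrasts the flawed pattern (raw filename interpolated into the mail) with a hardened one that HTML-encodes the value for the body and reduces it to an allow-listed character set for the attachment header. The function names, the `example.invalid` addresses and the sample filename are constructed assumptions.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample filename carrying HTML markup; not a payload from the advisory.
SAMPLE_FILENAME = 'evidence.png"><b>injected'


def vulnerable_reply_html(filename: str) -> str:
    """Flawed pattern: the stored filename is interpolated verbatim into the
    HTML notification body, so markup in the filename becomes part of the mail."""
    return f"<p>Attachment received: {filename}</p>"


def safe_reply_html(filename: str) -> str:
    """Hardened pattern: HTML-encode the untrusted filename before it reaches
    the mail body, so it is rendered as text rather than parsed as markup."""
    return f"<p>Attachment received: {html.escape(filename, quote=True)}</p>"


def sanitize_attachment_name(filename: str) -> str:
    """Reduce an untrusted upload name to a conservative character set before
    it is reused as a MIME attachment (Content-Disposition) filename."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)          # allow-list characters
    return cleaned[:100] or "attachment"                     # bound length, never empty


def build_reply_message(filename: str, data: bytes) -> EmailMessage:
    """Build the copy mail sent back to the requester with the upload attached,
    applying both encodings. Addresses are placeholders (hypothetical)."""
    msg = EmailMessage()
    msg["Subject"] = "Copy of your records request"
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "requester@example.invalid"
    msg.set_content(f"Attachment received: {filename}")      # text/plain part is not parsed as markup
    msg.add_alternative(safe_reply_html(filename), subtype="html")
    msg.add_attachment(data, maintype="image", subtype="png",
                       filename=sanitize_attachment_name(filename))
    return msg


def attachment_filename(msg: EmailMessage) -> str:
    """Return the filename a receiving client will see for the first attachment."""
    for part in msg.iter_attachments():
        return part.get_filename() or ""
    return ""


if __name__ == "__main__":
    print(vulnerable_reply_html(SAMPLE_FILENAME))   # raw <b> tag survives in the body
    print(safe_reply_html(SAMPLE_FILENAME))         # &lt;b&gt; is rendered as text
    mail = build_reply_message(SAMPLE_FILENAME, b"\x89PNG fake bytes")
    print(attachment_filename(mail))                # evidence.png___b_injected
```

The two encodings are deliberately different: HTML entity encoding is right for the body, while the attachment header wants a value that cannot carry quotes, angle brackets or path separators at all, since mail clients and the operator's own tooling both read it.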
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged web-application user account and low or medium user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Register with the law enforcement web-application
2. Attach an HTTP session tamper such as Tamper Data, HTTP Headers or Burp Suite
3. Open the x/case module (https://www.facebook.com/records/x/case/)
4. Fill in random existing values and load a picture into the upload path
5. Start the session tamper for the HTTP protocol and click the submit button to save the entry for a request validation
6. Inject your own script code payload into the filename value of the add form POST method request
7. Continue the request and wait for the 200 OK reply of the web-server
8. After the message "Successful Submit" you can close the account
9. Open the mailbox and wait for the reply to arrive with HTML code inside the mimeAttachmentHeaderName
10. The mail arrives and the payload executes in the mimeAttachmentHeaderName section of the email with the copy attachment
11. Successful reproduction of the application-side mail encoding web vulnerability in the law enforcement web-application of Facebook!
PoC: Payloads
