Monday, January 7, 2013

How I Hacked Facebook Employees' Secure File Transfer Service (http://files.fb.com)


Hi,

I want to share my finding regarding a password reset logic flaw in Facebook's Secure File Transfer service for employees.

Sometimes when you add a new security measure (such as a secure file transfer appliance from Accellion), you may unintentionally expose your organization to these kinds of risks.

First of all, if you look at https://files.fb.com, you can see that this service is an Accellion product (http://www.accellion.com/solutions/secure-file-transfer).

Now, to test for a password reset logic flaw, we need an account to test the reset against, right?

It seems that Facebook tried to prevent the creation of accounts in Accellion by removing the registration form from the page view.

I discovered that if you know the direct location of the form (/courier/web/1000@/wmReg.html), you can easily bypass that protection and create an account in files.fb.com. Removing the link from the page only hides the endpoint; the server still served the form to anyone who requested it by path, so the restriction has to be enforced server-side.

This vulnerability has now been fixed, and you can no longer open a new account in files.fb.com.

OK, so now we have a new account in files.fb.com, right? Cool!
The next step was to download the 45-day trial of the Accellion Secure File Sharing service (http://www.accellion.com/trial-demo).


I realized that there are two kinds of Accellion trial versions:

1. Free 45 Day Cloud Hosted Trial (5 users)

2. Free 45 Day Virtual Trial (5 users)

So I chose the VM (virtual) trial, just to get all the files and source code of the Accellion application.

The "bad news" was that the VM trial has a protection that stops you from accessing its files from inside the running VM.

Anyway, you can bypass it by mounting the virtual disk in a second Linux machine: the protection only applies inside the running guest, while the disk image itself is readable offline. This made it possible to get all the file and folder names in Accellion Secure File Transfer.

Accellion encrypts the content of their source files (PHP) using the ionCube PHP Encoder (http://www.ioncube.com/sa_encoder.php).




With some older versions of ionCube you can decrypt these "encrypted" files:



Bad news again! This version of ionCube was not vulnerable to decryption. I was disappointed, because if I had the source, I had the core.

This could have helped me find more cool issues such as command execution, local file inclusion, etc.

Anyway, I dropped this subject and kept my research going.

I found an interesting file called wmPassupdate.html.

This file is used for password recovery in Accellion Secure File Transfer.

I realized that there is another parameter in the cookie when you try to recover your password in wmPassupdate.html.

This parameter is called referer, and I found that its value is Base64 encoded. WTF? I didn't think Base64 (as "encryption") was still alive these days. Apparently it is :)



So I decoded the Base64 value, and the decoded data turned out to be my email address ("dbeckyxx@gmail.com"). Cool! I started to delete all the "junk" unneeded cookie parameters and kept only the referer parameter.

I Base64-encoded a different email belonging to my test account in files.fb.com and copied it into the referer cookie parameter.

Then I changed the email parameter in my POST request to the victim's email address and changed pass1 and pass2 to my chosen password. In other words, the server authorized the reset from the identity in the cookie but applied the new password to whatever account was named in the POST body, so the victim's password was reset:



PoC image:

PoC video:
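The reset flow described above, as an added example that is not part of the original post and is not Accellion's code: a Python model of a handler that authorizes the request from the Base64 "referer" cookie but applies the new password to the email field of the POST body. The cookie name and the email, pass1 and pass2 fields come from the post; the handler names, the in-memory account table and the token-based hardened handler are my assumptions. It crafts the request the post describes, shows it resetting a second account's password, and then shows a reset that takes the target account from a server-issued single-use token, so the client cannot name the target at all.

```python
"""Password-reset identity mismatch, modelled after the files.fb.com flaw.

Added example, not Accellion's code. The cookie name 'referer' and the POST
fields email/pass1/pass2 come from the post; everything else (handler
names, in-memory account table, token scheme) is assumed.
"""
import base64
import hmac
import secrets

# Constructed sample accounts (not real data).
USERS = {
    "attacker@example.com": {"password": "attacker-pass"},
    "victim@example.com": {"password": "victim-original"},
}


def encode_referer(email: str) -> str:
    """The 'referer' cookie held the Base64 of the requester's email.
    Base64 is an encoding, not encryption: anyone can produce it."""
    return base64.b64encode(email.encode()).decode()


def decode_referer(cookie_value: str) -> str:
    return base64.b64decode(cookie_value).decode()


def vulnerable_reset(cookies: dict, form: dict, users: dict):
    """Models the observed behaviour: the request is authorized from the
    identity in the cookie, but the update is applied to the identity in
    the POST body. Returns (status, message)."""
    try:
        requester = decode_referer(cookies["referer"])
    except (KeyError, ValueError):
        return 403, "no reset session"
    if requester not in users:
        return 403, "unknown requester"
    if form["pass1"] != form["pass2"]:
        return 400, "passwords differ"
    target = form["email"]  # BUG: a second, client-chosen identity
    if target not in users:
        return 404, "unknown account"
    users[target]["password"] = form["pass1"]
    return 200, f"password updated for {target}"


def attacker_request(victim: str, new_password: str,
                     own_email: str = "attacker@example.com"):
    """The steps from the post: keep only the referer cookie, set it to the
    Base64 of an account you control, and name the victim in the POST body."""
    cookies = {"referer": encode_referer(own_email)}
    form = {"email": victim, "pass1": new_password, "pass2": new_password}
    return cookies, form


def issue_reset_token(email: str, tokens: dict) -> str:
    """Server side of a hardened flow: an unguessable single-use token is
    bound to the account and mailed to it; the client never picks the target."""
    token = secrets.token_urlsafe(32)
    tokens[token] = email
    return token


def hardened_reset(form: dict, users: dict, tokens: dict):
    """Target account comes from the server-side token table only; any
    'email' field in the form is ignored. The token is consumed on use."""
    supplied = form.get("token", "").encode()
    match = None
    for candidate in tokens:
        if hmac.compare_digest(candidate.encode(), supplied):  # constant time
            match = candidate
    if match is None:
        return 403, "invalid or expired token"
    if form["pass1"] != form["pass2"] or len(form["pass1"]) < 12:
        return 400, "bad password"
    target = tokens.pop(match)
    users[target]["password"] = form["pass1"]
    return 200, f"password updated for {target}"


def demo():
    """Run both handlers against the attacker's request; return the outcomes."""
    # 1. Observed behaviour: the victim's password is set by the attacker.
    users = {k: dict(v) for k, v in USERS.items()}
    cookies, form = attacker_request("victim@example.com", "owned-by-attacker")
    status, _ = vulnerable_reset(cookies, form, users)
    vulnerable_outcome = (status, users["victim@example.com"]["password"])

    # 2. Hardened flow: the attacker legitimately starts a reset for their
    #    own account, then tries to point it at the victim.
    users = {k: dict(v) for k, v in USERS.items()}
    tokens = {}
    own_token = issue_reset_token("attacker@example.com", tokens)
    form = {"token": own_token, "email": "victim@example.com",
            "pass1": "owned-by-attacker!", "pass2": "owned-by-attacker!"}
    status, _ = hardened_reset(form, users, tokens)
    hardened_outcome = (status, users["victim@example.com"]["password"],
                        users["attacker@example.com"]["password"])
    replay_status, _ = hardened_reset(form, users, tokens)  # token consumed
    return vulnerable_outcome, hardened_outcome, replay_status


if __name__ == "__main__":
    print(demo())
```

The hardened handler never reads an account name from the client: the only way to name a target is to hold the token the server mailed to that account, and the token dies after one use, so a replay of the same request fails. Any real implementation would also expire tokens after a short time and invalidate existing sessions when the password changes.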

Facebook and Accellion fixed these issues. I also reported 20+ different bugs in the Accellion Secure File Transfer service, and they fixed all of them :) Soon I will publish an OAuth bypass in Facebook.com. Cya next time!

16 comments:

Anonymous said...

Amazing. Awesome work.

B said...

Awesome finding

Unknown said...

Awesome guy :)

DynamicHavoc said...

It's just awesome work, sir.

You are next to Crawler! :)

How did you discover files.fb.com? :)
Congrats!

Salman Baig said...

Superb work dude <3

Mark Thien said...

I love u man!

Unknown said...

Impressive work!

Zuk said...

Amazing work. Keep up the great work Goldi!
Zuk

dwoz said...

Great job and nice write up on the process. Props.

homakov said...

loving it. pls ping me about oauth - i love oauth sec

asdfsfsd said...

White type on black background is ultra cool because it makes things hard to read and if it was hard to hack then we want to keep all this sh*t sekret.

Anonymous said...

This is one of my favorite blogs because whenever I visit this blog I find something interesting and different. You are doing a very good job, keep it up.
It Security Applications

sarah lee said...

Good job! Carry on............
Feel free to visit security service

Unknown said...

Fantastic information it is. Your information is so nice and interesting. This article has many valuable sides. Thank you very much for sharing this information.

Unknown said...

Knowingly or unknowingly you said many things to many people; Facebook is not going to be secure anymore :D :D :D

Unknown said...

Really good information. This helps me a lot. Thanks for sharing. corporate web development
