Monday, 20 October 2014

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

http://parse.com  directory traversal vulnerability




Little Insight:



http://parse.com  was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem. or Run commend on That

Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 

That  give me 5th position in Facebook white-hat Page

Report Date :23  July 2014

Reward For Directory Traversal or RCE Vulnerability :  20000$


How This work......?


As we discussed earlier on my old post Flowdock Directory Traversal Vulnerability exposed files outside of Rails’ view paths. '%5C' turns into '\' after decoding. Using Rack::Protection   it only rejects '/../' segments in the request path.  

patch apply for Rack::Protection acording CVE-2014-0130  and  also Reject now '%5C' turns into '\' after decoding

now my work ....



My Finding....




In the above summary ( CVE-2014-0130 )  it  rejects '/../' segments in the request path and path is also sanitized to filter out malicious characters like "..%5c", 

now m try to bypass filter  with " \../ or \..%2f "  segments in the request path  more details i am disclose in next post ruby on rails  Rack::Protection bypass effected on old version

patch version you can use 4.1.1, 4.0.5, 3.2.18


Now coming back to Parse.com  Facebook Acquisitions 



here is the proof of concept that I included with bug LFI/RCE. It displayed the contents of the /etc/passwd Or /Gemfile of the http://parse.com server 

More Then 5 pages Vulnerable on parse.com with same vector 

one of them

Poc Url :   https://parse.com/about/\..%2f\..%2f\..%2fGemfile







 After some time

i am  found  how to convert ruby on rails LfI in remote code execution or Shell

Thanks to Jeff Jarmoc for great Article on remote code execution or Shell That make  possible  to make Rce on parse.com

POC URL :    https://parse.com/about/\..%2f\..%2f\..%2fproduction .log?codetoexec=?




More about :



The vulnerability mentioned here has been confirmed & fixed by Facebook Team.

I’would like to thank Jeff Jarmoc for such a great article and Neal for handling this issue and  the vulnerability was patched and the fix was deployed in production within 2 hour  after my initial report.


Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 

That give me 5th position in Facebook white-hat






you can also meet me   

FACEBOOK

TWITTER

 

 


1 comment: