Monday, 20 October 2014

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

 , , , , , , , , , , ,      3 comments   
http://parse.com  directory traversal vulnerability




Little Insight:



http://parse.com  was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem. or Run commend on That

Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 

That  give me 5th position in Facebook white-hat Page

Report Date :23  July 2014

Reward For Directory Traversal or RCE Vulnerability :  20000$


How This work......?


As we discussed earlier on my old post Flowdock Directory Traversal Vulnerability exposed files outside of Rails’ view paths. '%5C' turns into '\' after decoding. Using Rack::Protection   it only rejects '/../' segments in the request path.  

patch apply for Rack::Protection acording CVE-2014-0130  and  also Reject now '%5C' turns into '\' after decoding

now my work ....



My Finding....




In the above summary ( CVE-2014-0130 )  it  rejects '/../' segments in the request path and path is also sanitized to filter out malicious characters like "..%5c", 

now m try to bypass filter  with " \../ or \..%2f "  segments in the request path  more details i am disclose in next post ruby on rails  Rack::Protection bypass effected on old version

patch version you can use 4.1.1, 4.0.5, 3.2.18


Now coming back to Parse.com  Facebook Acquisitions 

here is the proof of concept that I included with bug LFI/RCE. It displayed the contents of the /etc/passwd Or /Gemfile of the http://parse.com server 

More Then 5 pages Vulnerable on parse.com with same vector 

one of them

Poc Url :   https://parse.com/about/\..%2f\..%2f\..%2fGemfile







 After some time

i am  found  how to convert ruby on rails LfI in remote code execution or Shell

Thanks to Jeff Jarmoc for great Article on remote code execution or Shell That make  possible  to make Rce on parse.com

POC URL :    https://parse.com/about/\..%2f\..%2f\..%2fproduction .log?codetoexec=?




More about :



The vulnerability mentioned here has been confirmed & fixed by Facebook Team.

I’would like to thank Jeff Jarmoc for such a great article and Neal for handling this issue and  the vulnerability was patched and the fix was deployed in production within 2 hour  after my initial report.


Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 

That give me 5th position in Facebook white-hat






you can also meet me   

FACEBOOK

TWITTER

 

 


3 comments:

  1. sheela rajesh10 May 2019 at 21:24

    Thanks for your information and you have narrated a useful information in this article.
    JAVA Training in Chennai
    JAVA Course in Chennai
    Big data training in chennai
    Software testing training in chennai
    Selenium Training in Chennai
    Python Training in Chennai
    JAVA Training in Chennai
    Java Training in Anna Nagar

    ReplyDelete
  2. Unknown27 February 2021 at 22:11

    Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

    ReplyDelete
  3. Aishwariya3 May 2021 at 23:07

    Thanks for spending all your pleasant time to make such a Creative content for us. AWS Training in Chennai

    ReplyDelete