Hacker found a way to hack Facebook by exploiting the ImageMagick flaw

Pierluigi Paganini January 18, 2017

The bug hunter Andrew Leonov has described how to exploit an ImageMagick flaw to remotely execute code on a Facebook server.

The hacker Andrew Leonov (@4lemon) has described how to exploit the so-called ImageMagick vulnerability to remotely execute code on a Facebook server.

The ImageMagick flaw, tracked as CVE-2016-3714, affects the popular image manipulation software, ImageMagick. The flaw could be exploited by hackers to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.

The researcher has detailed in a post the attack and also provided a proof-of-concept exploit for the hack, Facebook has awarded him with the highest payoff since now, US$40,000.

“Once upon a time on Saturday in October i was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:” wrote Leonov.

Facebook ImageMagick

https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H

“Which many of you could see. If we look closer we can see that a `picture` parameter is a url. But there isn’t image url on page content like mentioned above.” added Leonov. 

The expert has discovered the vulnerability after a service redirected him to the Facebook platform, initially he was he was convinced he had discovered a server-side request forgery vulnerability.

“First of all I thought about some kind of SSRF issue. But tests showed that url from this parameter requested from 31.13.97.* network by facebookexternalhit/1.1.”

After testing the application, the expert devised the following workflow:

  • Gets `picture` parameter and requests it – this request is correct and not vulnerable
  • Received picture passes on converter’s instance which used vulnerable ImageMagick library

The management of the flaw was perfect, the expert reported the issue to Facebook through the bug bounty program in October and the IT giant fixed it in less than three days.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ImageMagick, Facebook)



you might also like

leave a comment