29 March 2013

Category: Hacks

Hi,

I wanted to share some of my findings regarding a password reset logic flaw in the Facebook Secure File Transfer service for employees. Sometimes, when a new security measure is added (such as a secure file transfer service from Accellion), you end up exposing your organization to a number of new risks.

Firstly, if you take a look at https://files.fb.com, you’ll see that the service is powered by Accellion (http://www.accellion.com/solutions/secure-file-transfer).

To test for a password reset logic flaw, it would seem that an account is necessary, right? It appears that Facebook wanted to disable account creation in Accellion, because they removed the registration form from the front page. I found that, if you know the direct location of the form (/courier/web/1000@/wmReg.html), you can bypass that protection by requesting it directly and create your own account on files.fb.com: hiding the link did nothing to disable the registration handler behind it.

[Screenshot: account creation form on files.fb.com]

This vulnerability has since been fixed.

 

[Screenshot: account creation now disabled]

Once we have an account on files.fb.com, the next step is to download the 45-day trial of the Accellion Secure File Sharing Service (http://www.accellion.com/trial-demo).

The trial is offered in two forms:

1. Free 45 Day Cloud Hosted Trial (5 users)

2. Free 45 Day Virtual Trial (5 users)

 

I opted for the VM (virtual) trial so that I could get all the files, and ideally the source code, of the Accellion application.

Unfortunately, the VM trial package is locked down so that you cannot access its files from inside the guest. You can bypass this by attaching the virtual disk to a second Linux machine and mounting the guest filesystem there. After I did this, all the files and folders of the Accellion Secure File Transfer software were accessible.

Accellion protects its PHP source files with the ionCube PHP Encoder (http://www.ioncube.com/sa_encoder.php), so the files on disk are encoded rather than readable PHP.

[Screenshot: ionCube-encoded PHP source]

Files produced by some older versions of ionCube can be decoded, but this particular version could not, which was more than disappointing: I was thwarted yet again. With the source in hand I could have audited the core of the application for issues such as command execution, local file inclusion, and so on.

[Screenshot: encoded source files and the password update form]

In any event, I moved on from this setback. Among the file names I came upon an interesting one, wmPassupdate.html, which is the page used for password recovery in Accellion Secure File Transfer.

While working through the password recovery flow in wmPassupdate.html, I noticed an extra cookie parameter that I had to take into account. It was called “referrer”, and for some reason its value was Base64 encoded. Base64 is an encoding, not encryption: anyone can decode it, change the contents and re-encode it, so it protects nothing that the server stores in it.

So I decoded the Base64 value, and the decoded data turned out to be my own email address, i.e. the account the reset applied to. This was interesting. I then started stripping out all the “junk” cookies and unnecessary parameters; in the end I kept only the “referrer” parameter, and the request still worked.

Next I Base64-encoded a different email address, the victim’s, and put that value into the “referrer” cookie. In the POST request I also changed the email parameter to the victim’s address, and set pass1 and pass2 to a password of my choosing. The server accepted the request and reset the victim’s password: the account being reset was taken entirely from values the client controls, with no server-side token tying the reset to the person who actually requested it.
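To make the logic flaw concrete, here is an added example (my own illustration, not Accellion’s code and not the author’s PoC) that models the vulnerable reset handler as described above beside a hardened version. The cookie and form field names (referrer, email, pass1, pass2) are the ones the post mentions; the user store, the token-issuing step and everything else are assumptions made for the demo, and the “hardened” flow is a generic fix, not Accellion’s actual patch.

```python
import base64
import hashlib
import secrets
import time

# Constructed sample user store for the demo (not real Accellion data).
USERS = {
    "victim@example.com": {"password": "victim-original"},
    "attacker@example.com": {"password": "attacker-original"},
}


def vulnerable_reset(cookies, form):
    """Toy model of the flaw: the account to reset is read from a Base64
    'referrer' cookie, and the client also supplies the matching 'email'.
    Both values are attacker-controlled, so any account can be reset."""
    try:
        account = base64.b64decode(cookies.get("referrer", "")).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return "bad referrer"
    if account not in USERS or form.get("email") != account:
        return "mismatch"
    if not form.get("pass1") or form.get("pass1") != form.get("pass2"):
        return "passwords differ"
    USERS[account]["password"] = form["pass1"]
    return "ok"


def forge_reset_request(victim_email, new_password):
    """Build the request described in the post: only the 'referrer' cookie is
    kept, carrying the Base64 of the victim's address, and the form names the
    same address plus the attacker's chosen password."""
    cookies = {"referrer": base64.b64encode(victim_email.encode()).decode()}
    form = {"email": victim_email, "pass1": new_password, "pass2": new_password}
    return cookies, form


# --- hardened flow (hypothetical fix for the demo) ---------------------------
RESET_TOKENS = {}          # sha256(token) -> (email, expiry); lives server-side
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(email, now=None):
    """Step 1 of the fixed flow: generate a random, short-lived token bound to
    the account and deliver it only to that account's address (delivery is
    simulated by returning the token). Only the hash is stored, so a leaked
    table does not yield usable tokens."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None  # real code answers identically to avoid account enumeration
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, now + TOKEN_TTL_SECONDS)
    return token


def hardened_reset(form, now=None):
    """Step 2: the account comes only from the server-side token record.
    Any 'email' or 'referrer' the client sends is ignored. Tokens are
    single-use (popped on first use) and expire."""
    now = time.time() if now is None else now
    key = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    record = RESET_TOKENS.pop(key, None)
    if record is None:
        return "invalid token"
    email, expires_at = record
    if now > expires_at:
        return "expired"
    if not form.get("pass1") or form.get("pass1") != form.get("pass2"):
        return "passwords differ"
    USERS[email]["password"] = form["pass1"]
    return "ok"


if __name__ == "__main__":
    cookies, form = forge_reset_request("victim@example.com", "attacker-chosen")
    print("vulnerable:", vulnerable_reset(cookies, form), USERS["victim@example.com"])
    # The attacker can only obtain a token for an address they control; naming
    # the victim in the form changes nothing in the hardened flow.
    token = issue_reset_token("attacker@example.com")
    print("hardened:", hardened_reset({"token": token, "email": "victim@example.com",
                                       "pass1": "x", "pass2": "x"}), USERS)
```

The property that matters in the hardened version is where the identity of the account comes from: a server-side record keyed by an unguessable token that was delivered only to the account owner, consumed on first use and expiring after a short window. Once that is in place, the client-supplied email and any cookie like “referrer” become irrelevant to which password gets changed.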

[Image: game over]

 

PoC Image:

 

[Screenshot: password reset via the Base64 “referrer” cookie and the email parameter]

 

 

PoC Video:

 

Facebook and Accellion have fixed these issues. I also reported 20+ other bugs in the Accellion Secure File Transfer service, and they fixed all of them :) Soon I will publish an OAuth bypass in Facebook.com. See you next time!

By @Nirgoldshlager

9 responses on “How I Hacked Facebook Employees Secure Files Transfer service (http://files.fb.com)”

  1. Roy says:

    I’m impressed at how straight forward you make this topic look via your articles, though I must say I still don’t quite understand it.
    It seems too elaborate and extremely broad for me personally.
    I am eager for your next publications, I will try
    to get the gist of it.

  2. Your mode of telling everything in this post is actually good; all will be capable of simply being aware of it,
    Thanks a lot.

  3. girlsbcnnet says:

    I was recommended this blog by my cousin. I’m not sure whether this post is written by him, as no one else knows such details about my problem. You’re wonderful!
    Thanks!

  4. First of all I want to say excellent blog! I had a quick question that
    I’d like to ask if you don’t mind. I was interested to find out how you center yourself and clear your head prior
    to writing. I’ve had trouble clearing my thoughts in getting my thoughts out. I do take pleasure in writing but it just seems like the first 10 to 15 minutes are generally lost just trying to figure out how to begin. Any suggestions or hints? Cheers!

  5. Thanks, I have just been searching for information about this topic for a while and yours is the best I’ve found out till now. But, what about the conclusion? Are you positive in regards to the source?

  6. Admiring the hard work you put into your blog
    and in depth information you offer. It’s awesome to come across a blog every once in a while that isn’t the same outdated rehashed material.
    Excellent read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.

  7. acne cyst says:

    acne cyst…

    I was just searching for this information for a while. After six hours of continuous Googling, at last I got it on your website. I wonder what’s the lack of Google strategy that doesn’t rank this kind of informative website at the top of the li…

  8. I have read several just right pieces here. Definitely worth bookmarking for revisiting. I’m surprised at how much effort you put into creating this type of fantastic informative website.

    plane tickets Murmansk Arkhangelsk
    plane tickets Lappeenranta Amsterdam

  9. I think this is among the most vital info for me. And I’m glad reading your article. But I should remark on some general things: the website style is ideal, the articles are really excellent :D. Good job, cheers
