Facebook Attach EXE Vulnerability
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site will not allow a user to attach an executable file. A bug was discovered that subverts this security mechanism. Note that you do NOT have to be friends with the user to send them a message with an attachment.
---------------------------------------------------------------------------------------------------------------------------
2. Description:
When attaching an executable file, Facebook will return an error message stating:
"Error Uploading: You cannot attach files of that type."
When uploading a file attachment to Facebook, we captured the web browser's POST request being sent to the web server. This POST request contains the line:
Content-Disposition: form-data; name="attachment"; filename="cmd.exe"
This was enough to trick the parser and allow our executable file to be attached and sent in a message.
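The check that failed here trusted a client-controlled value, the filename parameter of the multipart Content-Disposition header. The following is an added example (not Facebook's code, and not the original advisory's) of how a server-side attachment filter can be made more robust: it parses the header, normalizes the filename (whitespace, path components, trailing dots, case) before looking at the extension, and additionally sniffs the first bytes of the upload so that a renamed executable is still caught. The blocked-extension list, the magic-byte list, and the sample requests are all assumptions constructed for this example; the page does not state which modification to the header was used in 2011, and the example makes no claim about it.

```python
import re

# Example policy (an assumption, not Facebook's list): extensions treated as executable.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "com", "scr", "pif", "bat", "cmd", "msi", "vbs", "js", "jar", "ps1",
}

# Leading bytes of common native executable formats: PE/DOS stub ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def parse_content_disposition(header: str) -> dict:
    """Parse 'form-data; name="x"; filename="y"' into {'name': 'x', 'filename': 'y'}.

    Quoted values keep their inner characters verbatim, including whitespace,
    which is exactly why the raw value must not be trusted as-is.
    (Illustrative parser: does not handle ';' inside quoted values.)
    """
    params = {}
    for token in header.split(";"):
        if "=" not in token:
            continue                      # e.g. the leading 'form-data' token
        key, value = token.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key.strip().lower()] = value
    return params


def normalize_filename(raw: str) -> str:
    """Reduce a client-supplied filename to the form the OS would actually use."""
    name = raw.strip()                                   # surrounding whitespace
    name = name.replace("\\", "/").rsplit("/", 1)[-1]    # drop any path component
    name = re.sub(r"[\x00-\x1f]", "", name)              # drop control characters
    name = name.rstrip(". ")                             # Windows ignores trailing dots/spaces
    return name.lower()                                  # case-insensitive comparison


def has_executable_signature(data: bytes) -> bool:
    """True if the upload starts with a known executable magic number."""
    return any(data.startswith(magic) for magic in EXECUTABLE_MAGIC)


def check_attachment(disposition: str, data: bytes) -> tuple:
    """Return (allowed, reason). Rejects on normalized extension or on content."""
    params = parse_content_disposition(disposition)
    raw = params.get("filename", "")
    name = normalize_filename(raw)
    if not name:
        return False, "missing or empty filename"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return False, "blocked extension .%s (normalized from %r)" % (ext, raw)
    if has_executable_signature(data):
        return False, "content starts with an executable signature despite filename"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample header lines and payload prefixes; not captured traffic.
    samples = [
        ('form-data; name="attachment"; filename="cmd.exe"', b"MZ\x90\x00\x03"),
        ('form-data; name="attachment"; filename="C:\\Users\\a\\CMD.EXE"', b"MZ\x90\x00\x03"),
        ('form-data; name="attachment"; filename="notes.pdf"', b"MZ\x90\x00\x03"),
        ('form-data; name="attachment"; filename="notes.pdf"', b"%PDF-1.4\n"),
    ]
    for disposition, data in samples:
        print(disposition, "->", check_attachment(disposition, data))
```

Two design points: the extension check runs on the normalized name, not on the header value, and the decision never rests on the filename alone, because a client can send any filename it likes. A real deployment would also store uploads with a server-chosen name and serve them with a fixed Content-Type and Content-Disposition: attachment, so that even a file that slips through is not executed in the recipient's browser context.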
-------------------------------------------------------------------------------------------------------------------------
3. Impact:
Could potentially allow an attacker to compromise a victim's computer system.
-----------------------------------------------------------------------------------------------------------------------
4. Affected Products:
www.facebook.com
-----------------------------------------------------------------------------------------------------------------------
5. Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed
-----------------------------------------------------------------------------------------------------------------------
6. Credits:
Discovered by Nathan Power
  www.securitypentest.com