
Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com



http://parse.com  directory traversal vulnerability







Little Insight:





http://parse.com was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem, or to run commands on the server.


Well, this is my 4th reward from Facebook, for a Directory Traversal or RCE vulnerability.


That gives me 5th position on the Facebook white-hat page.


Report Date: 23 July 2014


Reward for Directory Traversal or RCE Vulnerability: 20000$




How does this work?



As we discussed earlier in my old post, the Flowdock Directory Traversal Vulnerability exposed files outside of Rails’ view paths. '%5C' turns into '\' after decoding. With Rack::Protection in use, only '/../' segments in the request path are rejected.


A patch was applied for Rack::Protection according to CVE-2014-0130, and it now also rejects '%5C', which turns into '\' after decoding.


Now, my work.


My Finding







As summarized above (CVE-2014-0130), the fix rejects '/../' segments in the request path, and the path is also sanitized to filter out malicious sequences like "..%5c".


Now I try to bypass the filter with "\../" or "\..%2f" segments in the request path. I will disclose more details in my next post on the Ruby on Rails Rack::Protection bypass, which affects old versions.


The patched versions you can use are 4.1.1, 4.0.5 and 3.2.18.
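The gap described above, as an added example that is not this post's code nor the source of Rack::Protection or Rails: a model of a check that only looks for '/../' and '..%5c' in the raw path, next to a check that decodes, treats '\' as a separator and canonicalizes before comparing against the root. `VIEW_ROOT`, the function names and the sample paths are assumptions made up for the example.

```ruby
# Added example, not code from Rack::Protection, Rails or parse.com.
VIEW_ROOT = "/srv/app/views" # hypothetical root directory (assumption)

# Model of the weak check the post describes: it looks at the raw request
# path and rejects only '/../' segments and the '..%5c' sequence.
def naive_filter_rejects?(raw_path)
  raw_path.include?("/../") || raw_path.downcase.include?("..%5c")
end

# Percent-decode repeatedly until the string is stable, so nested encodings
# are seen in their final form. Returns nil if it never settles.
def fully_decode(raw_path, max_rounds = 3)
  current = raw_path.b
  max_rounds.times do
    decoded = current.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    return current if decoded == current
    current = decoded
  end
  nil
end

# Hardened check: decode, treat '\' as a separator, canonicalize, then
# require the result to stay inside the root. Returns the path or nil.
def safe_resolve(raw_path, root = VIEW_ROOT)
  path = fully_decode(raw_path)
  return nil if path.nil? || path.include?("\0")
  full = File.expand_path(File.join(root, path.tr("\\", "/")))
  full == root || full.start_with?(root + "/") ? full : nil
end

# Constructed sample request paths (the third uses the post's pattern).
SAMPLES = [
  '/about/team',
  '/about/../../Gemfile',
  '/about/\..%2f\..%2f\..%2fGemfile',
  '/about/%252e%252e%252f%252e%252e%252fGemfile',
].freeze

SAMPLES.each do |p|
  puts format("%-48s naive_rejects=%-5s resolved=%s",
              p, naive_filter_rejects?(p), safe_resolve(p).inspect)
end
```

The point of the second check is that it compares the final resolved location with the allowed root instead of searching the request string for known bad sequences.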




Now coming back to Parse.com, a Facebook acquisition.



Here is the proof of concept that I included with the LFI/RCE bug report. It displayed the contents of /etc/passwd or /Gemfile of the http://parse.com server.


More than 5 pages on parse.com were vulnerable to the same vector.


One of them:


PoC URL: https://parse.com/about/\..%2f\..%2f\..%2fGemfile














After some time, I found how to convert a Ruby on Rails LFI into remote code execution or a shell.


Thanks to Jeff Jarmoc for the great article on remote code execution or shell, which made RCE on parse.com possible.


PoC URL: https://parse.com/about/\..%2f\..%2f\..%2fproduction .log?codetoexec=?












The vulnerability mentioned here has been confirmed and fixed by the Facebook team.

I would like to thank Jeff Jarmoc for such a great article and Neal for handling this issue. The vulnerability was patched and the fix was deployed in production within 2 hours after my initial report.















