Skip to main content

Facebook Web Security Bug Bounty: Directory Traversal Vulnerability / RCE In Parse.com

By


http://parse.com  directory traversal vulnerability







Little Insight:





http://parse.com  was vulnerable to a directory traversal / RCE vulnerability. As a result, it was possible for an attacker to load web server-readable files from the local filesystem. or Run commend on That


Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 


That  give me 5th position in Facebook white-hat Page


Report Date :23  July 2014


Reward For Directory Traversal or RCE Vulnerability :  20000$




How This work......?



As we discussed earlier on my old post Flowdock Directory Traversal Vulnerability exposed files outside of Rails’ view paths. '%5C' turns into '\' after decoding. Using Rack::Protection   it only rejects '/../' segments in the request path.  


patch apply for Rack::Protection acording CVE-2014-0130  and  also Reject now '%5C' turns into '\' after decoding


now my work ....






My Finding....







In the above summary ( CVE-2014-0130 )  it  rejects '/../' segments in the request path and path is also sanitized to filter out malicious characters like "..%5c", 


now m try to bypass filter  with " \../ or \..%2f "  segments in the request path  more details i am disclose in next post ruby on rails  Rack::Protection bypass effected on old version


patch version you can use 4.1.1, 4.0.5, 3.2.18




Now coming back to Parse.com  Facebook Acquisitions 

here is the proof of concept that I included with bug LFI/RCE. It displayed the contents of the /etc/passwd Or /Gemfile of the http://parse.com server 


More Then 5 pages Vulnerable on parse.com with same vector 


one of them


Poc Url :   https://parse.com/about/\..%2f\..%2f\..%2fGemfile














 After some time


i am  found  how to convert ruby on rails LfI in remote code execution or Shell


Thanks to Jeff Jarmoc for great Article on remote code execution or Shell That make  possible  to make Rce on parse.com


POC URL :    https://parse.com/about/\..%2f\..%2f\..%2fproduction .log?codetoexec=?








More about :




The vulnerability mentioned here has been confirmed & fixed by Facebook Team.

I’would like to thank Jeff Jarmoc for such a great article and Neal for handling this issue and  the vulnerability was patched and the fix was deployed in production within 2 hour  after my initial report.




Well this is my 4th reward form facebook  Directory Traversal or RCE Vulnerability 


That give me 5th position in Facebook white-hat












you can also meet me   


FACEBOOK


TWITTER

 

 


Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

HC WeB : A Browser for HACKERS...

By
A Browser for HACKERS... Try for Free... Download HC WeB Setup Gallery: Online Penetration Testing Tools Index Information Gathering Whois DNS Location Info Enumeration and Fingerprint Data Mining Search Engines Editors Online Text Editors Share Text Snippets Network Utilities Ping HTTP HTTPS VNC Remote Desktop SSH DNS Sniffers Misc Forensics Frameworks URL Cloaking E-mail Password Cracking Encoders and Decoders Encoders Decoders Malwares Malware Analysis Identify Malicious Websites Suspected Malicious IPs and URLs Application Auditing SQL Injection Cross Site Scripting File Inclusion Anonymity Proxy Others Hackery Open Penetration Testing Bookmarks Collection Hacker Media Blogs, Forums, Magazines and Videos. Methodologies Penetration testing frameworks, standards and methodologies. OSINT Presentations, People, Organizations and Infrastructure.  Exploits an...
Post a Comment
Read more

OpenBSD Project survived after $20,000 Donation from Romanian Bitcoin Billionaire

By
Last year in the month of December the Security-focused Unix-like distribution ' OpenBSD ' Foundation announced that it was facing shut down due to lack of funds to pay their electricity bills and dedicated Internet line costs.      Theo de  Raadt , the founder of the OpenBSD project, and Bob Beck (Developer)  announced : " In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on. " Just after a month, a Bitcoin billionaire from Romania has stepped in and sorted OpenBSD out! Mircea Popescu , the creator of the  MPEx  Bitcoin  stock exchange  has offered $20,000 donations to the OpenBSD Foundation and saved the existence of OpenBSD development from being stopped. Like each o...
Post a Comment
Read more

Microsoft remotely deleted Tor-based 'Sefnit Botnet' from more than 2 Million Systems

By
In October 2013,  Microsoft  adopted a silent, offensive method to tackle infection due to a Tor-based botnet malware called ' Sefnit '. In an effort to  takedown of the  Sefnit botnet  to protect windows users, Microsoft r emotely removes the older versions of installed Tor Browser software and infection from 2 Million systems, even without the knowledge of the system's owner. Last year in August, after Snowden revelations about the National Security Agency's ( NSA ) Spying programs, the Internet users were under fear of being spied. During the same time Tor Project leaders noticed almost 600% increase in the number of users over the anonymizing networks of Tor i.e. More than 600,000 users join Tor within few weeks. In September, researchers identified the major reason of increased Tor users i.e. A Tor-based botnet called ' Sefnit malware ', which was infecting millions of computers for click fraud and  bitcoin ...
Post a Comment
Read more