Facebook Code Execution Bug Worth $40,000
A security researcher, Andrey Leonov had discovered a critical bug on Facebook that leverage a Remote Code Execution vulnerability on Facebook server. This vulnerability was resides on the ImageMagick and Tragick bug that were first discovered on April 2016.
On the blog post Andrey says that he was testing another service (not Facebook) but some of the redirect drag him to Facebook i.e. 'Share on Facebook' dialog box.
When user post a link on facebook it fetch the url for image and shows the image contains on the page of the link. On checking deeper, he fount that a `picture` parameter is a url, but there isn’t image url on page content. [See image below]
This point grab his attention and started digging it. Initially he got no success and at last he tried to exploit ImageTragick vulnerability. On this also he failed to exploit but after some work on his exploit he managed to triggered the issue. He successfully triggered with the DNS record request by which he got valid response.
On this he came to know how application was working and he wrote -
On the blog post Andrey says that he was testing another service (not Facebook) but some of the redirect drag him to Facebook i.e. 'Share on Facebook' dialog box.
When user post a link on facebook it fetch the url for image and shows the image contains on the page of the link. On checking deeper, he fount that a `picture` parameter is a url, but there isn’t image url on page content. [See image below]
https://external.fhen1-1.fna.fbcdn.net/safe_image.php?d=AQDaeWq2Fn1Ujs4P&w=158&h=158&url=https%3A%2F%2Fwww.google.com%2Fimages%2Ferrors%2Frobot.png&cfs=1&upscale=1&_nc_hash=AQD2uvqIgAdXgWyb
On this he came to know how application was working and he wrote -
- Gets `picture` parameter and requests it - this request is correct and not vulnerable
- Received picture passes on converter's instance which used vulnerable ImageMagick library
Later on he successfully exploited the bug leveraging a Code Execution on Facebook server. For this finding Facebook awarded him $40,000 under company's Bug Bounty Program.