Discord Server Twitter Donation Youtube
Thread Rating:
  • 2 Vote(s) - 1.5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
News Remote Code Execution Vulerability Patched by Facebook
[Image: facebook-logo-hacked-729x445.jpg]

    A serious vulnerability that was disclosed earlier this summer, has finally been patched. This critical flaw had the potential for remote code execution.
A one Daniel Blaklis Le Gall, a security researcher from SCRT Information Security has been awarded a large sum for discovering the bug. The bug itself was
discovered on a server belonging to Facebook.

    The bug was discovered after Daniel began scanning Facebook's IP ranges, and saw a sentry service written in Python and Django.
The service also seemed vulnerable.

    “The application appeared to be unstable regarding the user password reset feature” the researcher said. “Django debug mode was not turned off, which consequently prints the whole environment when a stack trace occurs. However, Django snips critical data (passwords, secrets, key…)"


      Digging deeper, he soon discovered a binary protocol used to unserialize Python Object Structures, also the secret key was not available
in the Stack trace. The key was also obtained by Daniel using the Sentry list.

    The key utilized for session singing, and if compromised it can be used to hijack a user's session. Daniel created a script
which was used to forge malicious cookies with arbitrary Pickle content which also included a payload to override Sentry cookies.
The researcher reported his find on July 30th, and since then Facebook has patched the bug, and restarted the server.

---- Sh7nk-Z0id

01001001 00100000 01000001 01001101 00100000 01011010 01001111 01000100 01001001 01000001 01000011

Users browsing this thread: 1 Guest(s)