Discord Server Red Security Twitter Donation to Red Security Red Security Youtube Channel Red Security Tumblr Profile
Login or Register to Hide ads and Accessing all features on the forum
Thread Rating:
  • 3 Vote(s) - 2 Average
  • 1
  • 2
  • 3
  • 4
  • 5
News Remote Code Execution Vulerability Patched by Facebook
[Image: facebook-logo-hacked-729x445.jpg]

    A serious vulnerability that was disclosed earlier this summer, has finally been patched. This critical flaw had the potential for remote code execution.
A one Daniel Blaklis Le Gall, a security researcher from SCRT Information Security has been awarded a large sum for discovering the bug. The bug itself was
discovered on a server belonging to Facebook.

    The bug was discovered after Daniel began scanning Facebook's IP ranges, and saw a sentry service written in Python and Django.
The service also seemed vulnerable.

    “The application appeared to be unstable regarding the user password reset feature” the researcher said. “Django debug mode was not turned off, which consequently prints the whole environment when a stack trace occurs. However, Django snips critical data (passwords, secrets, key…)"


      Digging deeper, he soon discovered a binary protocol used to unserialize Python Object Structures, also the secret key was not available
in the Stack trace. The key was also obtained by Daniel using the Sentry list.

    The key utilized for session singing, and if compromised it can be used to hijack a user's session. Daniel created a script
which was used to forge malicious cookies with arbitrary Pickle content which also included a payload to override Sentry cookies.
The researcher reported his find on July 30th, and since then Facebook has patched the bug, and restarted the server.

---- Sh7nk-Z0id

01001001 00100000 01000001 01001101 00100000 01011010 01001111 01000100 01001001 01000001 01000011

Possibly Related Threads…
Thread Author Replies Views Last Post
Star News Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution - CXSecu News 0 76 09-18-2020, 08:12 AM
Last Post: News
Star News ManageEngine Applications Manager Authenticated Remote Code Execution - CXSecurity.c News 0 107 09-06-2020, 01:51 PM
Last Post: News
Star News Four More Bugs Patched in Microsoft’s Azure Sphere IoT Platform News 0 142 08-26-2020, 03:41 AM
Last Post: News
Thumbs Up News Citrix Bugs Allow Unauthenticated Code Injection, Data Theft Mr.Kurd 1 336 07-15-2020, 12:28 AM
Last Post: EthelCrife
Exclamation News Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely Mr.Kurd 0 389 06-12-2020, 08:24 AM
Last Post: Mr.Kurd
Question News Critical Remote Code Execution Bug in Linux Based OpenWrt OS Affects Millions of Netw Mr.Kurd 0 377 03-25-2020, 08:11 AM
Last Post: Mr.Kurd
Star News Trend Micro Patched Zero-Day Vulnerabilities Under Active Exploit Mr.Kurd 0 316 03-23-2020, 07:54 AM
Last Post: Mr.Kurd
Question News New Android Cookie-Stealing Malware Found Hijacking Facebook Accounts Mr.Kurd 0 319 03-13-2020, 11:15 AM
Last Post: Mr.Kurd
Exclamation News NordVPN Patched a Flaw In Their Payments Platform That Exposed Users’ Details Mr.Kurd 0 395 03-09-2020, 05:34 PM
Last Post: Mr.Kurd
Exclamation News A vulnerability that Allows Hackers to Hijack Facebook Accounts Mr.Kurd 0 366 03-04-2020, 07:17 AM
Last Post: Mr.Kurd

Users browsing this thread: 1 Guest(s)