Red Security
News Remote Code Execution Vulnerability Patched by Facebook




Remote Code Execution Vulnerability Patched by Facebook - Mad-Architect - 08-29-2018


    A serious vulnerability that was disclosed earlier this summer has finally been patched. This critical flaw had the potential for remote code execution.
Daniel Blaklis Le Gall, a security researcher from SCRT Information Security, has been awarded a large sum for discovering the bug. The bug itself was
discovered on a server belonging to Facebook.

    The bug was discovered after Daniel began scanning Facebook's IP ranges and saw a Sentry service written in Python and Django.
The service also seemed vulnerable.

    “The application appeared to be unstable regarding the user password reset feature,” the researcher said. “Django debug mode was not turned off, which consequently prints the whole environment when a stack trace occurs. However, Django snips critical data (passwords, secrets, key…)”


   

    Digging deeper, he soon discovered a binary protocol used to unserialize Python object structures, and the secret key was not available
in the stack trace. Daniel also obtained the key, using the Sentry list.


    The key is utilized for session signing, and if compromised it can be used to hijack a user's session. Daniel created a script
which was used to forge malicious cookies with arbitrary Pickle content, which also included a payload to override Sentry cookies.
The researcher reported his find on July 30th, and since then Facebook has patched the bug and restarted the server.


---- Sh7nk-Z0id
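
The point about the session signing key, as an added example that is not part of the original post or of Sentry's or Django's code: a valid signature only proves the sender holds the key, so the deserializer decides how much a leaked key is worth. The `payload.mac` cookie format, the function names and the key are assumptions made for illustration; Django's real signing format differs.

```python
import base64, hashlib, hmac, io, json, pickle

b64 = base64.urlsafe_b64encode

def sign(payload: bytes, key: bytes) -> str:
    """Build 'payload.mac' (simplified format, not Django's own)."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64(payload).decode()}.{b64(mac).decode()}"

def verify(cookie: str, key: bytes) -> bytes:
    """Return the payload bytes if the MAC matches, else raise ValueError."""
    try:
        body, mac = (base64.urlsafe_b64decode(p) for p in cookie.split("."))
    except ValueError as exc:  # wrong number of parts or bad base64
        raise ValueError("malformed cookie") from exc
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    return body

class NoGlobalsUnpickler(pickle.Unpickler):
    """Allow only built-in containers and scalars: every global lookup fails."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_json_session(cookie: str, key: bytes) -> dict:
    """Data-only loader: a key holder can change values but not create objects."""
    data = json.loads(verify(cookie, key))
    if not isinstance(data, dict):
        raise ValueError("session must be a JSON object")
    return data

def load_restricted_pickle_session(cookie: str, key: bytes):
    """Pickle loader for legacy cookies, with class resolution switched off."""
    return NoGlobalsUnpickler(io.BytesIO(verify(cookie, key))).load()

if __name__ == "__main__":
    from collections import OrderedDict
    key = b"constructed-demo-key"  # constructed value, stands in for SECRET_KEY
    print(load_json_session(sign(b'{"uid": 7}', key), key))
    # Correctly signed, but the body references a class: the MAC passes, the loader refuses.
    signed_object = sign(pickle.dumps(OrderedDict(uid=7)), key)
    try:
        load_restricted_pickle_session(signed_object, key)
    except pickle.UnpicklingError as err:
        print("rejected:", err)
```

With a plain `pickle.loads` in place of either loader, the signature check would be the only barrier, which is why exposure of the key matters so much in the setup described above.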