I wanted to share some of my findings in regard to the Password Reset logic flaw in the Facebook Secure Files Transfer for Employees. Occasionally, when a new security measure is added (like a Secured File Transfer by Acellion), you could end up exposing your organization to a number of risks.
Firstly, if you take a look at https://files.fb.com, you’ll see that the service is powered by Accellion (http://www.accellion.com/solutions/secure-file-transfer).
In order to test for the Password Reset logic flaw, it would seem that an account would be necessary, right? In reality, it appears as if Facebook wanted to rid themselves of the account creation process in Accellion because they removed the register form from the front page. I figured out that, if you know the direct location of the form (/courier/web/1000@/wmReg.html), you can quite easily bypass that protection to create your own account in files.fb.com.
But, this vulnerability has now been fixed.
If we get a new account on files.fb.com, our next step is going to be downloading the 45-day trial of Accellion Secure file Sharing Service (http://www.accellion.com/trial-demo).
There are two kinds of the Accellion software:
1. Free 45 Day Cloud Hosted Trial (5 users)
2. Free 45 Day Virtual Trial (5 users)
So, I opted for the VM (virtual) trial, just so I could get all the files and the source code for this Accellion application.
Unfortunately, the VM trial package has a protection that prohibits you from accessing the files. You can bypass this by mounting the virtual drive in a second linux machine. After I did this, all the file names and folders were accessible for the Accellion Secure File Transfer software.
Accellion encrypts their source file content (php) with the use of ionCube PHP Encoder (http://www.ioncube.com/sa_encoder.php).
Some older versions of the ionCube encryption software can be decrypted. Of course, I was thwarted yet again. This particular version of ionCube could not be decrypted which was more than disappointing. If I could attain the source, I could also attain the core. Having that could help me understand more aspects like Command Execution, Local File Inclusion, and so on.
In any event, I decided to move on from this setback. I came upon an interesting file named wmPassupdate.html. This is the file used for Password Recovery in Accellion Secure Files Transfer.
In the cookie, there is another parameter that I had to take into account while trying to recover the password in wmPassupdate.html. This particular parameter was called “referrer” and it inexplicably used Base64 encoding. I had not been aware that Base64 encoding was still around, but I guess it definitely is.
So, I decoded the Base64 value, and made it so that the decoded data seemed to be my specified email address (firstname.lastname@example.org). This was cool. I started getting rid of all the “junk” cookies and unnecessary parameters. In fact, I only kept the “referrer” parameter around.
I encoded the value back to Base64 for a different email and then I copied that into the “referrer” cookie parameter. Then I began changing the email address parameter in my POST request to the victim’s email account. From there, I changed pass1 and pass2 to my chosen password.
Facebook, Accellion Fixed this issues, I also reported 20+ different bugs in Accellion Secure File Transfer Service, They fixed all of them 🙂 Soon i will publish OAuth bypass in Facebook.com, Cya Next time!,