December 3, 2016

Facebook Fixes .EXE Upload Vulnerability

(LiveHacking.Com) – An executable file upload flaw found on Facebook, which allowed an attacker to upload and send an executable file to another Facebook user via the Facebook ‘Messages’ tab, has been fixed.

Nathan Power, a security penetration tester from Ohio, originally posted details of the flaw a few days ago, and initially Facebook seemed to play down the dangers of the flaw.

Facebook’s Security Manager Ryan McGeehan went on the record saying that “This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering.” He also underlined the contrived nature of the flaw, saying “At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.”

It seemed from Ryan’s response that Facebook didn’t see this as a high priority and that it might only get fixed at some time in the future. However, yesterday Nathan updated his blog to report that the flaw has been fixed:

11/01/2011 Vulnerability Fixed

This means that Facebook did take the flaw seriously. Several things can be understood from this:

  1. The flaw wasn’t that hard to fix.
  2. Facebook do actually take security seriously (if not privacy).
  3. There are probably other flaws which Facebook’s internal audits find and which are fixed quietly without any notifications.
  4. Facebook doesn’t issue security advisories.

Does Facebook Have a .EXE Upload Vulnerability?

(LiveHacking.Com) – Nathan Power, a security penetration tester from Ohio, has posted details of a flaw in Facebook which allows an attacker to upload and send an executable file to another Facebook user via the Facebook ‘Messages’ tab.

Normally Facebook doesn’t allow users to upload and send executables in an attempt to limit the spread of malware via its service.

Nathan analysed the way the messaging service works and discovered that Facebook rely on a parameter (called filename) included in the POST message to detect executable files. To subvert the security mechanisms and allow an .exe file type, Nathan modified the POST request by appending a space to the filename variable, like so: filename="cmd.exe " (note the space before the closing quote).

The result was that the file was uploaded and sent to the other Facebook user. Of course, further work is needed by the attacker to convince the user to run the executable. If the user is unaware that running unknown executables on their computer is dangerous, then there are other, simpler methods (like plain old email) which could be used rather than tweaking Facebook.
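The filename check described above, sketched as an added example (this is not Facebook's code, which the article does not show): a validator that tests the raw client-supplied name, next to one that normalizes the name first and also inspects the file content rather than relying on string matching alone. The blocklist, function names and sample uploads are assumptions constructed for illustration.

```python
import os

# Assumed blocklist for illustration; a real service would maintain its own.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".msi"}


def naive_is_blocked(filename: str) -> bool:
    """Compare the extension of the raw, client-supplied filename."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in BLOCKED_EXTENSIONS  # ".exe " (trailing space) is not ".exe"


def normalize(filename: str) -> str:
    """Reduce a client-supplied name to the name it would have once saved."""
    # Keep only the final path component, whichever separator was sent.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop control and other non-printable characters.
    name = "".join(ch for ch in name if ch.isprintable())
    # Windows discards trailing spaces and dots when it stores a file name.
    return name.rstrip(" .")


def hardened_is_blocked(filename: str, content: bytes) -> bool:
    """Check the normalized name, then the content itself."""
    ext = os.path.splitext(normalize(filename))[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return True
    # Windows PE executables begin with the two bytes "MZ", whatever the
    # attachment happens to be called.
    return content[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample uploads: (filename parameter, first bytes of the file)
    samples = [
        ("cmd.exe", b"MZ\x90\x00"),
        ("cmd.exe ", b"MZ\x90\x00"),        # the case from the article
        ("notes.txt", b"MZ\x90\x00"),       # renamed executable
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, head in samples:
        print(f"{name!r:12} naive={naive_is_blocked(name)!s:5} "
              f"hardened={hardened_is_blocked(name, head)}")
```

The content check only recognises Windows PE files; it complements the AV scanning of attachments and does not replace it.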

ZDNET have a response from Facebook’s Security Manager Ryan McGeehan:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.