Shulou(Shulou.com)05/31 Report--

This article is about how to download the function to achieve Facebook Android application arbitrary code execution, the editor thinks it is very practical, so share with you to learn, I hope you can learn something after reading this article, say no more, follow the editor to have a look.

Loophole discovery

When testing the download function of Facebook group files, the author found that there are two file download mechanisms. If users download files directly from group posts, they will download them through a built-in Android service called DownloadManager, which, as far as I know, is a safe way to download files. If the user downloads the file from the group's file tag (Files Tab), the Facebook Android app will take the file and save it to the download directory without filtering. The following is a fixed code snippet with a vulnerability. The code before the fix does not have the following gray lines of code:

Path traversal

Of course, the second download method is flawed. Although Facebook takes a series of security measures when uploading files, it is easy to bypass. In short, files downloaded by Facebook Android users from the Facebook group file tag are stored in the directory / sdcard/Downloads/FILE_NAME on the user's phone, where a directory traversal vulnerability exists because the filename FILE_NAME is not filtered. After that, I immediately thought of whether I could overwrite the original library of the program by traversing the path to achieve code execution.

Next, I use the Burp agent to intercept the request package for file upload, then change its file name to.. / sdcard/PoC, and then upload:

Unfortunately, due to the security measures on the Facebook server, the path I constructed to traverse the Payload file was deleted, and other styles of Payload did not work, unable to achieve the purpose of writing files to the / sdcard directory.

Bypass safety measures

After many times of Payload construction, it is also difficult to bypass security filtering measures. finally, I went back to the Facebook Android app itself and found it where I added files!

From this add file feature, first of all, I found that I can upload files from the Facebook Android app. So, next, I set up a Burp proxy from my phone to intercept requests for capturing file uploads and change the file name filename to.. / sdcard/PoC. After that, the Payload file is successfully uploaded to the / sdcard directory, and the path construction of the file name is also valid.

Then I tried to download the file in a group post, but the DownloadManger service of the Facebook Android app was secure and couldn't find a flaw. Let's do the test at the file label (Files Tab). First of all, make sure I can upload the file to the / sdcard/PoC directory. As previously considered, first do a path traversal, and then try an overwrite of the original library.

Vulnerability exploitation

To do this, I created an Android native library code (Native Development Kit) to generate the native library, and I put my malicious test code in the JNI_OnLoad function so that it could be called when the library file was loaded. As follows:

# include # include # include JNIEXPORT jint JNI_OnLoad (JavaVM* vm, void* reserved) {system ("id > / data/data/com.facebook.katana/PoC"); return JNI_VERSION_1_6;}

Through the generation and construction of the above malicious native library, and then upload it to the Facebook Android application server with the aforementioned path traversal + rewrite overwrite method.

/.. / data/data/com.facebook.katana/lib-xzs/libbreakpad.so

In the end, arbitrary code execution can be successfully implemented in this way of rewriting.

The above is how to implement arbitrary code execution of Facebook Android applications through the download function. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.