
How to address the RCE vulnerability that HTML-to-PDF document conversion in a Facebook system may cause

2025-02-21 Update From: SLTechnology News&Howtos shulou

Shulou (Shulou.com) 06/01 Report

This article describes the RCE vulnerability that HTML-to-PDF document conversion in a Facebook system could cause, and how it was addressed. The content is quite detailed; interested readers can refer to it, and we hope it helps.

The vulnerability could allow an attacker to execute HTML code on Facebook's tapprd.legal.thefacebook.com server (server-side), and thereby achieve remote code execution (RCE). The root cause is that the HTML tags a user enters into the form fields of the affected page are passed directly, without escaping, to the HTML-to-PDF converter for the file conversion step.

Vulnerability in HTML to PDF conversion

Workplace by Facebook is Facebook's workplace communication product, which provides internal team communication through a company or group model. When someone belonging to a company or group creates a Workplace by Facebook account, they receive a confirmation email from Facebook's official address legal_noreply@fb.com containing the URL of an online agreement that the account owner must sign. This URL carries a special token, as follows:

https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousShowStage? token=

After opening the URL above, the page contains fields for name, address, email, occupation and so on. When I tried injecting HTML code into these fields, I found that the web application HTML-encodes all of the text. My first idea was to intercept and modify the request, but that did not work; it was blocked. I then noticed two things:

1. The web application HTML-encodes the text first, and then HTML-decodes it again when the PDF is generated on the server side;

2. That suggested a way to escalate further. Since the JavaScript mentioned above is not interpreted by the HTML-to-PDF converter, I tried using a file:// URL inside an IFRAME to read local files;
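The root cause described above, an encode-for-display step that is undone by a decode step before the converter runs, shown in an added Python example (not code from the original writeup or from the affected application; the template, field names and sample input are constructed for illustration), with the hardened form beside it and a converter-side policy check:

```python
import html
import re

# Constructed sample input: the kind of text a user could type into the
# agreement form's name/address fields. Not taken from the original report.
FIELDS = {"name": "Alice <b>Example</b>", "city": "Menlo Park"}

# Constructed stand-in for the document template handed to the converter.
TEMPLATE = "<html><body><p>Signed by: {name}</p><p>City: {city}</p></body></html>"


def render_vulnerable(fields):
    """Mirrors the flaw: the web tier HTML-encodes the text for display, but
    the PDF step HTML-decodes it again before the converter runs, so the
    user's tags reach the converter as live markup."""
    encoded = {k: html.escape(v) for k, v in fields.items()}
    decoded = {k: html.unescape(v) for k, v in encoded.items()}  # the bug
    return TEMPLATE.format(**decoded)


def render_fixed(fields):
    """Escape exactly once, at the point the value enters the template, and
    never decode on the server side. quote=True also covers attribute context."""
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in fields.items()})


# Defence in depth on the converter side: refuse any document that embeds a
# sub-document or references a non-http(s) scheme (file:, about:, ...).
FORBIDDEN_TAGS = re.compile(r"<\s*/?\s*(iframe|object|embed|script|link|meta|base)\b", re.I)
FORBIDDEN_SCHEMES = re.compile(
    r"\b(?:src|href)\s*=\s*[\"']?\s*(?!https?:)[a-z][a-z0-9+.-]*:", re.I)


def converter_policy_ok(document):
    """True only if the final HTML contains no embedding tags and no
    non-http(s) URL schemes."""
    return not FORBIDDEN_TAGS.search(document) and not FORBIDDEN_SCHEMES.search(document)


def tags_reach_converter(document):
    """True if the user's markup survived as a live <b> element."""
    return "<b>Example</b>" in document
```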

Then I examined the IFRAME elements in the converted PDF document to look at the web application's internal network, from which I could identify some live IPs and open/closed ports. From there, there were several ways to escalate to RCE:

1. Because of another vulnerability in the web application server, I could obtain the web application's internal system path, extract the web.config file from it, and thereby obtain more sensitive configuration information about the web application.

2. After scanning the web application's internal network, I found exploitable vulnerabilities in some WebLogic server systems that were reachable only from the internal network.

3. After experimenting with different URL schemes, I found that with the about:// form, an IE page listing all the menu options and the IE version appeared in the PDF file. Being new to ASP.NET, I wondered whether the web application opened the HTML page in IE through some Windows API, and whether that HTML page included JavaScript for screenshots or document conversion, such as jsPDF, an open-source PDF generator. On this assumption I tried embedding some payloads targeting IE (for confidentiality reasons, I cannot go into detail here).

With the three ways above to achieve RCE, the last step was how to deliver the attack. Coincidentally, I had previously published a Facebook email-forgery vulnerability in the same web application system, so combining the two gives the greatest impact.

Vulnerability: forged email via legal_noreply@fb.com

The flaw is that Facebook's official no-reply address legal_noreply@fb.com can be used to forge email bodies and send them to arbitrary user addresses as if from Facebook employees or partners. The vulnerability stems from the following link:

https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousEmbed/XXXXXXXXXXXXX

The link is a mail-processing template. The problem is that, although the mail-generation template itself cannot be changed, the recipient email address and recipient name can be specified arbitrarily. And since the recipient-name field does not restrict HTML injection, I could edit the mail body and add text to other parts of the message (see the writeup for details). As follows:

Bug testing stopped

Because of Facebook's vulnerability-testing policy, I received a notice from Facebook's security team to stop testing before I had fully carried out all of the steps above.

Facebook replied that the web app was developed by a third-party partner and that, to avoid further testing risk, they would notify the third party to fix the vulnerabilities and release patches promptly. I did not get an ideal reward for this, but anyone familiar with the system knows the specific business it handles and the value of finding a high-risk intrusion vulnerability.

Vulnerability reporting timeline

2019.4.7 Initial vulnerability report

2019.4.10 Facebook confirmed receipt

2019.5.1 Facebook requested more confirming information

2019.5.21 Facebook confirmed the vulnerability's validity

2019.6.18 Facebook fixed the vulnerability

2019.7.3 Facebook awarded a $1000 bounty

That is all on how to address the RCE vulnerability that HTML-to-PDF document conversion in a Facebook system may cause. I hope the above content is of some help and that you can learn more from it. If you think the article is good, please share it so that more people can see it.
