I want to share my finding regarding a password reset logic flaw in Facebook's Secure File Transfer for Employees.
Sometimes, when you add a new security measure (such as secure file transfer by Accellion), you may unintentionally expose your organization to these kinds of risks.
First of all,
If you look at https://files.fb.com, you can see that this service belongs to Accellion (http://www.accellion.com/solutions/secure-file-transfer).
Now, to test for a password reset logic flaw, we need an account to test the password reset with, right?
It seems that Facebook was trying to prevent the creation of accounts in Accellion by removing the registration form from the page view.
I discovered that if you know the direct location of the form (/courier/web/1000@/wmReg.html), you can easily bypass that protection and create an account on files.fb.com.
This vulnerability has now been fixed and you can't open a new account on files.fb.com. Fixed:
OK, so now we have a new account on files.fb.com, right? Cool!
The next step was to download the 45-day trial of the Accellion Secure File Sharing service (http://www.accellion.com/trial-demo).
I realized that there are two kinds of Accellion trial versions:
1. Free 45 Day Cloud Hosted Trial (5 users)
2. Free 45 Day Virtual Trial (5 users)
So I chose the VM (virtual) trial, just to get all the files and source code of the Accellion application.
The "bad news" was that the VM trial has a protection and you can't access the files through the VM version.
Anyway, you can bypass it by mounting the virtual drive in a second Linux machine.
This made it possible to get all the file names and folders in Accellion Secure File Transfer.
Accellion encrypts the contents of their PHP source files using the ionCube PHP Encoder (http://www.ioncube.com/sa_encoder.php).
In some older versions of ionCube you can decrypt these "encrypted" files:
Bad news again! This version of ionCube was not vulnerable to decryption. I was disappointed, because if I had the source, I had the core.
This could have helped me find more cool issues such as command execution, local file inclusion, etc.
Anyway, I dropped this subject and kept my research going.
I found an interesting file called wmPassupdate.html.
This file is used for password recovery in Accellion Secure File Transfer.
I realized that there is another parameter in the cookie when you try to recover your password in wmPassupdate.html.
This parameter is called referer. I found that the value of this parameter uses Base64 encoding. WTF? I didn't think Base64 (as encryption) was still alive these days. Yes, it appears so :)
So I decoded the Base64 value, and the decoded data turned out to be my email address ("dbeckyxx@gmail.com"). Cool! I started deleting all the "junk" unneeded cookie parameters and kept only the referer parameter.
I Base64-encoded a different email of my test account on files.fb.com and then copied it into the referer cookie parameter.
Then I changed the email address parameter in my POST request to the victim's email account and changed pass1 and pass2 to my chosen password.
And
PoC Image:
PoC Video:
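As an added example (not code from this write-up and not Accellion's code), the following Python models the reset logic flaw described above next to a hardened flow: the flawed handler takes the account to reset from client-controlled input (the Base64 referer cookie and the email form field), while the hardened handler binds the reset to a random, single-use, expiring token generated server-side, so the form can no longer name the account. The in-memory user store, field names and helper names are assumptions.

```python
import base64, hashlib, secrets, time

# Constructed in-memory stores standing in for the application's user and token tables.
USERS = {"attacker@example.com": "old-a", "victim@example.com": "old-v"}
RESET_TOKENS = {}  # sha256(token) -> (email, expiry)

def referer_cookie(email: str) -> str:
    """Models the cookie seen in the write-up: just the e-mail, Base64-encoded (encoding, not secrecy)."""
    return base64.b64encode(email.encode()).decode()

def flawed_reset(cookies: dict, form: dict) -> str:
    """Models the flaw: the account being reset is chosen by the client (form 'email'),
    and the referer cookie is decoded but is bound to nothing the client can't forge."""
    base64.b64decode(cookies["referer"]).decode()  # decoded, never checked against anything secret
    email = form["email"]
    if form["pass1"] != form["pass2"] or email not in USERS:
        return "error"
    USERS[email] = form["pass1"]
    return "ok"

def issue_reset_token(email: str, ttl_seconds: int = 900) -> str:
    """Hardened flow, step 1: a random, single-use token is generated server-side and
    bound to the requesting account; only its hash is stored, so a leaked table can't be replayed."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + ttl_seconds)
    return token  # delivered out of band (e-mail) to the account owner only

def hardened_reset(form: dict) -> str:
    """Hardened flow, step 2: the account to update comes from the token record, never from
    the form, and the token is consumed on first use and rejected after expiry."""
    digest = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)  # pop: a token can be used exactly once
    if record is None or record[1] < time.time():
        return "invalid token"
    if form["pass1"] != form["pass2"]:
        return "error"
    USERS[record[0]] = form["pass1"]
    return "ok"
```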
Facebook and Accellion fixed these issues. I also reported 20+ different bugs in the Accellion Secure File Transfer service, and they fixed all of them :) Soon I will publish an OAuth bypass in Facebook.com. Cya next time!
Source: http://www.nirgoldshlager.com/