Arbitrary code execution on Facebook for Android through download feature

Recently I discovered an ACE on Facebook for Android that can be triaged through download file from group Files Tab without open the file.

I was digging on the method that Facebook use to download files from group, I have found that Facebook use tow different mechanism to download files. If the user download the file from the post itself It will be downloaded via built-in android service called DownloadManager as far as I know It safe method to download files. If the user decide to download the file from Files Tab It will be downloaded through different method, In nutshell the application will fetch the file then will save it to Download directory without any filter.

Notice: the selected code is the fix that Facebook pushed. The vulnerable code was without this code.

The vulnerability was in the second method, security measures was implemented on the server side when uploading the files but It was easy to bypass. Simply the application fetch the download file and for example save the file to /sdcard/Downloads/FILE_NAME without filter the FILE_NAME to protect against path traversal attacks. First idea came to my mind is use path traversal to overwrite native libraries which will leads to execute arbitrary code.

I have set up my burp suite proxy then Intercepted upload file request and modify the filename to ../../../sdcard/PoC then forward the request.

Unfortunately It wasn’t enough due of the security measures on the server side, my path traversal payload was removed. I decide to play with the payload but unfortunately no payload worked.

After many payloads, I wasn’t able to bypass that filter. I came back to browse the application again may find something useful, It came!

For first time, I noticed that I can upload files via Facebook mobile application. set-up burp suite proxy on my phone, enable white-hat settings on the application to bypass SSL pinning, intercepted upload file request, modify the filename to ../../../sdcard/PoC, file uploaded successfully and my payload is in the filename now!

I tried to download the file from the post, but DownloadManger service is safe as I told so the attack didn’t work. Navigated to Files Tab, download the file. And here is our attack. My file was wrote to /sdcard/PoC!

As I was able to preform path traversal, I can now overwrite the native libraries and preform ACE attack.

To exploit that attack I start new android NDK project to create native library, put my evil code on JNI_OnLoad function to make sure that the evil code will execute when loaded the library.

I built the project to get my malicious library, then upload it by mobile upload endpoint and renamed it to /../../../../../data/data/com.facebook.katana/lib-xzs/libbreakpad.so

Our exploit now is ready!

PoC Video: https://youtu.be/j0darcE5apo

April 29, 2020 at 5:57 AM: Subbmited the report to facebook.
April 29, 2020 at 11:20 AM: Facebook were able to reproduce it.
April 29, 2020 at 12:17 PM: Traiged.
June 16, 2020 at 12:54 PM: Vulnerability has been fixed.
July 15, 2020 at 5:11 PM: Facebook rewarded me $10,000!

Bounty

I noticed people commented on the amount of bounty when I tweet about the bug, It small? I was shocked and objected to it and tried to discuss Facebook, but noway they say that amount is fair and they won’t revisiting this decision. As Neal told me: Spencer provided you with insight into how we determined the bounty for this issue. We believe the amount awarded is reasonable and will not be revisiting this decision.

It’s up to you to decide before you report your vulnerabilities! Vendor or?

Have a nice day!