Wednesday, January 20, 07:34

Orange Tsai: How (again) I hacked Facebook!

The following article is about the personal experience of Orange Tsai, so it reproduces his own words on how he managed to hack Facebook once again.

Hi, a long time has passed since my last article. This new post is about my research this March on how I found vulnerabilities in a flagship Mobile Device Management product and the obstacles I overcame to achieve remote code execution.

All vulnerabilities have been reported to the vendor and were fixed in June. After that, we monitored big companies to track the overall progress of the patch, and we found that Facebook had not kept up with the patch for more than 2 weeks, so we tried to seize the opportunity!

As a Red Team, we are always looking for new ways to penetrate corporate networks. This time we are investigating attack surfaces that concern security operations, and we are interested in MDM, so the following article is about it!

What is MDM?

Mobile Device Management, also known as MDM, is a data evaluation system that makes employee BYOD (Bring Your Own Device) more manageable for businesses. MDM can guarantee that the devices operate in accordance with corporate policy and in a reliable environment.

Our goal

MDM, as the central system, can manage and control all employees' devices. It is undoubtedly an ideal target for hackers. Therefore, we have seen hackers and APT groups abusing MDM all these years!

From previous cases, we know that MDM is a constant target for hackers, so we wanted to do some research. There are many MDM solutions, even from reputable companies like Microsoft, IBM and Apple.

We have recorded well-known MDM solutions and scanned corresponding patterns all over the internet. We found that the most common MDMs are VMware AirWatch and MobileIron!

So why did we choose MobileIron as our goal? According to their official website, more than 20,000 companies have chosen MobileIron as their MDM solution. We also know that Facebook has been exposing its MobileIron server since 2016. We also analyzed the Fortune Global 500 and found that over 15% use MobileIron and expose the server to the public! For the above reasons, it became our main goal!

The version we researched was released at the beginning of 2018. It looks a bit old, but it is better than nothing!

Finding vulnerabilities

After we finally completed the test environment, we saw that the component is Java-based and exposes three ports:

  • 443 - the user registration interface
  • 8443 - the device management interface
  • 9997 - MobileIron device synchronization protocol (MI protocol)

All open ports are encrypted with TLS. Apache sits in front of the web section and forwards all connections to the backend, a Tomcat with Spring MVC.

Due to Spring MVC, it is difficult to find traditional vulnerabilities such as SQL Injection or XSS.

Speaking of the vulnerability, the root cause is simple. Tomcat exposes a Web Service that deserializes user input in the Hessian format. However, this does not mean that we can do everything! Overcoming this is the main effort of this article, so see the exploitation below:

Although we know that the Web Service deserializes user input, we cannot trigger it. The endpoint is present on both:

We can only "touch" the deserialization (the process of restoring an object from a serialized data format) through the management interface, because the user interface blocks access to the Web Service.

MobileIron relied on Apache Rewrite Rules to block access to the Web Service. Apache sits in front as a reverse proxy, and the backend is a Java-based web server.

Exploitation of vulnerabilities

Moritz Bechler has done awesome research, summarizing the "Hessian deserialization" vulnerability in his whitepaper called Java Unmarshaller Security. From the marshalsec source code, we learn that Hessian deserialization triggers `equals()` and `hashCode()` while rebuilding a HashMap. It can also trigger `toString()` via XString, and the gadgets known to be exploitable so far are:

  • Apache XBean
  • Resin
  • Spring AOP
  • ROME EqualsBean / ToStringBean

In our environment, we could only trigger the Spring AOP gadget chain and perform a JNDI Injection. Once the JNDI Injection is performed, the rest is easy!
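The security-relevant point of the gadget discussion above is that a deserializer which rebuilds a hash map has to call `hashCode()` (and on collision `equals()`) on every key it reconstructs, so code inside those methods runs with nothing more than a crafted payload. Python's `pickle` and `dict` behave the same way (`__hash__` / `__eq__`), which makes the mechanism and its standard mitigation, an allowlist of classes the deserializer may instantiate, easy to observe. The example below is added here for illustration; it is not code from Orange Tsai's post or from MobileIron, and `LoggingKey`, `AllowlistUnpickler`, `build_payload`, `load_unrestricted` and `load_restricted` are constructed names.

```python
import io
import pickle

class LoggingKey:
    """Constructed key type: records every time the runtime hashes or compares it.

    In a real gadget chain these methods would do something far less benign;
    here they only append to a list so the trigger is observable.
    """
    calls = []

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        LoggingKey.calls.append(("hash", self.name))
        return hash(self.name)

    def __eq__(self, other):
        LoggingKey.calls.append(("eq", self.name))
        return isinstance(other, LoggingKey) and self.name == other.name


def build_payload() -> bytes:
    """Constructed sample payload: a dict whose keys are LoggingKey objects."""
    payload = pickle.dumps({LoggingKey("a"): 1, LoggingKey("b"): 2})
    LoggingKey.calls.clear()  # drop the hashes recorded while building the dict
    return payload


def load_unrestricted(payload: bytes) -> list:
    """Plain pickle.loads: rebuilding the dict hashes each reconstructed key,
    so LoggingKey.__hash__ runs purely as a side effect of deserialization."""
    LoggingKey.calls.clear()
    pickle.loads(payload)
    return list(LoggingKey.calls)


class AllowlistUnpickler(pickle.Unpickler):
    """Mitigation: refuse to resolve any class that is not explicitly allowed.

    The allowlist is empty here, so no user-defined key type can be instantiated
    and the dict is never rebuilt from attacker-controlled objects.
    """
    ALLOWED = set()  # e.g. {("builtins", "complex")} for a type you really need

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load class {module}.{name}")


def load_restricted(payload: bytes) -> tuple:
    """Deserialize through the allowlist; report whether it loaded and which
    key methods ran (none, if the class lookup is refused first)."""
    LoggingKey.calls.clear()
    try:
        AllowlistUnpickler(io.BytesIO(payload)).load()
        return ("loaded", list(LoggingKey.calls))
    except pickle.UnpicklingError:
        return ("refused", list(LoggingKey.calls))


if __name__ == "__main__":
    data = build_payload()
    print("unrestricted:", load_unrestricted(data))  # hash called for "a" and "b"
    print("restricted:  ", load_restricted(data))    # ("refused", [])
```

The unrestricted load shows `__hash__` firing for both keys before the caller ever touches the result, which is exactly why the Hessian-to-HashMap path is dangerous. The allowlist refuses the class lookup before any key object exists, so nothing runs; the same idea underlies the class allow/deny filters available for Java deserializers.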

Attack on Facebook

We now have a perfect RCE (remote code execution) combining JNDI Injection, Tomcat BeanFactory and GroovyShell. It's time to hack Facebook!

As mentioned, we knew that Facebook had been using MobileIron since 2016. Although the server now responds with 403 Forbidden, the Web Service is still accessible!

A critical vulnerability (CVE-2015-3253) in Groovy 2.4 allowed us to achieve RCE by exploiting a Java deserialization flaw.

MobileIron uses Groovy version 1.5.6, which was vulnerable to this attack. Therefore, we were able to use it to hack Facebook.

Source: blog.orange.tw
