Facebook vulnerability allowed remote code execution

Apparently user’s information has not been compromised

A vulnerability has been patched in a Facebook server that could have enabled information disclosure and command execution. The compromised service was Sentry, an open-source error tracking application that helps developers control and correct flaws in real time. It’s written in Python with the Django framework.

Cyber security organization researchers were examining the application and saw that the stack traces (lists of the stack of functions at the time of an error) appeared regularly on the page. Thus, the researchers concluded that the application seemed unstable respect to the user’s password-reset function, which was occasionally blocked.

More important, these stack traces were triggering full printouts of the entire application, albeit with some critically information.

According to cyber security organization experts, Django’s debugging mode was not disabled, which consequently prints the whole environment when a stack trace occurs. However, Django cuts critical information (passwords, secrets, keys) on those pile traces, thus avoiding a massive leak of information.

Still, the stack traces revealed enough pieces of information to build an exploit to execute commands on the system. For example, the name of the session cookie, the session serializer that uses the Pickle binary protocol to deserialize the structure of Python objects, the session engine, and a list of Sentry configuration information that contains a secret key used for the session.

The SENTRY_OPTIONS list contains a key called system.secret-key, which is not cut and is used for session logging. If this is compromised, it is important to regenerate it because otherwise it is much easier to hijack user sessions.

Knowing this, the investigators discovered that they could create their own session containing arbitrary code to execute commands on the system. To test the mechanism, they wrote a simple script with an arbitrary load on a specially designed SENTRYSID cookie. The payload was a “sleep 30” command, when using this cookie, the page actually takes an additional 30 seconds to load, confirming the flaw’s presence.

“It seems that Facebook could not completely eradicate the data returned by a public web application vulnerability”, the experts mentioned. “This is a common problem in the cyber security organization world”.

Facebook recognized the vulnerability and disabled the system on the same day as it prepared an update patch. The problem was solved about a week later.

Cyber security organization specialists from the International Institute of Cyber Security commented that although the vulnerability did not directly affect Facebook users, as it was a disclosure of information in a third-party application that Facebook was running on some of their servers that seemed to be disconnected from user information, is an important reminder of the challenge of applying security patches on a business scale.