Command Injection Through BLH

Hi I am Shankar R ( @trapp3r_hat) from Tirunelveli (India). I hope you all doing good. I am a security researcher from the last few years. Yes absolutely am doing bug bounty in the part-time because I am working as a Security Consultant at Penetolabs Pvt Ltd(Chennai).

Thank you guys to appreciating my previous blog posts

In this blog I am going to explain about nice bug which is leads to command injection on the victim without aware of installing malicious file.

Bug Type: Broken Link Hijacking(BLH)

Concept:

Almost everyone has heard of subdomain hijacking but what about broken link hijacking. These two vulnerabilities are very similar the major difference is that one involves a subdomain while the other involves an expired link on a page.

Here I have found the BLH in official Facebook github repository which is leads to command injection on the victim without any user awareness. Because the user trusts the malicious file which is delivered from the broken link which is takeover by the attacker using Broken Link Hijacking attack

Thanks to Sreeram KL who guided me to learn about this bug.

Enumeration:

I have found a broken link using simple github dork

DORK: org:facebook “s3.amazonaws.com”

Note: You can replace the other services which are also vulnerable to sub-domain takeover vulnerability. Because we can takeover the services which is pointed to the broken link can be used by the attacker against the target.

While analyzing the dork results, I came across some Shell files that
contained reference to an s3 bucket which doesn’t exist anymore:

Image for post
Image for post

An attacker can simply takeover that bucket and place a malicious ZIP file in the same path as shown in the above image “/memnn/kvmemnn/data.tar.gz”

Steps To Reproduce:
1,Create an Amazon s3 bucket named “fair-data
2,Create a folder called “memnn
3,Create another folder called “kvmemnn
4,Place your malicious ZIP file named “data.tar.gz

Image for post
Image for post

Impact:

Here the attacker can able to make command injection attack in the victim machines. Because the official facebook github repository has broken link been placed inside the bash file which is controlled by the attacker. The victim trusts the shell file which is mentioned in the facebook repository

Status: Fixed

Reward: 500$ on 16 Jan 2020

The facebook team has simply removed the file “Setup_Processed_Data.sh” from the repository

Response from the Facebook:

Due to some limitations to make the command injection vulnerability needs some user interaction to run the file once it is downloaded i.e “Setup_Processed_data.sh” . So the FB team has marked my report as “Informative”. This is my 4th Informative bug from FB this year😜😜😜

Image for post
Image for post
Picture: Facebook Response

After some analysis Facebook team has rewarded bounty on 17 Jan 2020.

Image for post
Image for post

References:

Written by

Security Researcher | IBM Certified Associate Administrator Security QRadar SIEM V7.2.8 | Penetration Tester

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store