Command Injection Through BLH

Shankar R
Shankar R
Nov 14 · 3 min read

Hi I am Shankar R ( @trapp3r_hat) from Tirunelveli (India). I hope you all doing good. I am a security researcher from the last few years. Yes absolutely am doing bug bounty in the part-time because I am working as a Security Consultant at Penetolabs Pvt Ltd(Chennai).

Thank you guys to appreciating my previous blog posts

In this blog I am going to explain about nice bug which is leads to command injection on the victim without aware of installing malicious file.

Bug Type: Broken Link Hijacking(BLH)

Concept:

Almost everyone has heard of subdomain hijacking but what about broken link hijacking. These two vulnerabilities are very similar the major difference is that one involves a subdomain while the other involves an expired link on a page.

Here I have found the BLH in official Facebook github repository which is leads to command injection on the victim without any user awareness. Because the user trusts the malicious file which is delivered from the broken link which is takeover by the attacker using Broken Link Hijacking attack

Thanks to Sreeram KL who guided me to learn about this bug.

Enumeration:

I have found a broken link using simple github dork

DORK: org:facebook “s3.amazonaws.com”

Note: You can replace the other services which are also vulnerable to sub-domain takeover vulnerability. Because we can takeover the services which is pointed to the broken link can be used by the attacker against the target.

While analyzing the dork results, I came across some Shell files that
contained reference to an s3 bucket which doesn’t exist anymore:

An attacker can simply takeover that bucket and place a malicious ZIP file in the same path as shown in the above image “/memnn/kvmemnn/data.tar.gz”

Steps To Reproduce:
1,Create an Amazon s3 bucket named “fair-data
2,Create a folder called “memnn
3,Create another folder called “kvmemnn
4,Place your malicious ZIP file named “data.tar.gz

Impact:

Here the attacker can able to make command injection attack in the victim machines. Because the official facebook github repository has broken link been placed inside the bash file which is controlled by the attacker. The victim trusts the shell file which is mentioned in the facebook repository

Status: Fixed

The facebook team has simply removed the file “Setup_Processed_Data.sh” from the repository

Response from the Facebook:

Due to some limitations to make the command injection vulnerability needs some user interaction to run the file once it is downloaded i.e “Setup_Processed_data.sh” . So the FB team has marked my report as “Informative”. This is my 4th Informative bug from FB this year😜😜😜

Picture: Facebook Response

References:

    Shankar R

    Written by

    Shankar R

    Security Researcher | IBM Certified Associate Administrator Security QRadar SIEM V7.2.8 | Penetration Tester

    Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
    Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
    Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade