Hi I am Shankar R ( @trapp3r_hat) from Tirunelveli (India). I hope you all doing good. I am a security researcher from the last few years. Yes absolutely am doing bug bounty in the part-time because I am working as a Security Consultant at Penetolabs Pvt Ltd(Chennai).
Thank you guys to appreciating my previous blog posts
In this blog I am going to explain about nice bug which is leads to command injection on the victim without aware of installing malicious file.
Bug Type: Broken Link Hijacking(BLH)
Almost everyone has heard of subdomain hijacking but what about broken link hijacking. These two vulnerabilities are very similar the major difference is that one involves a subdomain while the other involves an expired link on a page.
Here I have found the BLH in official Facebook github repository which is leads to command injection on the victim without any user awareness. Because the user trusts the malicious file which is delivered from the broken link which is takeover by the attacker using Broken Link Hijacking attack
Thanks to Sreeram KL who guided me to learn about this bug.
I have found a broken link using simple github dork
DORK: org:facebook “s3.amazonaws.com”
Note: You can replace the other services which are also vulnerable to sub-domain takeover vulnerability. Because we can takeover the services which is pointed to the broken link can be used by the attacker against the target.
While analyzing the dork results, I came across some Shell files that
contained reference to an s3 bucket which doesn’t exist anymore:
An attacker can simply takeover that bucket and place a malicious ZIP file in the same path as shown in the above image “/memnn/kvmemnn/data.tar.gz”
Steps To Reproduce:
1,Create an Amazon s3 bucket named “fair-data”
2,Create a folder called “memnn”
3,Create another folder called “kvmemnn”
4,Place your malicious ZIP file named “data.tar.gz”
Here the attacker can able to make command injection attack in the victim machines. Because the official facebook github repository has broken link been placed inside the bash file which is controlled by the attacker. The victim trusts the shell file which is mentioned in the facebook repository
Reward: 500$ on 16 Jan 2020
The facebook team has simply removed the file “Setup_Processed_Data.sh” from the repository
Response from the Facebook:
Due to some limitations to make the command injection vulnerability needs some user interaction to run the file once it is downloaded i.e “Setup_Processed_data.sh” . So the FB team has marked my report as “Informative”. This is my 4th Informative bug from FB this year😜😜😜
After some analysis Facebook team has rewarded bounty on 17 Jan 2020.