How an Instagram Story drove me to a Remote Code Execution.

DISCLAIMER

All information shared is for educational purposes only. Use it at your own discretion and remember: you are responsible for any damage caused. Actually, think about how this hack was possible, how it could have happened and, if you’re a dev, make sure to build more secure systems than that.
The views expressed in this article are my own and do not necessarily reflect the views of other people.

INTRODUCTION

These days are very hot in the infosec community, especially here in Italy. There are only a few days left before the next political elections and two of the biggest political parties have been hacked, at different levels and in different ways [1][2][3]. The discussion about *ethical hacking* reached its peak when a student was reported for revealing a huge vulnerability in Rousseau, a major web platform of the “Movimento 5 Stelle”, currently the biggest Italian political party.

I don’t want to add more to this discussion, since enough has already been said, so I thought it would be cool to share my view of *ethical hacking* through a critical vulnerability that I found by chance thanks to an interesting Instagram Story.

Instagram Stories: a brief introduction

A simple but effective way to describe the idea behind Instagram Stories is the following statement, which I found on a marketing website [4] and translated into English for the readers:

After the appropriate corrections, this statement looks perfect for the story I‘m going to share with you:


CHAPTER 1: “not interesting..” <swipe> “still not interesting..” <swipe> “again not interest…oh sh*t!”

As already said in the introduction, during a sleepless night a particular Instagram Story caught my attention:

At first glance it appears innocent: this person just posted a pic about his/her upcoming school trip. Nothing new, I guess almost everyone sees pictures like these on Instagram every single day.

But if you look closer it’s possible to see something more interesting:

Yes, that’s a password (redacted for obvious reasons) and a web address of a login portal (also redacted for the same reasons). At the time I didn’t know whether it was worth it or not, but I tried to reach that address and the following page appeared:

Login page. (ENG: “Attention. You’re entering a restricted area”)

I guessed I had all the information needed, so I typed in the password I had found and it worked.

The following picture shows the successful login:

Successful login. (ENG: “Play the video” and “Enter the site”)
“Ok cool, but I don’t think there is too much I can do here. I don’t want to start poking around the web application looking for bugs etc…”

CHAPTER 2: keep exploit attempts away

I started looking around without forcing anything, acting like a normal user. This portal offers a summary of the upcoming trip of the person who posted the photo on Instagram.

School lessons timetable.

It’s possible to retrieve useful information such as lesson timetables, addresses of schools and hotels, names of the teachers involved and their cellphone numbers. I mean, there is some sensitive information, but nothing very interesting here, also because a student can only access the information of his own school trips; he can’t see information about other school trips. Well, not really.

I started looking at the URL in the browser while I was browsing the website and I noticed that all the pages I could reach were on the same sub-domain. A couple of examples (the original folder names have been changed):

  • subdomain.domain.it/site/21443/docs/12231/TimeTable.pdf
  • subdomain.domain.it/presentation/31223/index.html
  • etc..

So I browsed to the root directory of subdomain.domain.it and this page appeared in front of me:

Second login page found

Ok, the temptation here was very strong, but I had already decided not to try to exploit anything. Sorry, no injection attempts here.

What I did was a “manual knock-knock approach”: just a couple of common auth combinations, also with the password found previously, but nothing was working and it was sad. Sorry, no bruteforce here.

After a few knock-knocks I decided to try to open the door without using any key, and surprisingly it worked.

No username and no password were actually the credentials used. Welcome to 2018, guys.

CHAPTER 3: Welcome back administrator!

After successfully logging in, the web application shows the following dashboard:

Administrator dashboard found

Now I have access to all the trips scheduled (upcoming and already ended). ¯\_(ツ)_/¯

From now on, I can arbitrarily modify every single trip’s information, as the following image shows:

But the best feature I found was the following one:

Yes, arbitrary file upload. This function is used to attach .pdf files with the trip’s information for the students.

But, what if I try to upload a “non-pdf” file? Let’s start with a text file:

Arbitrary files upload: txt file

It worked, so it seems that there is no check on the file’s extension. Let’s try with a tiny .php file as follows (the full opening tag is `<?php`; a space after `<?` would not be parsed):

<?php echo "test"; ?>

As a penetration tester, finding the ability to run arbitrary PHP code on a web server is obviously considered pretty bad:

Arbitrary files upload: php file

But there you go.. BINGO! The web server successfully interpreted my tiny PHP file and I had everything I needed in order to try to execute arbitrary code on this machine.
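The two things that made this work were the missing extension check and the fact that the upload directory was served by the PHP interpreter. As an added example (not the vendor’s code, and not taken from the original post), here is how an upload handler for this “attach a .pdf” feature could validate the file and store it in a way that prevents an uploaded script from ever being executed; the field name `document`, the directory `UPLOAD_DIR` and the size limit are assumptions.

```php
<?php
// Hardened PDF upload handler (added example, assumed names/paths).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads'; // assumption: outside the web root
const MAX_BYTES  = 10 * 1024 * 1024;            // assumption: 10 MiB is enough for a timetable

/**
 * Validate one $_FILES entry and return the server-chosen path it was stored at.
 * Throws RuntimeException on anything that is not a well-formed PDF.
 */
function store_pdf(array $file): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $code);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 1. Extension allow-list: the client-supplied name is untrusted, so only its
    //    extension is inspected and the name itself is never reused on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        throw new RuntimeException('Only .pdf files are accepted');
    }
    // 2. Content check: sniff the real type from the bytes, not from the
    //    "type" field the browser sent (which is also attacker-controlled).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('Rejected content type ' . $mime);
    }
    // 3. Server-chosen name: random, fixed extension, no path components, so a
    //    file like "new_settings.php" can never be written, let alone executed.
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application user only, never executable
    return $dest;
}

try {
    echo 'Stored as ' . basename(store_pdf($_FILES['document'] ?? []));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . $e->getMessage();
}
```

As defence in depth, the directory that serves the uploaded documents should also have script execution disabled in the web server configuration (for Apache with mod_php, `php_admin_flag engine Off` inside that directory’s block), so that a future bug in the validation still cannot turn an upload into code execution.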

RCE dance

CHAPTER 4: RCE!

In order to demonstrate the RCE I uploaded a PHP agent generated with weevely3: the agent is small, hard to detect by AV software, and the communication between the client and the agent is obfuscated within HTTP requests.

This is the obfuscated PHP agent uploaded:

PHP agent created with weevely3

I renamed it as “new_settings.php” and successfully uploaded it to the server:

After that I connected to the agent as follows and voilà:

Successfully connected to the weevely php agent

Remote Code Execution successfully obtained!

I guess I’m done with it; it’s time to inform the vendor about what I found. How will they react to this?


CHAPTER 5: Responsible disclosure

  • 26 February 2018: first email sent to the vendor. I also wrote on the “Support Live Chat” on their website. No immediate answer received.
  • 27 February 2018: second email sent to the vendor. A first email was also sent to the agency that developed this website.
  • 27 February 2018: first answer from the agency: they are in contact with their client in order to solve the problem.
  • 28 February 2018: they fixed the login page, but still no answer from them.

References:

[1] https://www.agi.it/politica/hacker_movimento_5_stelle-3461812/news/2018-02-08/

[2] http://formiche.net/2018/02/hacker-rousseau-polizia-postale/

[3] https://www.ilfattoquotidiano.it/2018/02/06/hackerato-il-sito-del-pd-di-firenze-anonplus-ci-sono-dati-di-matteo-renzi-dem-roba-vecchia/4140764/

[4] http://www.ninjamarketing.it/2018/02/19/le-instagram-stories-stanno-cambiando-cosa-dovrebbe-tenere-a-mente-ogni-brand/