U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacker found a way to hack Facebook by exploiting the ImageMagick flaw

The bug hunter Andrew Leonov has described how to exploit an ImageMagick flaw to remotely execute code on a Facebook server. The hacker Andrew Leonov (@4lemon) has described how to exploit the so-called ImageMagick vulnerability to remotely execute code on a Facebook server. The ImageMagick flaw, tracked as CVE-2016-3714, affects the popular image manipulation software, ImageMagick. The flaw could […]

Hacker found a way to hack Facebook by exploiting the ImageMagick flaw

The bug hunter Andrew Leonov has described how to exploit an ImageMagick flaw to remotely execute code on a Facebook server.

The hacker Andrew Leonov (@4lemon) has described how to exploit the so-called ImageMagick vulnerability to remotely execute code on a Facebook server.

The ImageMagick flaw, tracked as CVE-2016-3714, affects the popular image manipulation software, ImageMagick. The flaw could be exploited by hackers to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.

The researcher has detailed in a post the attack and also provided a proof-of-concept exploit for the hack, Facebook has awarded him with the highest payoff since now, US$40,000.

“Once upon a time on Saturday in October i was testing some big service (not Facebook) when some redirect followed me on Facebook. It was a «Share on Facebook» dialog:” wrote Leonov.

Facebook ImageMagick

https://www.facebook.com/dialog/feed?app_id=APP_ID&link=link.example.tld&picture=http%3A%2F%2Fattacker.tld%2Fexploit.png&name=news_name&caption=news_caption&description=news_descriotion&redirect_uri=http%3A%2F%2Fwww.facebook.com&ext=1476569763&hash=Aebid3vZFdh4UF1H

“Which many of you could see. If we look closer we can see that a `picture` parameter is a url. But there isn’t image url on page content like mentioned above.” added Leonov. 

The expert has discovered the vulnerability after a service redirected him to the Facebook platform, initially he was he was convinced he had discovered a server-side request forgery vulnerability.

“First of all I thought about some kind of SSRF issue. But tests showed that url from this parameter requested from 31.13.97.* network by facebookexternalhit/1.1.”

After testing the application, the expert devised the following workflow:

  • Gets `picture` parameter and requests it – this request is correct and not vulnerable
  • Received picture passes on converter’s instance which used vulnerable ImageMagick library

The management of the flaw was perfect, the expert reported the issue to Facebook through the bug bounty program in October and the IT giant fixed it in less than three days.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ImageMagick, Facebook)