Orange Tsai hacks the social media giant – again
A security researcher gained access to internal Facebook systems by exploiting a vulnerability in a popular Mobile Device Management (MDM) product.
Taiwanese researcher Orange Tsai detailed how he was able to achieve unauthenticated remote code execution (RCE) on a popular MDM due to a previous security flaw that he found in 2018.
Tsai explained that he made his latest discovery while hunting for vulnerabilities in MobileIron, which is used by enterprises to manage devices used by employees.
MDM products are used to securely manage personal devices when they are connected to corporate networks.
The researcher chose MobileIron as his intended target due to its sizeable customer base, which exceeds 15,000 worldwide and includes social media site Facebook.
While hunting for vulnerabilities, Tsai concluded that MobileIron was vulnerable to the Breaking Parser Logic attack he revealed in 2018.
The attack leverages inconsistent parsing between system components to bypass authentication.
“This technique leverage[s] the inconsistency between the Apache and Tomcat to bypass the ACL control and reaccess the Web Service,” wrote the researcher in a blog post documenting his latest findings.
The exploit allowed the researcher to gain access to the deserialization of the enrolment and management interface.
After a few failed attempts to gain RCE – including achieving a JNDI injection which can then be exploited, leading to RCE – Tsai discovered that MobileIron was using an outdated version of the Apache Groovy library.
A critical vulnerability (CVE-2015-3253) in Groovy 2.4 and below can allow an attacker to achieve RCE by exploiting a Java deserialization bug.
“When an application has Groovy on the classpath and uses standard Java serialization mechanisms to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized,” a security advisory from Apache Groovy reads.
All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability, it added.
MobileIron was using Groovy version 1.5.6, which was vulnerable to the attack. Therefore Tsai was able to use this attack to hack Facebook.
Zest for success
Tsai reported his findings to MobileIron and three CVEs were issued. The company has since patched the issue.
He also reported it to Facebook’s bug bounty program. The report on HackerOne's platform has not been published.
One takeaway from this latest hack is that developers should keep an eye on outdated dependencies that could leave an application open to exploit, a view echoed by Tsai.
“Since Groovy is an internally used library, developers won’t update it if there is no emergency,” he wrote.
“The outdated Groovy could also be a good case study to demonstrated how a harmless component can leave you compromised!”