Path traversal flaw leads to RCE

Facebook has awarded $10,000 for a RCE bug in its mobile app

A security vulnerability in the download feature of Facebook’s Android application could be exploited to launch remote code execution (RCE) attacks.

Facebook’s app uses two different methods of downloading files from a group: a built-in Android service called DownloadManager and a second method, Files Tab.

Security researcher Sayed Abdelhafiz discovered a path traversal flaw in the second method. This was achieved by intercepting an upload file request using Burp Suite.

In a blog post published last week, Abdelhafiz explained how the Files Tab flaw enabled the researcher to launch RCE attacks against a target device.

Read more of the latest bug bounty news

Abdelhafiz wrote: “I noticed that I can upload files via Facebook mobile application. I set up Burp Suite proxy on my phone, enable white-hat settings on the application to bypass SSL pinning, intercepted upload file request, modify the filename to ../../../sdcard/PoC, file uploaded successfully and my payload is in the filename now!

“I tried to download the file from the post, but DownloadManager service is safe… so the attack didn’t work. Navigated to Files Tab, download the file. And here is our attack. My file was [written] to /sdcard/PoC!”

Abdelhafiz explained how he was then able to overwrite the native libraries to perform an arbitrary code execution attack, he said.

“To exploit that attack I start new android NDK [Native Development Kit] project to create native library, put my evil code on JNI_OnLoad function to make sure that the evil code will execute when loaded the library.

“I built the project to get my malicious library, then upload it by mobile upload endpoint and renamed it to /../../../../../data/data/com.facebook.katana/lib-xzs/”

The vulnerability can enable an attacker to access to all of the privileges a user has allowed Facebook to have, including access to the camera and microphone, Abdelhafiz told The Daily Swig

If chained with a privilege escalation bug, it could give an attacker control over the whole device.

Reasonable reward?

Facebook awarded $10,000 for the discovery, which Abdelhafiz said he contested when some of his Twitter followers criticized what they deemed to be a relatively low payout, given the severity of the flaw.

Indeed, Facebook has handed out much larger rewards for code execution bugs in the past – it’s highest ever bug bounty payout was $34,000 for an exploit that opened the door to RCE.

Abdelhafiz told The Daily Swig: “After I found the RCE in Facebook, I expected that my bug will be rewarded like the average RCE which is usually rewarded at around $30k.

“When I got the bounty email, I was really shocked. The amount of the reward was far below any RCE that I know of.

“I tried to discuss the amount with them but they insisted that the amount was fair. They reasoned this saying that the bug required user interaction which in their opinion lowers the risk bar.

“Normally, I would not mention the bounty section in my write up but since this one raised conflict, I wanted to know the opinion of the community. I don't think I will discuss this further.

“The policies are clear and Facebook reserves the right to have the final say regarding the bounty. I just hope in the future they will make more fair decisions regarding the bounty amounts.”

YOU MAY ALSO LIKE Researcher scoops $31k Facebook bug bounty for flagging SSRF vulnerabilities 

He added: “As for the triage process, it was one of the fastest triaging processes I ever went through.

“The team triaged my bug within a few hours of my initial report. This is well known fact about Facebook, they are one of the fastest teams to triage and fix critical bugs.

“The PoC I submitted was so simple yet they were able to use it to verify the bug without any problems.”

The Daily Swig has reached out to Facebook for comment on this and will update this article accordingly.

RELATED Internal Facebook systems exposed via unpatched Apache library