November 26, 2018

Facebook Source Code Disclosure in ads API

Categories: Security Research, Writeup

Previously I was more familiar with the Windows NT model and its Windows Phone. I saw that many people were actively hunting bugs on Facebook and receiving bug bounty awards, so I thought I would join them and get my name on the Facebook Whitehat page. I had already been listed twice on the Microsoft Hall of Fame page for reporting operating system issues.
It was October 2017. I had just started web application pentesting and was completely unfamiliar with the OWASP Top 10. I was just digging around HTTP requests and reading other writeups, which taught me a lot.

Within a month or two I discovered a vulnerability in the Facebook Ads API.
The Graph API call used to upload ad images to an advertising account, the /adimages endpoint, takes an image in base64 form in the "bytes" parameter. So it is possible to embed a malicious payload in an image, encode the image as base64 and upload it to the server.

Request

POST /v2.10/act_123456789/adimages HTTP/1.1
Host: graph.facebook.com

Bytes=VGhpcyBpcyBtYWxpY2lvdXMgcGF5bG9hZC4=

Because the malformed image was not handled, the image resizing tool failed. Instead of a generic error, the JSON response returned the raw exception: the resizer's error message, the path and line of the file that threw it, and the full stack trace naming internal PHP functions and files across various Facebook library files, in effect a small piece of the source code.

Response

HTTP/1.1 200 OK

{
  "error": {
    "message": "Invalid parameter",
    "type": "FacebookApiException",
    "code": 100,
    "error_data": "exception 'Exception' with message 'gen_image_rescale_multi_thrift call to shrinkImageMulti failed with fbalgo exception: 43 (43: : IDAT: invalid distance too far back)' in \/var\/www\/flib\/resource\/filesystem\/upload\/upload.php:1393\nStack trace:\n#0 \/var\/www\/flib\/resource\/filesystem\/upload\/upload.php(1662): gen_image_rescale_multi_thrift()\n#1 \/var\/www\/flib\/ads\/admanager\/adupload\/adupload.php(252): gen_image_rescale_multi()\n#2 \/var\/www\/flib\/ads\/admanager\/adupload\/AdImageUtils.php(195): _gen_adupload_image_resize()\n#3 \/var\/www\/flib\/ads\/entities\/creatives\/photos\/AdproCreativePhotoDownload.php(53): AdImageUtils::genResizeLocalFile()\n#4 \/var\/www\/flib\/platform\/graph\/resources\/adaccount\/adimages\/mutators\/GraphAdAccountAdImagesPost.php(134): AdproCreativePhotoDownload::addLocalFileToCreativeLibrary()\n#5 \/var\/www\/flib\/core\/data_structures\/utils\/Arrays.php(440): Closure$GraphAdAccountAdImagesPost::genImplementation#3()\n#6 \/var\/www\/flib\/platform\/graph\/resources\/adaccount\/adimages\/mutators\/GraphAdAccountAdImagesPost.php(136): Arrays::genMapWithKey()\n#7 \/var\/www\/flib\/ads\/api\/graph_base\/GraphAdsWriteWithRedirectBase.php(22): GraphAdAccountAdImagesPost->genImplementation()\n#8 \/var\/www\/flib\/ads\/api\/graph_base\/GraphAdsWriteWithRedirectBase.php(11): GraphAdsWriteWithRedirectBase->genDoCall()\n#9 \/var\/www\/flib\/core\/asio\/gen_utils.php(24): GraphAdsWriteWithRedirectBase->genCall()\n#10 \/var\/www\/flib\/platform\/api\/base\/ApiBaseWithTypedApiData.php(204): genw()\n#11 \/var\/www\/flib\/platform\/api\/base\/ApiBase.php(85): ApiBaseWithTypedApiData->genCallWithApiDataBase()\n#12 \/var\/www\/flib\/platform\/graph\/core\/runner\/GraphApiRunnerBase.php(373): ApiBase->genMakeCall()\n#13 \/var\/www\/flib\/platform\/graph\/core\/GraphRequestProcessorBase.php(629): GraphApiRunnerBase->genCall()\n#14 \/var\/www\/flib\/platform\/graph\/core\/GraphRequestProcessorBase.php(45): GraphRequestProcessorBase->genExecuteSingleGraphRequestCore()\n#15 \/var\/www\/api\/graph\/server.php(168): GraphRequestProcessorBase->genExecuteSingleGraphRequest()\n#16 \/var\/www\/api\/graph\/server.php(174): gen_api_graph_server()\n#17 \/var\/www\/flib\/core\/asio\/Asio.php(35): gen_api_graph_server_wrapper()\n#18 (): Closure$Asio::enterAsyncEntryPoint()\n#19 \/var\/www\/flib\/core\/asio\/Asio.php(37): HH\\Asio\\join()\n#20 \/var\/www\/api\/graph\/server.php(180): Asio::enterAsyncEntryPoint()\n#21 {main}",
    "error_subcode": 1487242,
    "is_transient": false,
    "error_user_title": "Image Resize Failed",
    "error_user_msg": "Image Resize Failed:unknown reason",
    "fbtrace_id": "EN\/o9hmqwZz"
  },
  "__fb_trace_id__": "EN\/o9hmqwZz"
}

Before submitting the report, I tried all the PHP injections, such as ImageTragick. Nothing worked. It was time to report it.

Fixed: they fixed the code internally, as well as the exception handling, which no longer returns any of this data in the response.
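As an added example (my own code, not the author's or Facebook's), here is a check that finds PHP/HHVM stack frames leaked in a JSON error body, alongside the fixed behaviour of stripping them while keeping the trace id for correlation. The sample response is constructed from a few of the frames shown above.

```python
import json
import re

# Constructed sample, trimmed from the leaked response above (3 of its 22 frames).
LEAKY_RESPONSE = json.dumps({"error": {
    "message": "Invalid parameter", "type": "FacebookApiException", "code": 100,
    "error_data": (
        "exception 'Exception' with message 'gen_image_rescale_multi_thrift call to "
        "shrinkImageMulti failed with fbalgo exception: 43 (43: : IDAT: invalid "
        "distance too far back)' in /var/www/flib/resource/filesystem/upload/upload.php:1393\nStack trace:\n"
        "#0 /var/www/flib/resource/filesystem/upload/upload.php(1662): gen_image_rescale_multi_thrift()\n"
        "#1 /var/www/flib/ads/admanager/adupload/adupload.php(252): gen_image_rescale_multi()\n"
        "#2 /var/www/flib/ads/admanager/adupload/AdImageUtils.php(195): _gen_adupload_image_resize()\n"
        "#21 {main}"),
    "error_user_title": "Image Resize Failed", "fbtrace_id": "EN/o9hmqwZz"}})

# One PHP/HHVM stack frame as printed by an uncaught exception: "#N /path/file.php(line): func()"
FRAME_RE = re.compile(r"^#(\d+) (\S+?\.php)\((\d+)\): (.+)$", re.MULTILINE)
# The "... in /path/file.php:line" tail of the exception message itself.
ORIGIN_RE = re.compile(r" in (\S+?\.php):(\d+)(?:\n|$)")

def _strings(node):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _strings(v))

def find_leaked_frames(body):
    """Return (file, line, function) for each stack frame disclosed anywhere in a JSON body."""
    frames = []
    for s in _strings(json.loads(body)):
        frames += [(f, int(n), fn) for _, f, n, fn in FRAME_RE.findall(s)]
    return frames

def scrub_error(body):
    """Fixed behaviour: keep the correlation id, replace any field that carries a trace or path."""
    def scrub(node):
        if isinstance(node, dict):
            return {k: scrub(v) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(v) for v in node]
        if isinstance(node, str) and (FRAME_RE.search(node) or ORIGIN_RE.search(node)):
            return "Image Resize Failed (see fbtrace_id)"
        return node
    return json.dumps(scrub(json.loads(body)))
```

Run find_leaked_frames over your own API's error responses in a test suite; any frame it returns is a case where the exception handler let an internal path reach the client.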

Timeline:

  • 25 Nov, 2017: Initial Report Sent.
  • 28 Nov, 2017: Asked More Details.
  • 28 Nov, 2017: More Payloads, Clarification Sent.
  • 29 Nov, 2017: Acknowledgment of Report.
  • 1 Dec, 2017: Issue Fixed.
  • 6 Dec, 2017: Bounty Awarded by Facebook.

Reference:

  • Information Leakage and Improper Error Handling.
  • Unidentified code injection.