Summary:
When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

Description:
When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”

When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:

Content-Disposition: form-data; name=”attachment”; filename=”cmd.exe”

It was discovered the variable ‘filename’ was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename=”cmd.exe ”

This was enough to trick the parser and allow our executable file to be attached and sent in a message.

Impact:
Potentially allow an attacker to compromise a victim’s computer system.

Affected Products:
www.facebook.com

Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

Credits:
Discovered by Nathan Power
www.securitypentest.com

Execution POC:

Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that-

“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”

Here’s how it works:

Eligibility:
To qualify for a bounty, you must:

• Adhere to our Responsible Disclosure Policy
• Be the first person to responsibly disclose the bug
• Report a bug that could compromise the integrity or privacy of Facebook user data, such as: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Remote Code Injection.
• Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Facebook security team will assess each bug to determine if qualifies.

Rewards:

• A typical bounty is $500 USD
• We may increase the reward for specific bugs
• Only 1 bounty per security bug will be awarded

Exclusions:
The following bugs aren’t eligible for a bounty:

• Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
• Security bugs in third-party websites that integrate with Facebook
• Security bugs in Facebook’s corporate infrastructure
• Denial of Service Vulnerabilities
• Spam or Social Engineering techniques

Sign Up: Facebook Official Bug Bounty Page