Date: Wed, 2 Nov 2011 09:25:18 +1100
From: xD 0x41 <secn3t@...il.com>
To: mutiny <mutiny@...inbeardsucks.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook Attach EXE Vulnerability

Hey, great read,
    very true, there is way too little money in this area, but that's
what I am hoping to change, albeit pinch per punch and company by
company, slowly, if more people turn to some ideals that you must
at least know how to make the exploit and then how to debug it enough,
then to present it appropriately, full-disclosure or no disclosure, it
would work for me on how that first email breaks, if the company sees
me as someone who can offer them help, before I sell the PoC and
instead let blackhats chew away.... or, they can start to learn that
security investment is important; with some luck this won't take
20 years.
I only think, seriously, if the item is NOT open source, and is a
multi-million enterprise, yes that means you too, RedHat RHEL, then the
item is up for scrutiny, since especially with FB it affects us all in
some way, try to tell me that one of your family doesn't use the crap...
even if you don't... so, security would affect me/you/whoever, so why
not scrutinise what we are then left to use, and then bugs come about
like this and others, and worse, if you were to really worm it up then
you could on FB, and probably make tonnes of 'bots' from it, and
believe me that's where there is no shortage of spammers and such who
will use this to make money.... Unfortunately many security
independents, as they're called, have yes indeed taken the one exploit.c
to another level and have now called themselves specialists etc. HDM is
a prime example but, if you look at what he does, he is fuzzing the
shit out of Chrome, he is fuzzing the shit out of everything we use, so
I have to applaud him; he does it silently though, which is a bit
annoying, he could have a better voice than I or you or probably
anyone on the list... I guess slide presentations do take their
toll...
I recall HDM as once active here... it is a pity to see these people now
turn away from it, they are probably sick of trying to do what I am,
which is not going to be easy but, I'm a boxer and I can handle a punch
per punch basis.
Your writeup was good, a lot of thinking has gone into it, and you are
right on all too many levels.
Cheers.
xd



On 1 November 2011 11:54, mutiny <mutiny@...inbeardsucks.com> wrote:
> The main thing is that the security division at facebook probably runs the
> bug hunting page (as with everywhere else, which does make a decent bit of
> sense).  And, if you spot bugs before they do, then that looks bad on them
> (internally at the company and externally to the world).  So, it is not in
> their interest to openly acknowledge your bugs, especially by paying you
> cash money (not to mention, accounting is going to hate them if they see
> bucks leaving the company for any reason, instead of coming in).  Not to
> forget, it is in their interest to downplay your bug to the rest of the
> company and the world (for those same reasons).
>
> If you're doing research /for your own interest/, I recommend maintaining
> full-disclosure.  Embrace the bazaar and burn down the cathedral.
>
> If you're interested in making money, the smart route is through script
> kiddies or whoever (but realize, you'll probably need to go ahead and write
> a reliable exploit, to see any real cash).  Script kiddies (and agents of
> various governments) often have tons of money to throw around to either
> bolster their own image (and eventually get arrested) or make money from
> your bug (especially if you're providing a reliable exploit).  Not to
> mention, the actual damage that will be caused by the majority of these
> "black hats" is nothing compared to what those companies are going to have
> done, before they eventually crash.
>
> You could also monetize your security research by taking an administration,
> research or QA position.  But, too often, you're only ensuring that you'll
> never be interested in any of the work that crosses your desk, ever again.
>
> You'll laugh, if you ever end up taking a "real job" doing security
> research, when you see heads getting butted between research teams and QA
> teams.  Most security companies, for example, do not look at their own
> products (imagine at HP, QA teams for various products would be screaming
> their heads off at Tipping Point, if they went bug hunting in HP products -
> often when it's publicly disclosed, those research teams will *still* stay
> away from it, so the QA teams can tackle it and avoid the headache).
>
> It often feels like the first person to market a firewall/IDS/IPS/etc..
> pulled off the greatest exploitation, of a security vulnerability (and the
> most common/reliable vulnerability, social engineering), of all time.
>
> In short, what your father didn't tell you is: If you're trying to make
> money, by doing *independent* security research, *shop around* for a buyer.
>  (Describe the impact to the buyer, to receive a bid, before releasing
> anything beyond generic details.  If they do not make a serious bid, take
> your ball and go home.  If you have the right friends, or enough spare
> money, involve a lawyer.)
>
> And, most importantly, forget what any of these cunts try to tell you about
> morals or ethics.  They're only pushing their point-of-view on you.  It's
> best to, at least, consider all of the view points and make a decision on
> what works for you/matters to you/etc...  None of these people, including
> myself, can tell you what is morally or ethically wrong.  And, don't let
> them heap shame on you, ever.
>
> Releasing a remote root/system vulnerability (even if you include a reliable
> exploit) to full-disclosure, conspiring with a company/individual to keep
> secrets for X amount of time and selling an exploit to an anonymous bidder
> should add no more weight to your shoulders than you already carry.  Just be
> sure that *you* are happy with your decision.
>
>  - sedition
>
> On 10/31/2011 6:11 PM, xD 0x41 wrote:
>>
>> Oh hey, 3k is great!
>> I saw that they just made it look a bit cheap... no wrath but, it is
>> still a MULTI billion now, dollar company, so they should be trying
>> to make SURE they can outbid ANY underground payers.. that's all I had
>> to question.
>> Thanks for clearing it up, but sure, if they're paying better now that's
>> cool, I should have said too, it is at least a step in the right
>> direction :s  Still, they ARE*** a multi frigging million dollar
>> company lol, so why wouldn't they give say, 1k minimum and make sure
>> they get people more than interested but even fuzzing for bugs which
>> could potentially be in use already... this is something they're not
>> covering at all really with 500 bucks.
>> It is tho, a start...
>> Cheers for clearing up their RCE payout, wow, so they maybe read
>> Google's hall of fame and did it in accordance? Maybe I'm wrong but....
>> this company is not really the same thing as a Google, and I guess a
>> bug on this site would be actually worth 5 million PCs to anyone
>> buying it... I'm just saying, for them being so rich, they could do
>> better, and definitely, the companies who offer nothing should get
>> nothing back, simple, that's why blackhats sometimes are blackhats,
>> they got rooted around trying to help some pig-headed company who makes
>> millions yet will screw you around so badly; you do realise they tried
>> to reproduce the bug YOU made even, in order to _NOT_ pay you shit.
>> Remember that.
>> But then again, you're in their pocket now, and really CAN'T do shit now
>> but say yes sir no sir two bags half fkn full sir.
>> Am I right.
>> cheers tho.
>> FB still sux hairy ones.
>>
>>
>>
>> On 31 October 2011 16:44, Chris Evans <scarybeasts@...il.com> wrote:
>>>
>>> On Sat, Oct 29, 2011 at 2:33 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>
>>>> Bounty, another nice way to say *screw you but here anyhow...*
>>>> I am shocked they offer so little ($500 USD for remote-code injection),
>>>
>>> Actually, it's $500 _or more_. I've lost the reference, but I think
>>> they paid about $3000 for one case. Perhaps an RCE? Anyway, your
>>> assumption is off.
>>>
>>>> one remote code injection bug for FB in a security environment which is
>>>> not white, and may sell the bug for up to more than 5000,
>>>
>>> You can't compare whitehat vs. blackhat programs. In the latter, you
>>> cross moral and legal lines. Most people aren't willing to be such a
>>> dick.
>>>
>>> Perhaps you should reserve your wrath for companies that offer
>>> $fuckall for good bugs? :)
>>>
>>>
>>> Cheers
>>> Chris
>>>
>>>> because if a
>>>> RCE or other was there, something which was 'seadable' or wormable,
>>>> then their bounty should be far higher, because that doesn't even
>>>> match up to what many 0days would sell for.
>>>> If someone had an RCE for this and were to worm it, now that's a million
>>>> dollar botnet... that would be for those who could make from it
>>>> something, and there is no shortage of spammers all too happy to take
>>>> control of 2 million or more PCs...
>>>> That's just one scenario, in which they could lose so much data and
>>>> info, and in exchange offer 500 bucks.
>>>> What a slap in the face, FB should be ashamed of that price and bump
>>>> it up at least for more serious stuff.
>>>> EXE attachment would be medium to high risk, they would be able to now
>>>> patch it, after first they did not acknowledge, but also did not have
>>>> the bounty also... only recently they have added this, with what, a
>>>> crappy 500 bucks, multi million dollar enterprises, which are saved by
>>>> these disclosures, and they are paying a pittance.
>>>> SHAME ON YOU FACEBOOK.COM, Shame...
>>>>
>>>> Welcome to the Shame-Files FB, you're a disgrace to the good people who
>>>> are helping you.
>>>> Nice bug, and, at least you worked with them to reproduce, you realise
>>>> they would have given you 0 $ if they had reproduced this, so again,
>>>> shame on them for only acknowledging this when they failed at
>>>> reproduction.
>>>> That 'bounty' page screams to me of the actual owner's writing, and, I
>>>> bet he even probably hand wrote that, because he is a TIGHT FISTED
>>>> pr**k, someone should put a /blackhat/ folder there, but then, it's
>>>> not worth the time :) (no bug payout rofl...)
>>>> Notice also, D0S is not part of this, well then this would be funny if
>>>> one were to find a 0dayer in FB (ala apache d0s byterange style),
>>>> well don't bother disclosing it, just run it on a loop from their own
>>>> pages, after all, what's the use to disclose such a shitty thing (yes
>>>> this is true it is shitty but, in all cases the same...)
>>>> So summary is, remote code injection or other will get ya $500, but,
>>>> if you go to an UG blackhat site, you might get 5k and up :P
>>>> Cheers and again, thanks for being a good person and helping the
>>>> citizens of FB, really tho, you have probably saved me even 20
>>>> removals from my sister's PC :P
>>>> So, yes, I thank you and FD surely would thank you but, FB don't give a
>>>> damn :P
>>>> If they have anyone on this list who is also in their secteam well,
>>>> you really have a 'suck-ass' bounty, which should be looked over,
>>>> because seriously, what worth would it be to give you anything, when
>>>> it is directly cheaper from websites to buy it, and not have any
>>>> disclosure at all.
>>>> I guess this is something YOU need to ponder, not me, and I'm glad for
>>>> that, and I'm glad again, I don't use the shitty service, and never
>>>> will.
>>>> Enjoy, have a great day!
>>>>
>>>>
>>>>
>>>> On 30 October 2011 05:12, Nathan Power <np@...uritypentest.com> wrote:
>>>>>
>>>>> That was the original program I was participating in.  Facebook has
>>>>> agreed to pay me a bounty for this bug.
>>>>>
>>>>> Nathan Power
>>>>> www.securitypentest.com
>>>>>
>>>>> On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k <ulises2k@...il.com> wrote:
>>>>>>
>>>>>> You know this?  ;)
>>>>>> https://www.facebook.com/whitehat/bounty/
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 28, 2011 at 17:49, Nathan Power <np@...uritypentest.com> wrote:
>>>>>>>
>>>>>>> I would also like to note this vulnerability was reported responsibly
>>>>>>> in regards to full disclosure.
>>>>>>> http://en.wikipedia.org/wiki/Full_disclosure
>>>>>>>
>>>>>>> Nathan Power
>>>>>>> www.securitypentest.com
>>>>>>> On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np@...uritypentest.com> wrote:
>>>>>>>>
>>>>>>>> I was basically told that Facebook didn't see it as an issue and I
>>>>>>>> was puzzled by that. Ends up the Facebook security team had issues
>>>>>>>> reproducing my work and that's why they initially discarded it. After
>>>>>>>> publishing, the Facebook security team re-examined the issue and by
>>>>>>>> working with me they seem to have been able to reproduce the bug.
>>>>>>>>
>>>>>>>> Nathan Power
>>>>>>>> www.securitypentest.com
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pablo@...en.es> wrote:
>>>>>>>>>
>>>>>>>>> Not fixed yet. At least not yesterday when I checked.
>>>>>>>>> Nathan, didn't Facebook ask for some time to fix this bug after
>>>>>>>>> they have acknowledged it?
>>>>>>>>>
>>>>>>>>> Pablo Ximenes
>>>>>>>>> http://ximen.es/
>>>>>>>>> http://twitter.com/pabloximenes
>>>>>>>>> On 27/10/2011, at 19:29, Joshua Thomas <rappercrazzy@...il.com> wrote:
>>>>>>>>>
>>>>>>>>> can't believe such was on FB  .... wahahaha !!! lol ....rofl ...
>>>>>>>>>
>>>>>>>>> When was this discovered and fixed ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power <np@...uritypentest.com> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------------------------
>>>>>>>>>> 1. Summary:
>>>>>>>>>> When using the Facebook 'Messages' tab, there is a feature to
>>>>>>>>>> attach a file.
>>>>>>>>>> Using this feature normally, the site won't allow a user to attach
>>>>>>>>>> an executable file.
>>>>>>>>>> A bug was discovered to subvert this security mechanism. Note,
>>>>>>>>>> you do NOT have to be friends with the user to send them a message
>>>>>>>>>> with an attachment.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------------------------
>>>>>>>>>> Read the rest of this advisory here:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
>>>>>>>>>>
>>>>>>>>>> Enjoy :)
>>>>>>>>>>
>>>>>>>>>> Nathan Power
>>>>>>>>>> www.securitypentest.com
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>
>

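The advisory summary quoted in this thread describes a filter that is supposed to stop executable attachments and a bug that got past it, but the excerpt does not say how. As an added, defender-side example (not code from the advisory, from Facebook, or from anyone in this thread, and not a reproduction of the bug), here is a filename-only check next to a hardened one that normalises the client-supplied name and also looks at the file's first bytes; the extension list, magic-byte list and sample uploads are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Extensions the recipient's OS would execute directly (constructed, not exhaustive).
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi", "dll"}

# Leading bytes of common executable formats (constructed list, not exhaustive).
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe", b"\xcf\xfa\xed\xfe")


def naive_is_blocked(filename: str) -> bool:
    """Filename-only check: trusts the client-supplied name exactly as sent."""
    return filename.rsplit(".", 1)[-1].lower() in EXEC_EXTENSIONS


def normalise_name(filename: str) -> str:
    """Drop path parts, NUL/CRLF, and trailing dots or spaces that Windows strips on save."""
    name = filename.split("\x00", 1)[0]          # nothing after a NUL byte counts
    name = re.sub(r"[\r\n\t]", "", name)          # line breaks do not end the name early
    name = PureWindowsPath(name).name             # remove any / or \ directory components
    return name.rstrip(". ").lower()


def hardened_is_blocked(filename: str, head: bytes) -> bool:
    """Block on the normalised extension OR on executable magic in the first bytes."""
    ext = normalise_name(filename).rsplit(".", 1)[-1]
    return ext in EXEC_EXTENSIONS or head.startswith(EXEC_MAGIC)


# Constructed sample uploads: (client-supplied filename, first bytes of the content).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4"),
    ("setup.exe", b"MZ\x90\x00"),
    ("setup.exe ", b"MZ\x90\x00"),           # trailing space: saved by Windows as setup.exe
    ("photo.jpg", b"MZ\x90\x00"),            # renamed executable behind a harmless name
    ("..\\tools\\run.cmd.", b"@echo off"),   # path components plus a trailing dot
    ("notes.txt", b"just text"),
]


def audit(samples=SAMPLES):
    """Return {filename: (naive verdict, hardened verdict)} for each sample."""
    return {n: (naive_is_blocked(n), hardened_is_blocked(n, h)) for n, h in samples}


if __name__ == "__main__":
    for name, (naive, hard) in audit().items():
        print(f"{name!r:28} naive={naive!s:5} hardened={hard}")
```

The point of the comparison is that the naive check says "allowed" for three of the six samples that the content-aware check rejects; a real service would additionally store attachments with a server-chosen name and a non-executable content type.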
