lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 Feb 2022 17:54:16 -0600
From: Joey Kelly <joey@...ykelly.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Facebook DNS misconfiguration

On Wednesday, February 9, 2022 12:18:59 PM CST Carlo Di Dato via 
Fulldisclosure wrote:
> Hi everyone,
> I submittet to Facebook a DNS misconfiguration issue. Specifically, the
> following URLs will be resoved as private IP addresses.

nathan:~$ dig dev.facebook.com +short
intern-regional.vvv.facebook.com.
10.110.159.20


It's definitely a leak. They need to learn about BIND views, or the 
equivalent.

--Joey

> 
> dev.facebook.com : A [10.110.151.5]
> hr.facebook.com : A [10.110.199.9]
> prof.facebook.com : A [10.18.4.109]
> tps.facebook.com : A [10.110.159.18]
> interim.facebook.com : A [10.110.151.5]
> nexus.facebook.com : A [192.168.62.201]
> alf.facebook.com : A [192.168.16.27]
> 
> It's something similar to Same Site Scripting, except the resolved URL
> is not 127.0.0.1 but a private IP address.
> You could use them in case of red team activies, for example.
> Imagine this scenario:
> 
> #1 - there's a public, unprotected wi-fi network
> #2 - you are connected to this wi-fi network and your IP is
> 192.168.16.11
> #3 - you could change you IP from 192.168.16.11 to 192.168.16.27
> #4 - you could start a web server with a fake Facebook login page or
> with some malicious file
> #5 - you could invite someone, within the same network, to visit
> "http://alf.facebook.com" or to download an update from
> "http://alf.facebook.com/update.exe"
> 
> Of course, another scenario would be the one in which you create a
> rogue, free wi-fi access point configured to assing 192.168.16.1/24 IPs
> 
> Do you consider this a MITM attack? I'm not 100% sure but Facebook
> stated it is.
> See you!
> 
> Cheers,
> Carlo Di Dato (aka shinnai)
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists