A critical remote code execution vulnerability in a Facebook server was recently patched after security researcher Daniel ‘Blaklis’ Le Gall reported it using a proof-of-concept.
The vulnerability was found in an unstable Sentry service – a cross-platform application capable of collecting logs and debugging Python apps – written in Python with the Django library. Occasional crashes of the application revealed that Django's debug mode had not been turned off: the resulting stack traces disclosed the session cookie name, the application's configured options, and the session serializer in use (Pickle).
While the secret key Django uses to sign session cookies did not appear directly in the stack trace, the researcher found an options list in which one key (system.secret-key) had not been snipped from the output.
“However, the SENTRY_OPTIONS list contains a key named system.secret-key, that is not snipped,” wrote Le Gall. “Quoting the Sentry documentation, system.secret-key is ‘a secret key used for session signing. If this becomes compromised it’s important to regenerate it as otherwise its much easier to hijack user sessions.’ Wow, it looks like it’s a sort of Django SECRET-KEY override!”
With the signing key in hand, the researcher was able to forge a validly signed session cookie carrying a Pickle payload in place of the legitimate Sentry cookie; when the server unpickled it, the payload ran arbitrary code on the server. The proof-of-concept planted a 30-second delay when loading the page.
“This code is a simple proof of concept; it takes the content of an existing sentrysid cookie, and replaces its content with an arbitrary object that will run a `os.system("sleep 30")` when unserialized,” wrote Le Gall. “When using this cookie, the page actually takes an additional 30 seconds to load, which confirms the presence of the flaw.”
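The three conditions that combined here (debug mode left on, the Pickle session serializer, and a signing key rendered in debug output) are all checkable from configuration. The following is an added example, not code from the researcher or from Sentry, that audits a settings dict for those conditions and shows why the JSON session serializer closes the code-execution path: it refuses arbitrary objects where Pickle accepts them. The `SENTRY_OPTIONS` dict and the `_Marker` class are constructed for the example.

```python
import json
import pickle

# Serializer paths as spelled in Django settings.
PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"


def audit_session_settings(settings: dict) -> list:
    """Return a finding for each of the conditions in the article:
    DEBUG enabled, Pickle as the session serializer, and a secret in an
    options dict that a debug traceback would render."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is on: tracebacks expose settings and cookie details")
    if settings.get("SESSION_SERIALIZER", JSON_SERIALIZER) == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER is Pickle: anyone holding the signing "
                        "key can execute code when the session is unpickled")
    # Constructed options dict mirroring the SENTRY_OPTIONS list in the article.
    for name, value in settings.get("SENTRY_OPTIONS", {}).items():
        if "secret" in name.lower() and value:
            findings.append(f"{name} is set in SENTRY_OPTIONS: rotate it and "
                            "keep it out of any debug output")
    return findings


def session_serializer_accepts(serializer: str, obj) -> bool:
    """True if the named serializer will encode obj for a session cookie.
    JSON carries plain data only; Pickle also carries arbitrary objects,
    which is what turns a leaked signing key into code execution."""
    try:
        if serializer == PICKLE_SERIALIZER:
            pickle.dumps(obj)
        else:
            json.dumps(obj)
        return True
    except TypeError:
        return False


class _Marker:
    """Constructed stand-in for 'an arbitrary object' placed in a session."""


if __name__ == "__main__":
    vulnerable = {"DEBUG": True, "SESSION_SERIALIZER": PICKLE_SERIALIZER,
                  "SENTRY_OPTIONS": {"system.secret-key": "constructed-example-key"}}
    for finding in audit_session_settings(vulnerable):
        print("-", finding)
    print(session_serializer_accepts(PICKLE_SERIALIZER, _Marker()))  # True
    print(session_serializer_accepts(JSON_SERIALIZER, _Marker()))    # False
```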
While threat actors could have used the vulnerability to steal data, the researcher said no user data was on the server or exposed by the vulnerability.
The issue was reported to Facebook on July 30th, and a patch followed on August 9th. The server was taken offline until the patch was deployed, and the researcher was awarded a $5,000 bug bounty.