CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.
While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called files.fb.com. The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.
An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.
CERT/CC published an advisory on Friday to detail the vulnerabilities found by Tsai in the Accellion File Transfer Appliance. The flaw leveraged by the expert to upload a web shell is a SQL injection (CVE-2016-2351) caused by the improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api”
Another command injection flaw found by Tsai (CVE-2016-2352) is caused by unsafe handling of restricted users utilizing YUM_CLIENT. “This allows a restricted user to execute any command via root permission,” CERT said in its advisory.
The researcher also discovered three cross-site scripting (XSS) vulnerabilities (CVE-2016-2350) in the move_partition_frame.html, getimageajax.php and wmInfo.html web pages.
Finally, Tsai found a couple of local privilege escalation issues (CVE-2016-2353) related to incorrect default permissions.
“By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions,” CERT said.
Accellion patched these security holes with the release of the FTA_9_12_40 update in February. The company told SecurityWeek that it proactively reached out to customers at that time via email and phone to inform them of the vulnerability and the patch.
This was not the first time researchers found vulnerabilities in Accellion’s File Transfer Appliance. Security firm Rapid7 reported in 2010 that it had found several flaws that could have led to a remote root compromise.
In 2015, Rapid7 once again reported discovering flaws in the Accellion product, including file disclosure and remote command execution issues. When he discovered the presence of the Accellion software on Facebook’s server, Tsai attempted to exploit these vulnerabilities, but he determined that they had already been patched in Facebook’s installation.
However, he discovered that the same Facebook server had previously been accessed on at least two other occasions, including once in July 2015, right before Rapid7 disclosed the existence of the bugs. Facebook said another researcher had also been analyzing the server targeted by Tsai.
*Updated with information from Accellion regarding the availability of the patch