0
indiansword, Join Date: Oct 2008
Security Expert
I've heard of some XSS bug which was fixed real quick by the Facebook guys; it was the same bug found in Orkut. It was something as follows:

inserting malicious JavaScript into the "captions" of your picture
0
fourthdimension, Join Date: Jan 2009
Ambitious contributor
Quote:
Originally Posted by SpOonWiZaRd View Post
First off, I wasn't talking to the admin, as I have great respect for shabbir. Secondly, a buffer overflow or smashing the stack causes a program to crash or operate incorrectly; the aim is then to inject executable code into the running program and then to try and take control of the process. It is a very old method but it still works on some systems. All I meant by that is to try that with the Facebook server, which is very dangerous in my eyes as you are very likely to get caught. I hope you understand me now?
The aim isn't to inject executable code into the program. It's to overwrite a pointer/return address on the runtime stack so that it points to the memory address where your instructions are stored, so when the program pops its last method/function off the stack, it returns to your instructions and executes them instead of returning to where the method was called from.
Most buffer overflows are used for local privilege escalation, but every now and then they can be exploited remotely on web applications (like what you're talking about) or other connected programs (like P2P clients or internet browsers). They mostly work on programs that were coded in C/C++.
You don't try them on servers themselves. You look for them in applications/OSes the servers are running. Finding a site that uses a web application that is vulnerable to a buffer overflow is pretty rare, so if you meant hack Facebook by a buffer overflow in a web application, you can pretty much forget about it. They'll have all their applications updated. If you meant root their server with a buffer overflow, that's more possible, but incredibly stupid to try without taking many precautions first, and not worth the trouble just to see who viewed your profile.
The best way to hack a social networking site is by using XSS/JS injections in vectors they haven't thought to filter, or social engineer/keylog an admin.

@indiansword, I remember hearing about that. If I'm correct, it was not even a matter of days before it was fixed, but several hundred thousand accounts were still compromised because of it. I wonder how long it would have gone undetected if whoever found it hadn't made it so obvious.
0
indiansword, Join Date: Oct 2008
Security Expert
The person who found it, I think, was probably new to XSS, so experienced users understood it so quickly.

The finder directly put in the script to steal the cookies; instead of that he should have injected an IFRAME and hidden the script and stolen the cookies with it.

If he'd done as I said, then he'd have got the chance to hack many more accounts, and the Facebook people wouldn't even have come to know about it.
0
SpOonWiZaRd, Join Date: May 2007
Know what you can do.
I read at this link http://en.wikipedia.org/wiki/Stack_buffer_overflow that it's possible to inject executable code with a stack buffer overflow... I also heard about that XSS thing and I think it was possible to use Greasemonkey in Mozilla.
0
fourthdimension, Join Date: Jan 2009
Ambitious contributor
Quote:
Originally Posted by SpOonWiZaRd View Post
I read at this link http://en.wikipedia.org/wiki/Stack_buffer_overflow that it's possible to inject executable code with a stack buffer overflow... I also heard about that XSS thing and I think it was possible to use Greasemonkey in Mozilla.
I don't see the idea of injecting executable code anywhere in that article. It just says you inject code that is designed to execute code, which is what I said above.
0
SpOonWiZaRd, Join Date: May 2007
Know what you can do.
Quote:
Originally Posted by fourthdimension View Post
I don't see the idea of injecting executable code anywhere in that article.
This is what I quote from that article: "inject executable code into the running program"

Now I see that as injecting executable code; maybe I have it wrong... Help me onto the right path as to what that means, please. Don't get me wrong, as I came to this site for the purpose of learning.
0
indiansword, Join Date: Oct 2008
Security Expert
I think, as far as Facebook is concerned, there is one more vulnerability while adding some user as a friend, to inject XSS into it. I am not really sure, but I think there is one. I'm in the office so I can't open Facebook right now.
0
fourthdimension, Join Date: Jan 2009
Ambitious contributor
Quote:
Originally Posted by SpOonWiZaRd View Post
This is what I quote from that article: "inject executable code into the running program"

Now I see that as injecting executable code; maybe I have it wrong... Help me onto the right path as to what that means, please. Don't get me wrong, as I came to this site for the purpose of learning.
I see what you mean. The difference is that while injecting executable code by way of writing past an array can be done, it is not essential to the process, and you still need to overwrite the return address of the current method to point back to that executable code in order for it to run. In general, all you need to do in order to declare a buffer overflow is overwrite that address to point to whatever you want. For instance, you can make it point to code or a shell script you've got somewhere else on the box (assuming the vulnerable program is written in a language like C so it can access any memory address it's pointed to) and you'll still have a working bof exploit. That's why I said injecting executable code wasn't the goal of a buffer overflow. It's just a way of using a buffer overflow, not an essential component of one. Sorry if I wasn't very clear earlier.
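The mechanism fourthdimension describes in this post and in the earlier one (an unchecked write past a fixed-size local buffer runs into the saved frame pointer and then the return address, and a bounds check is what stops it) is shown below as an added example; it is not code from the original thread or from any of the posters. The frame is a struct that mimics the classic stack layout rather than a real call frame, so it runs deterministically on any platform without stack canaries, NX or ASLR getting in the way. The addresses LEGIT_RETURN, LEGIT_FP and the 0x41414141 target are made-up constants for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A simulated stack frame. Layout mirrors the classic picture: the local
 * buffer sits at the lowest address, then the saved frame pointer, then
 * the return address the function jumps to on `ret`. A real compiler may
 * add padding or a stack canary; this struct is an illustration only
 * (assumption for this example, not a real frame). */
struct frame {
    char      buf[16];
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Made-up addresses standing in for the caller and its frame pointer. */
#define LEGIT_RETURN ((uintptr_t)0x08048abc)
#define LEGIT_FP     ((uintptr_t)0xbffff000)

/* Vulnerable copy: no length check, like strcpy()/gets() into a fixed buffer.
 * The frame is addressed as raw bytes so that writing past buf is the same
 * operation a real overflow performs on the real stack. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t n)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    memcpy(dst, in, n);        /* n > sizeof f->buf clobbers saved_fp/ret_addr */
}

/* Hardened copy: refuses input that would not fit, so the write stays in buf. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof f->buf)
        return -1;             /* reject rather than silently truncate */
    memcpy(f->buf, in, n);
    return 0;
}

/* Build the classic payload: filler up to the return-address slot, then the
 * attacker-chosen address in the CPU's native byte order. */
static size_t build_payload(unsigned char *out, uintptr_t target)
{
    size_t off = offsetof(struct frame, ret_addr);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* What ret_addr holds after an unchecked copy of an oversized input. */
uintptr_t ret_after_unchecked(uintptr_t target)
{
    struct frame f = { {0}, LEGIT_FP, LEGIT_RETURN };
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, target);
    copy_unchecked(&f, payload, n);
    return f.ret_addr;         /* now equals target: control of `ret` */
}

/* What ret_addr holds after the bounded copy sees the same input. */
uintptr_t ret_after_checked(uintptr_t target)
{
    struct frame f = { {0}, LEGIT_FP, LEGIT_RETURN };
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, target);
    copy_checked(&f, payload, n);
    return f.ret_addr;         /* still LEGIT_RETURN */
}

/* 1 if the bounded copy rejects the oversized input, 0 otherwise. */
int checked_copy_rejects(uintptr_t target)
{
    struct frame f = { {0}, LEGIT_FP, LEGIT_RETURN };
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, target);
    return copy_checked(&f, payload, n) != 0;
}

int main(void)
{
    uintptr_t evil = (uintptr_t)0x41414141;   /* where the attacker wants `ret` to go */
    printf("ret_addr lies %zu bytes past the start of buf\n",
           offsetof(struct frame, ret_addr) - offsetof(struct frame, buf));
    printf("unchecked copy: ret_addr = 0x%lx\n",
           (unsigned long)ret_after_unchecked(evil));
    printf("checked copy:   ret_addr = 0x%lx (rejected=%d)\n",
           (unsigned long)ret_after_checked(evil), checked_copy_rejects(evil));
    return 0;
}
```

Compile with `cc -Wall -O0 bof.c` and run it. The point fourthdimension makes is visible in the two functions: nothing in the payload needs to be executable for the overflow to succeed; what matters is that the bytes landing on ret_addr are an address the attacker chose, whether that points at injected bytes, at an existing function, or anywhere else. On a real stack, modern toolchains add a canary before the saved frame pointer (-fstack-protector), mark the stack non-executable, and randomise addresses, which is why the simple "overflow, then return into your own bytes" picture rarely works unmodified today; the struct sidesteps all of that so the layout can be studied safely.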
0
SpOonWiZaRd, Join Date: May 2007
Know what you can do.
I found something new just now; you can read about it at http://infosecurity.us/?p=4928. I don't know if the vulnerability has been fixed...
0
fourthdimension, Join Date: Jan 2009
Ambitious contributor
Nice find. December of '08? Not valid anymore. Facebook usually fixes holes within a few days of their discovery.