[Facebook | Aol] Internal ip disclosure that really hurts.

There are a lot of factors who can disclose an internal ip address. All of these factors are groupped in the lowsest vulnerability risk category because they do not expose an organisation at imminent risk. Also, there are a lot of ways that a penetration tester can find an internal ip disclosure. Some of them include source code comments, help documentation and dns resolutions.

The most interesting part about internal ip disclosure is when it comes with an interactive way. A way that a malicious user can use in order to exploit clients' browser and/or deploy phishing attacks.

Imagine internal ip disclosure happening with a very attractive interactive way. Imagine an internal ip disclosure happening with a very attractive domain resolution.


There is a private ip disclosure vulnerability affecting two of facebook subdomains (fb.com). There are public dns records that they disclose internal ip addresses.More specifically, the subdomain accounts.fb.com points to 192.168.57.10 and the chat.fb.com points to 192.168.24.122.

There are two main points about this ip disclosure.

This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further attacks.
Internal ip scheme is very important piece of information that attackers and malicious users may use it to build trojans and do social engineering attacks to the corporate environment.

Other than this, an attacker may conduct a phishing attack on local networks by hosting phishing facebook login pages at '192.168.57.10' and point the users to the already trusted "accounts.fb.com". So, the users will be pointed to the local login page hosted on 192.168.57.10 and the credentials may be stolen. Except phishing attacks, browser exploitation and social engineering are also possible.

The impact of all these actions is getting worse if we add the reputation issues of the attack to the mentioned actions.

Social engineering ideas:

How cool is that new awesome Java Facebook Client?

Another idea:

How cool is to simulate the facebook login process and built a web chat client that will properly work by forwarding the messages from the local server to the facebook servers?

Evil.

Scary.

Reproduction Instructions / Proof of Concept: If we try to resolve the accounts.fb.com and chat.fb.com we are getting the following output:

Note: Public Google dns servers are used to check the dns resolution

nslookup  
> server 8.8.8.8
Default server: 8.8.8.8  
Address: 8.8.8.8#53  
> accounts.fb.com
Server:        8.8.8.8  
Address:    8.8.8.8#53

Non-authoritative answer:  
Name:    accounts.fb.com  
Address: 192.168.57.10  
> chat.fb.com
Server:        8.8.8.8  
Address:    8.8.8.8#53

Non-authoritative answer:  
Name:    chat.fb.com  
Address: 192.168.24.122  

Facebook responded with this:

Thanks for your submission. We don't consider our internal IP space to be a secret and thus do not consider this to be a risk.

Thanks,

Security  
Facebook  

Another internal ip disclosure happens to the subdomain bart.aol.com that points to 172.21.190.201.

Mitigation: While you can use that subdomains to resolve to the internal ips in any internal dns servers, it is preferred to not resolve the internal ips to the public dns servers.

Disclaimer:

Any actions and/or activities related to the material contained within this post is solely your responsibility. The misuse of the information in this post can result in criminal charges brought against the person in question. The author of this lecture will not be held responsible any criminal charges be brought against individuals misusing the information to break the law.