Remote Code Execution in Facebook Messenger

vulnano.com · Dmitry Lukyanenko · 6 months ago · vulnerability
Remote code execution through a vulnerability in Facebook Messenger for Windows (June 2024)

By Dzmitry - September 02, 2025

This short writeup describes a vulnerability found in Facebook Messenger for Windows in June 2024. It was reported during the Meta BountyCon hacking event and helped me to climb to 1st place in the results table.

Messenger bug

Meta introduced encrypted chats between Messenger users. It was possible to select a friend and start an encrypted chat with him (similar to what we can do in Telegram - select a user and start an encrypted chat). I played with Messenger for Android, trying to send attachments to a victim on Windows in an encrypted chat. Because the chat is encrypted, everything is verified on the recipient side: the client app must validate all data received from third parties, and we can catch something interesting there. I sent an attachment with `%2e%2e%5c` symbols in its name, and Messenger for Windows placed my attachment at the following path:

C:\\Users\\vulna\\AppData\\Local\\Messenger\\TamStorage\\media_bank\\AdvancedCrypto\\100027775233281\\persistent\\da7a85eb-aac7-46da-9cba-7a2f38f88e08\\2024\\06\\03\\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2\\..\\test.bat

A path traversal bug which is triggered by sending an encrypted chat message to the victim. If the victim can receive messages from you, you can place a file into any location on the victim's Windows machine via Messenger. No!

Windows path length limitation

Unfortunately, it was not possible to place the file at any location, because Windows has a path length limit - 256 symbols!

C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto\100027775233281\persistent\da7a85eb-aac7-46da-9cba-7a2f38f88e08\2024\06\03\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2\

It is 212 symbols. We have 44 available.
C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto\100027775233281\persistent\da7a85eb-aac7-46da-9cba-7a2f38f88e08\2024\06\03\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2\..\..\..\..\..\..\..\..\..\..\..\ -> C:\Users\vulna\AppData\Local\

244 symbols, only 12 are left. So, we have only 12 symbols and no overwriting of existing files. What can we do? `C:\Users\vulna\AppData\Local\` is a folder with a lot of other apps, for example Viber and Slack.

Making code execution

The solution: DLL hijacking! I read a very interesting article ( https://itm4n.github.io/windows-dll-hijacking-clarified/ ) about DLL hijacking and found that the Viber and Slack apps are vulnerable to this kind of attack. Viber tried (and maybe still tries) to load a `qwave.dll` file from `C:\Users\vulna\AppData\Local\Viber`. This file did not exist in that folder. `..\qwave.dll` - 12 symbols!

Attack steps

Sending a file with the name: `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cViber%5cqwave.dll`

The file goes into `c:\Users\vulna\AppData\Local\Viber\qwave.dll`

When Viber launches, it starts executing `c:\Users\vulna\AppData\Local\Viber\qwave.dll`

Remote code execution without user interaction (if we have the ability to send messages to the victim)!

Report timeline

03.06.2024: Report with the path traversal bug was sent. Meta responded that if you can demonstrate code execution, then it may significantly increase the reward.
05.06.2024: Code execution through Viber was submitted to Meta.
08.08.2024: Reward 34500$
08.08.2024: I sent why I think that the reward does not correlate with the rewards table described on https://bugbounty.meta.com/payout-guidelines/mobile-rce/
23.08.2024: Reward 75000 + bonuses: total amount 111750$

Test environment

Attacker: Pixel Fold, Android 14, security patch level 2024-04-05, fingerprint: google/felix/felix:14/AP1A.240405.002.A1/11583385:user/release-keys, (com.facebook.orca): versionName=459.1.0.57.108.
Victim: Windows 11 Home 22H, 22621.2861, Messenger for Windows v. 212.1.0.15.233

Attack demonstration video

https://youtu.be/wvywPUdTIPA?si=rPCoGAukL80pv5Fw
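As an added example (not code from the writeup, and not Messenger's own implementation), here is a Python model of the missing check beside a hardened version: the peer-supplied attachment name is decoded exactly once, only a bare file name is accepted, and the canonical result is re-checked against the storage folder quoted above. BASE_DIR is the folder from the writeup; the function names are mine, and `flawed_attachment_path` is a hypothetical reconstruction of the behaviour described, not the client's real code.

```python
import ntpath
from urllib.parse import unquote

# Storage folder quoted in the writeup (the sender does not control it).
BASE_DIR = (r"C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank"
            r"\AdvancedCrypto\100027775233281\persistent"
            r"\da7a85eb-aac7-46da-9cba-7a2f38f88e08\2024\06\03"
            r"\20240603T091559605.att.04484a15-4cbf-4a1d-9e65-a48c59dcc7a2")

def flawed_attachment_path(base_dir, encoded_name):
    """Hypothetical model of the bug: the URL-encoded name chosen by the
    peer is decoded and joined onto the storage folder as-is, so any
    '..\\' components walk out of base_dir."""
    return ntpath.normpath(ntpath.join(base_dir, unquote(encoded_name)))

def safe_attachment_path(base_dir, encoded_name):
    """Hardened variant: the peer may only choose a bare file name.
    Decode once, reject anything that is not a single path component,
    then confirm the canonical result is still inside base_dir
    (defence in depth against a later normalisation slip)."""
    name = unquote(encoded_name)
    if name in ("", ".", "..") or name != ntpath.basename(name):
        raise ValueError("attachment name must be a single path component")
    if any(ch in name for ch in '<>:"|?*\x00'):
        raise ValueError("attachment name contains a forbidden character")
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, name))
    if ntpath.commonpath([base, full]) != base:
        raise ValueError("resolved path escapes the attachment directory")
    return full

def is_rejected(base_dir, encoded_name):
    """True when the hardened check refuses the supplied name."""
    try:
        safe_attachment_path(base_dir, encoded_name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # The writeup's file name: eleven '..\' hops, then Viber\qwave.dll.
    viber_name = "%2e%2e%5c" * 11 + "Viber%5cqwave.dll"
    print(flawed_attachment_path(BASE_DIR, viber_name))
    print(is_rejected(BASE_DIR, viber_name), is_rejected(BASE_DIR, "photo.jpg"))
```

`ntpath` applies Windows path semantics on any host, so the check can be exercised on a Linux CI box; `commonpath` compares case-insensitively, matching NTFS.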