Meta's SparkAR RCE Via ZIP Path Traversal

Hi Everyone, As promised this is the write-up for the Spark AR RCE I discovered a while ago. It started when I stumbled upon an article from the Facebook bug bounty program where they mentioned increased payout for binary reports. 

A vulnerability that results in remote code execution when running a Spark AR effect, either through a bug that exploits the Hermes JavaScript VM or the Spark AR platform directly. Providing a full proof of concept that demonstrates the remote code execution would result in an average payout of $40,000 (including the proof of concept bonus).
This seemed interesting, back then I thought that the increased payout (the $40 K) was for client-side vulnerabilities as well, I was wrong because Facebook said that this payout was for issues that execute directly on their infrastructure but that’s okay because it was fun exploiting this issue.

Enough with the stories, let’s dive into the vulnerability itself, the main issue was a path traversal when parsing arprojpkg files that affected SparkAR Studio.

This post was created with our nice and easy submission form. Create your post!

What do you think?

Posted by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Bypassing CDN WAF's with Alternate Domain Routing

CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability