1. Hacking The World With Flash: Analyzing Vulnerabilities in Flash and the Risk of Exploitation
   - OWASP 29/2008
   - Paul Craig
   - Security-Assessment.com
2. Who Am I?
   - Paul Craig, Principal Security Consultant, Security-Assessment.com
     - Author, hacker, active security researcher.
   - My Role
     - Application Penetration Tester
     - "I break the crack-headed ideas of developers.."
   - Comments, Questions, Feedback?
     - Email: [email_address]
3. Overview
   - "Wow, Macromedia/Adobe Flash is everywhere on the internet!"
     - YouTube, FaceBook, MySpace, CNN, Ebay, etc.
     - I wonder, do internet users implicitly trust Flash content?
   - The Litmus Test: My Wife, Kim.
     - If I sent you a link to funnygame.exe, would you run it? "Nope."
     - How about funnygame.swf? "I would probably open that"
     - Flash is considered harmless: "It's a funny game or joke"
   - My Questions:
     - What are the incurred risks of running Flash content?
     - How easily can Flash be used as an attack vector?
     - Probability of getting pwned through a malicious SWF?
4. Who Why How What of Flash
   - Everything you wanted to know about Flash:
     - Began as FutureSplash Animator (FutureWave Software); Macromedia acquired it in 1996 and shipped it as Macromedia Flash.
     - Macromedia was purchased by Adobe in 2005 ($3.4 billion!)
   - Flash logic is developed in ActionScript
     - Based on ECMAScript, so it looks and behaves much like JavaScript.
   - The ActionScript API is segregated into two streams.
     - Web Flash content:
       - ActionScript executed by a browser plug-in/ActiveX control.
       - Reduced-functionality API, no access to host functionality.
     - Standalone Flash:
       - Compiled PE executables ("projectors") with an embedded ActionScript player, or a .SWF played by the local standalone Flash Player.
       - Larger, more complete API, with access to host functionality.
5. Who Why How What of Flash
   - ActionScript grew out of a feature of Flash 4 (1999).
   - Flash 4 'Actions' (macros) expanded into ActionScript v1 in Flash 5.
     - JavaScript-like language with simple functionality.
     - Un-enforced variable type system.
     - Simple API for graphical manipulation.
     - Prototype-based programming (no class support).
     - Only 60% of the API documented.
   - ActionScript v2, 2003-2006
     - Flash is being used for complex applications!
     - Developers demanded more functionality.
     - Compile-time type checking implemented, strict variable typing.
     - Object-oriented programming support.
     - Flash begins to appear 'everywhere'.
6. Who Why How What of Flash
   - ActionScript v3, 2006-Today
     - Compile-time and runtime type validation.
     - Support for packages, namespaces and regular expressions.
     - JIT compilation in the new Flash virtual machine (AVM2).
     - Binary sockets (connect to a port, send/retrieve data).
     - 10% of the API is still undocumented!
   - ActionScript has matured into a flexible, powerful language.
     - Supported by 850 million internet-connected desktops.
     - Cross-platform (Windows, OS X, Linux, HP-UX, PPC).
   - "I would probably open that"
     - "I probably shouldn't, aye"
7. Who Why How What of Flash
   - Flash is a powerful attack vector.
     - 850 million devices which support a language (ActionScript).
     - Language first developed by Macromedia, and now Adobe.
       - Vast history of Adobe/Macromedia security issues.
       - Adobe Acrobat exploit, anyone?
   - ActionScript is complex.
     - Grown immensely, very quickly.
     - Quickly implemented features tend to contain bugs and exploits.
     - Do Adobe follow a decent secure coding methodology?
     - Adobe make desktop apps like Photoshop; do they take internet security seriously?
   - The Flash plug-in is critical browser infrastructure.
     - One zero-day in Flash: 850 million exploitable devices.
8. Exploits in Flash
   - Golden Rules of Security:
     - #1 – Software developers always make mistakes.
     - #2 – Mistakes get exploited.
     - #3 – Developers tend to make the SAME mistake more than once.
     - #4 – See #1.
   - A History of Flash Exploits (2001-2008)
     - Look for common trends in Flash exploits over the last 7 years.
     - Predict the future of Flash security: what will 2008 bring?
     - Likelihood of malicious Flash content.
     - Find new vulnerabilities in Flash.
       - Same bug, different section of Flash.
9. Exploits in Flash
   - 2002: First Major Flash Security Advisories
     - Standalone Macromedia Flash Player 5.0 allows remote attackers to save arbitrary files and programs via a .SWF file containing the undocumented "save" FSCommand. (CVE-2002-0476)
     - Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote attackers to execute arbitrary programs via a .SWF file containing the "exec" FSCommand. (CVE-2002-0477)
     - Undocumented API functionality to write, or execute, a file:
       - FSCommand("exec", "rundll user.exe,exitwindows");
       - FSCommand("save", "C:\filename.txt")
     - The "exec" and "save" commands are only honoured by the standalone player; in the browser plug-in, FSCommand just hands the string to the hosting page's JavaScript.
     - Web browser unaffected.
10. Exploits in Flash
   - Flash ActiveX v6.0.23 Parameter Stack Overflow (CVE-2002-0605)
     - Long 'movie' tag parameter.
     - <param name=movie value="AAAAAAAAAAAAAAAAAAAA....">
   - Heap overflow via malformed 'length' in the SWF header (CVE-2002-0846)
     - The SWF header contains a 'length' value for the .SWF file.
     - Declare a length shorter than the actual .SWF data: malloc() is sized from the header, the copy is sized from the data, and the heap buffer overflows.
     - User-supplied value un-validated and used directly in memory allocation!
   - Multiple overflows through malformed SWF headers (CVE-2002-1382)
     - Three SWF header values vulnerable to memory corruption.
     - Same bug, different variable, three months later.
     - Flash appears to rely on user-supplied values for memory length calculations.
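The header-length bug on this slide, as an added example (not code from the deck or from Adobe): a small C parser for the uncompressed SWF header that shows the trusting allocation beside a version that checks every file-derived size against the bytes actually present. The sample SWF bytes are constructed for the example; the field layout (FWS/CWS signature, version, little-endian FileLength, FrameSize RECT with a 5-bit Nbits, frame rate, frame count) follows the SWF file format specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of the SWF header (SWF file format specification, "The header"). */
typedef struct {
    int      compressed;   /* 1 for CWS, 0 for FWS */
    uint8_t  version;
    uint32_t file_length;  /* declared length of the whole (uncompressed) file */
    uint8_t  rect_nbits;   /* bit width of the four FrameSize RECT fields */
    size_t   rect_bytes;   /* bytes occupied by the RECT */
    uint16_t frame_rate;   /* 8.8 fixed point */
    uint16_t frame_count;
} swf_header;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* The 2002 pattern: read FileLength from the header and use it directly as the
   allocation size, never comparing it with the data actually received. Returns
   that size so the caller can see the heap buffer being sized by the attacker. */
size_t swf_trusting_alloc_size(const uint8_t *buf, size_t len) {
    if (len < 8) return 0;
    return le32(buf + 4);
}

/* Hardened parse: every length or width read from the file is checked against
   the bytes present before it is used. Returns 0 on success, -1 on rejection. */
int swf_parse_header(const uint8_t *buf, size_t len, swf_header *out) {
    if (buf == NULL || out == NULL || len < 8) return -1;
    memset(out, 0, sizeof *out);
    if (memcmp(buf, "FWS", 3) == 0) out->compressed = 0;
    else if (memcmp(buf, "CWS", 3) == 0) out->compressed = 1;
    else return -1;
    out->version = buf[3];
    out->file_length = le32(buf + 4);
    if (out->compressed) {
        /* FileLength is the uncompressed size: it must at least cover the header
           and is the cap to enforce while inflating the zlib body. */
        return out->file_length >= 8 ? 0 : -1;
    }
    if (out->file_length != len) return -1;  /* declared != actual: reject */
    if (len < 9) return -1;                  /* no RECT byte present */
    /* FrameSize RECT: 5-bit Nbits, then Xmin/Xmax/Ymin/Ymax of Nbits bits each. */
    out->rect_nbits = buf[8] >> 3;
    out->rect_bytes = (5 + 4 * (size_t)out->rect_nbits + 7) / 8;
    if (8 + out->rect_bytes + 4 > len) return -1;  /* header truncated */
    out->frame_rate  = le16(buf + 8 + out->rect_bytes);
    out->frame_count = le16(buf + 8 + out->rect_bytes + 2);
    return 0;
}

/* Constructed 23-byte FWS: version 6, 15-bit RECT (9 bytes), 12 fps, 1 frame, End tag. */
static const uint8_t good_swf[] = {
    'F','W','S', 6,  23,0,0,0,
    0x78,0,0,0,0,0,0,0,0,          /* RECT, Nbits = 15 */
    0x00,0x0C,                     /* frame rate 12.0 (8.8 fixed, little-endian) */
    0x01,0x00,                     /* frame count 1 */
    0x00,0x00                      /* End tag */
};
/* Same bytes, but FileLength claims 16: the CVE-2002-0846 shape. */
static const uint8_t short_len_swf[] = {
    'F','W','S', 6,  16,0,0,0, 0x78,0,0,0,0,0,0,0,0, 0x00,0x0C, 0x01,0x00, 0x00,0x00
};
/* Honest FileLength (10) but Nbits = 31 promises a 17-byte RECT that is not there. */
static const uint8_t truncated_swf[] = { 'F','W','S', 6, 10,0,0,0, 0xF8,0 };

int main(void) {
    swf_header h;
    int rc = swf_parse_header(good_swf, sizeof good_swf, &h);
    printf("good: rc=%d version=%u nbits=%u fps=%u.%u frames=%u\n", rc, h.version,
           h.rect_nbits, h.frame_rate >> 8, h.frame_rate & 0xff, h.frame_count);
    rc = swf_parse_header(short_len_swf, sizeof short_len_swf, &h);
    size_t trusted = swf_trusting_alloc_size(short_len_swf, sizeof short_len_swf);
    printf("short length: hardened rc=%d, trusting player would malloc(%zu) for %zu bytes\n",
           rc, trusted, sizeof short_len_swf);
    printf("truncated RECT: rc=%d\n", swf_parse_header(truncated_swf, sizeof truncated_swf, &h));
    return 0;
}
```

The rule the hardened parser applies is the one every later SWF header bug on these slides violates in some form: a size read from the file is a claim, not a fact, and is only usable after it has been checked against the bytes actually in hand.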
11. Exploits in Flash
   - Bypass Same Domain Policy (CVE-2002-1467)
     - Read arbitrary files from disk using Flash.
     - Flash security prohibits .SWF content from one site accessing content from another, but:
       - Flash will follow a 302 HTTP redirect to file://
       - A "file://" base in a web document is honoured.
   - Flash Denial of Service (CVE-2002-1625)
     - Flash Player 6 never terminates a connection to a remote website when using:
       - loadMovie()
       - loadSound()
     - First Flash DoS tool: loadMovie("http://www.blah.com") in a loop.
     - Dumb mistakes...
12. Exploits in Flash
   - 2003: First Flash Cross-Site Scripting Bug
     - XSS vulnerability in the Macromedia Flash ad user-tracking capability.
     - Allows remote attackers to insert arbitrary JavaScript via the clickTAG field.
     - clickTAG is a URL the ad network passes to the banner SWF; when the banner is clicked it calls getURL(clickTAG), so the network can record the click before sending the user on.
     - http://www.example.com/victim.swf?clickTag=http://adnetwork.com/tracking?example.com
     - http://www.example.com/victim.swf?clickTag=javascript:alert('aaa');
     - The javascript: URL runs in the context of the page embedding the banner, not the ad network's.
     - Flash developers appear to be unaware of cross-site scripting.
     - Basic XSS attack vector, nothing fancy here..
     - Quick pre-release code analysis would have found this.
     - Or a secure coding methodology...
13. Exploits in Flash
   - Flash v6 ActiveX Malformed SWF Header (CVE-2005-2628)
     - Malformed SWF header with a modified frame type identifier.
     - Flash still fails to validate the SWF file format.
     - Now 3 years after the original .SWF file format bug was found.
   - Multiple unspecified vulnerabilities in Adobe Flash Player (CVE-2006-0024)
     - 'Remote attackers able to execute arbitrary code via a specially crafted SWF file.'.. And again..
   - Stack overflow in Adobe Flash Player (CVE-2006-3311)
     - Execute arbitrary code via a long, dynamically created string in a SWF movie.
     - Stack overflow in the ActionScript 2 API.
14. Exploits in Flash
   - Malformed SWF file in Flash 8.0.24 (CVE-2006-3587)
     - Malformed .SWF file causes memory access violations.
     - More malformed Flash..
   - Malformed SWF file vulnerability in Flash (CVE-2006-3588)
     - Allows remote attackers to cause a browser crash via a malformed, compressed .SWF file.
   - Flash ActiveX Flash8b.ocx Browser Crash
     - Long string in the Flash8b.AllowScriptAccess method.
     - Second Flash ActiveX method to contain a stack overflow.
15. Exploits in Flash
   - CRLF injection vulnerability in Flash Player 9.0.16 (CVE-2006-5330)
     - Remote attackers can modify HTTP headers of client requests and conduct HTTP request splitting attacks via CRLF injection in ActionScript functions (%0D%0A below stands for a raw CR LF inside the string):
       - XML.addRequestHeader("aa%0D%0AFoo: bar");   // adds header Foo: bar
       - XML.contentType = "aa%0D%0AFoo: bar";       // adds header Foo: bar
     - Flash does not validate user-supplied content for CRLF.
     - Flash does not have any special-character blacklist.
     - Special chars and binary data are often accepted.
   - Malformed SWF file in Adobe Flash Player (CVE-2007-0071)
     - Allows remote attackers to execute arbitrary code via unknown vectors related to "input validation errors."
     - Another SWF with a modified value used without validation; this is the bug Mark Dowd later weaponised (slide 19).
16. Exploits in Flash
   - Insufficient input validation allows CSRF (CVE-2007-3457)
     - Flash insufficiently validates HTTP Referer headers for CRLF. (AGAIN!)
     - Allows remote attackers to conduct a CSRF attack via a crafted SWF file.
     - 2nd CRLF bug, 2nd HTTP Referer bug!
   - Flash Player 9.0.48 HTTP Request Splitting Attack (CVE-2007-6245)
     - Remote attackers can modify HTTP headers for client requests and conduct HTTP request splitting attacks.
     - 3rd CRLF bug, 3rd header bug.
   - Flash Player Malformed SWF File (CVE-2007-6019)
     - Improper object instantiation allows remote code execution.
     - Modified DeclareFunction2 ActionScript tag.
     - Access an object before it was properly instantiated.
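Slides 15 and 16 describe the same defect three times: a caller-supplied header value concatenated into the request without a check for CR/LF. As an added example (not the deck's code or Adobe's), the C below shows a naive header append next to one that validates the field name as an RFC 2616 token and rejects CR, LF and other control characters in the value; a line counter makes the injected header visible as an extra line in the naive case. The request text is constructed for the example, with the slide's aa%0D%0AFoo: bar decoded into a real CR LF.

```c
#include <stdio.h>
#include <string.h>

/* Append "name: value\r\n" with no validation: the shape of the bug behind
   CVE-2006-5330 and CVE-2007-6245. Returns 0, or -1 if the buffer is too small. */
int naive_add_header(char *req, size_t cap, const char *name, const char *value) {
    size_t used = strlen(req);
    if (used >= cap) return -1;
    int n = snprintf(req + used, cap - used, "%s: %s\r\n", name, value);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* RFC 2616 token character: visible US-ASCII that is not a separator. */
static int is_token_char(unsigned char c) {
    if (c <= 0x20 || c >= 0x7f) return 0;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* A header name must be a non-empty token. */
int header_name_is_valid(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    for (; *name; name++)
        if (!is_token_char((unsigned char)*name)) return 0;
    return 1;
}

/* A header value may hold printable characters, SP, HTAB and bytes >= 0x80.
   CR and LF (which would end the line or begin a new header), NUL and the
   other C0 controls, and DEL are rejected. */
int header_value_is_valid(const char *value) {
    if (value == NULL) return 0;
    for (; *value; value++) {
        unsigned char c = (unsigned char)*value;
        if (c == '\r' || c == '\n' || c == 0x7f) return 0;
        if (c < 0x20 && c != '\t') return 0;
    }
    return 1;
}

/* Validate first, then append: one call can only ever add one header line. */
int safe_add_header(char *req, size_t cap, const char *name, const char *value) {
    if (!header_name_is_valid(name) || !header_value_is_valid(value)) return -1;
    return naive_add_header(req, cap, name, value);
}

/* Number of CRLF-terminated lines in the request: one per header. */
size_t count_lines(const char *req) {
    size_t n = 0;
    for (const char *p = strstr(req, "\r\n"); p != NULL; p = strstr(p + 2, "\r\n")) n++;
    return n;
}

int main(void) {
    /* Constructed request prefix; the injected value carries a real CR LF. */
    char req[256] = "GET / HTTP/1.1\r\nHost: example.com\r\n";
    naive_add_header(req, sizeof req, "X-Test", "aa\r\nFoo: bar");
    printf("naive: %zu lines, injected header present: %s\n", count_lines(req),
           strstr(req, "\r\nFoo: bar\r\n") ? "yes" : "no");

    char req2[256] = "GET / HTTP/1.1\r\nHost: example.com\r\n";
    int rc = safe_add_header(req2, sizeof req2, "X-Test", "aa\r\nFoo: bar");
    printf("safe: rc=%d, %zu lines\n", rc, count_lines(req2));
    return 0;
}
```

The check is an allowlist on the value's character set rather than a search for the two-byte sequence, so a lone CR or LF, a NUL that would truncate the string in a C-based sender, and the other control characters the slide notes Flash accepted are all refused at the API boundary.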
17. Exploits in Flash
   - Multiple Cross-Site Scripting Vulnerabilities in Flash ActiveX 9
     - Remote attackers can inject arbitrary web script or HTML via:
       - navigateToURL(), the asfunction: pseudo-protocol
     - navigateToURL takes two arguments: the URL and the target browser frame.
     - navigateToURL accepts javascript: URIs and arbitrary browser frames.
     - JavaScript executes in the security context of the named frame!
     - Should execute in the security context of the page that embedded the SWF!
       - evil.swf advert located on myadverts.co.nz is served on mybank.co.nz
       - JavaScript within evil.swf can execute in the context of mybank.co.nz
       - All your money is belong to me?
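Slides 12 and 17 are the same failure seen from two sides: a URL from an untrusted source handed to getURL()/navigateToURL() without a scheme check. As an added example (not from the deck or from Adobe), here is the allowlist check in C that a banner SWF should apply to clickTAG before navigating: only absolute http:// and https:// URLs pass, the scheme comparison is case-insensitive, control characters and whitespace are rejected anywhere, and a host check defeats the http://adnetwork.com@evil.example/ trick. The host names are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix". */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* 1 if url is an absolute http:// or https:// URL with something after the
   scheme, else 0. This is an allowlist: javascript:, vbscript:, asfunction:,
   data:, scheme-relative "//" and anything unexpected are rejected by default.
   Control characters and whitespace are rejected anywhere because browsers
   strip them while parsing a scheme, so " java\tscript:" is still javascript:. */
int url_scheme_allowed(const char *url) {
    static const char *const allowed[] = { "http://", "https://" };
    if (url == NULL) return 0;
    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f) return 0;
    }
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        size_t n = strlen(allowed[i]);
        if (starts_with_ci(url, allowed[i]) && url[n] != '\0') return 1;
    }
    return 0;
}

/* Copy the lowercased host of an absolute URL into out. The host is the part of
   the authority after the last '@' (so http://good.example@evil.example/ yields
   evil.example) and before any ':port'. IPv6 literals are not handled.
   Returns 1 on success, 0 if there is no host or it does not fit. */
int url_host(const char *url, char *out, size_t cap) {
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p += 3;
    size_t alen = strcspn(p, "/?#");          /* authority length */
    const char *start = p;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') start = p + i + 1;
    size_t hlen = 0;
    while (start + hlen < p + alen && start[hlen] != ':') hlen++;
    if (hlen == 0 || hlen >= cap) return 0;
    for (size_t i = 0; i < hlen; i++) out[i] = (char)tolower((unsigned char)start[i]);
    out[hlen] = '\0';
    return 1;
}

/* What a banner SWF should do with clickTAG: navigate only if the scheme is
   allowed and the host is the ad network's tracking host. */
int clicktag_allowed(const char *url, const char *expected_host) {
    char host[256];
    if (!url_scheme_allowed(url)) return 0;
    if (!url_host(url, host, sizeof host)) return 0;
    return strcmp(host, expected_host) == 0;
}

int main(void) {
    const char *samples[] = {
        "http://adnetwork.com/tracking?example.com",   /* constructed tracking URL */
        "javascript:alert('aaa');",
        " javascript:alert(1)",
        "http://adnetwork.com@evil.example/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-44s -> %s\n", samples[i],
               clicktag_allowed(samples[i], "adnetwork.com") ? "navigate" : "refuse");
    return 0;
}
```

Checking for a leading "http" alone is not enough: the frame-targeting bug on slide 17 is reached through the same API, and any scheme the check does not name (including a javascript: URL hidden behind leading whitespace or mixed case) must fall through to the refusal.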
18. Exploits in Flash
   - Interaction error between Adobe Flash and UPnP services (CVE-2008-1654)
     - Flash can be used to send SOAP XML requests to arbitrary addresses, including internal addresses.
     - How about reconfiguring your modem using SOAP over un-authenticated UPnP functionality?
   - Example: http://www.gnucitizen.org/blog/hacking-the-interwebs/
     - "Exploiting the BT Home Hub with Flash"
     - Reconfiguring the BT Home Hub's primary DNS server remotely through the Flash player, over UPnP.
   - 2Wire modem DDoS virus
     - Reconfigure the modem to send 10,000 'test' pings to www.cnn.com
   - Flash lacks cohesive security 'zones' and network sandboxing.
19. Exploits in Flash
   - Mark Dowd – Weaponised Flash NULL Pointer Attack.
     - 25-page paper on exploiting Flash (worth reading, if you're into it)
       - http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
       - 'The Inhuman Flash Exploit'
     - Un-validated user-supplied value (the scene count of a DefineSceneAndFrameLabelData tag, the CVE-2007-0071 bug) used as the memory allocation size.
     - NULL pointer returned when the allocation size is greater than 2 GB; the player carries on instead of failing.
     - Returned value + user-supplied offset used in a memory write, i.e. a write to an attacker-chosen address.
     - Append malicious ActionScript byte code to valid Flash byte code.
     - Bypass the internal Flash verifier.
     - Native code execution inside the ActionScript VM.
     - Internet Explorer, Firefox, Vista, XP = owned.
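The write primitive on this slide, as an added example (not Dowd's code or Adobe's): a C model of the bug class. Addresses are indices into a small array standing in for a 32-bit process, index 0 plays the role of NULL, and the allocator returns NULL instead of aborting when a request cannot be satisfied, as in the real bug. The vulnerable store uses the returned pointer plus a file-supplied index without checking either, so a failed allocation turns the index into an absolute address; the hardened store fails closed and bounds the index. All sizes and addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  65536u      /* size of the modelled address space */
#define HEAP_BASE 0x4000u     /* where the modelled heap starts */
#define REJECTED  0xFFFFFFFFu /* returned when a store is refused */

static uint8_t  mem[MEM_SIZE];          /* stand-in for process memory */
static uint32_t heap_top = HEAP_BASE;

void model_reset(void) { memset(mem, 0, sizeof mem); heap_top = HEAP_BASE; }
uint8_t model_peek(uint32_t addr) { return addr < MEM_SIZE ? mem[addr] : 0; }

/* Bump allocator that, like the allocator in Dowd's case, hands back NULL (0)
   rather than aborting when the request cannot be satisfied, for example a
   size above 2 GB produced from a sign-flipped count. */
uint32_t model_alloc(uint32_t size) {
    if (size == 0 || size > 0x7FFFFFFFu) return 0;
    if (size > MEM_SIZE - heap_top) return 0;
    uint32_t base = heap_top;
    heap_top += size;
    return base;
}

/* Vulnerable: size and index both come from the file; neither the allocation
   result nor the index is checked. When the allocation fails, base is 0 and
   the byte lands at mem[index], an attacker-chosen absolute address.
   Returns the address written. */
uint32_t vulnerable_store(uint32_t size, uint32_t index, uint8_t value) {
    uint32_t base = model_alloc(size);        /* may be 0 (NULL) */
    uint32_t addr = base + index;             /* NULL + index */
    if (addr >= MEM_SIZE) return REJECTED;    /* keeps the model in bounds; not a fix */
    mem[addr] = value;
    return addr;
}

/* Hardened: fail closed on allocation failure and keep the index inside the
   object that was actually allocated. */
uint32_t hardened_store(uint32_t size, uint32_t index, uint8_t value) {
    uint32_t base = model_alloc(size);
    if (base == 0) return REJECTED;           /* allocation failed: stop here */
    if (index >= size) return REJECTED;       /* index outside the object */
    mem[base + index] = value;
    return base + index;
}

int main(void) {
    /* Constructed: a 2 GB + 1 request with an index pointing below the heap. */
    model_reset();
    uint32_t a = vulnerable_store(0x80000001u, 0x1234u, 0x41);
    printf("vulnerable: wrote 0x%02x at 0x%04x (heap starts at 0x%04x)\n",
           model_peek(a), a, HEAP_BASE);
    model_reset();
    uint32_t b = hardened_store(0x80000001u, 0x1234u, 0x41);
    printf("hardened: %s\n", b == REJECTED ? "rejected" : "wrote");
    return 0;
}
```

The slide's "NULL pointer returned, value plus offset used in a write" is exactly the vulnerable path here: once the allocation result is not checked, the attacker no longer needs a heap address at all, the index is the address. The rest of Dowd's chain (placing ActionScript byte code where that write can reach, then bypassing the verifier) builds on this one unchecked return.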
20. Statistical Analysis of Flash
   - Brief highlights of Flash security advisories.
     - Too many advisories to detail each one.
     - 54 advisories since 2001.
     - 2003-2006: ActionScript 2.
     - 2006-Today: ActionScript 3.
     - More functionality = more exploits.
21. Statistical Analysis of Flash
   - Most Common Bugs?
     - File format validation = malformed Flash files
     - Browser input validation = XSS, CSRF, etc.
     - ActionScript API = native Flash functionality
     - Sandbox violation = escaping the Flash sandbox
22. Statistical Analysis of Flash
   - How many of those bugs can be used to execute code?
     - 48% of Flash vulnerabilities have been exploited to gain code execution!
     - Weaponised Flash exploits are not uncommon.
     - Flash is not compiled with ASLR (/DYNAMICBASE) support.
23. Exploits In Flash
   - Common trends:
   - Flash has poor SWF file format validation.
     - User-supplied values frequently used in memory calculations.
     - Majority of vulnerabilities stem from file format validation bugs.
     - Malicious Flash is most likely to be 'malformed'.
   - Adobe/Macromedia have a poor Security Development Lifecycle.
     - Flash contains basic vulnerabilities: XSS, CRLF, stack overflows.
     - Vulnerabilities repeat themselves, often! Adobe do not learn.
     - The ActionScript API is being used natively as an attack vector.
     - The Flash security sandbox has been escaped three times!
   - The Flash ActiveX plug-in has the most issues.
     - Flash security flaws have increased drastically.
     - Almost half of vulnerabilities allow code execution!
24. Exploits In Flash
   - The Flash ActiveX plug-in has the most issues.
     - Twice as many as the Firefox plug-in.
   - Flash security flaws have increased drastically.
     - Almost half of vulnerabilities allow code execution!
     - New method of native Flash VM code execution (Mark Dowd's).
   - 2008?
     - ActionScript 4 is likely 2 years away (based on past history).
     - Flash will grow: more functionality, bigger API.
     - Competing with Silverlight (Microsoft's Flash).
     - Expect more Flash bugs.
25. Exploits In Flash
   - Possible exploitation scenario.
     - Evil hacker finds a .SWF file format validation bug.
     - Stack overflow, code execution.
   - The Exploit:
     - Legitimate-looking Flash 'advert' created with exploit code.
     - Exploit only triggered if (date > two weeks' time).
     - Evil hacker buys $250 of advertising for the malicious SWF file.
   - You:
     - Monday morning, you visit xyznews.co.nz, Flash banner adverts.
     - Today is > two weeks since the campaign launched.
     - Exploit code is served from the Flash advert: remote code execution.
     - Everything looks normal, nothing crashes, but you're owned.
     - Case of the Mondays?
26. Exploits In Flash
   - Recommendations:
     - Keep Flash up to date; updates fix critical bugs.
     - Disable Flash on critical systems.
     - Implement browser virtualisation.
       - Risk mitigation.
       - Firefox/IE inside VMware.
     - Be wary of arbitrary Flash content.
     - A Flash virus/worm is just a matter of time.