AMF Testing Made Easy! DeepSec 2012

Despite the popularity of Adobe Flex and the AMF binary protocol, testing AMF-based applications is still a manual and time-consuming activity. This research aimed at improving the current state of the art by introducing a new testing approach and a new tool named Blazer. Blazer has been proven to significantly improve the coverage and the effectiveness of AMF security testing, finding real-life vulnerabilities including direct object reference bugs, authentication flaws, business logic abuses, SQL injections and other critical bugs. These are the things you are looking for when it comes to security testing.

  1. AMF Testing Made Easy! DeepSec 2012 - Luca Carettoni
  2. Agenda
     - AMF specification, BlazeDS, current techniques and tools
     - Blazer architecture, core techniques, heuristics
     - Testing with Blazer: objects generation and fuzzing *DEMO*
     - CVE-2012-3249, Fortify Privileged Information Disclosure
     - Finding vulnerabilities with Blazer: unauthenticated methods *DEMO*, SQL injection *DEMO*
     - What's new in Blazer v0.3
     - Conclusion
  3. Thanks!
     - Matasano Security - http://matasano.com/ (part of this research was performed on behalf of Matasano Security)
     - Dafydd Stuttard - http://www.portswigger.net/ (Burp, such an amazing tool)
  4. I am a doer. And you?
     - Luca Carettoni - luca@addepar.com
     - Reinventing the Infrastructure that Powers Global Wealth Management - http://addepar.com
  5. Introduction and context
     - Adobe Flex: a framework for building Rich Internet Applications, based on Adobe Flash
     - ActionScript: an object-oriented programming language
     - Action Message Format (AMF): introduced with Flash Player 6; a compact binary format to serialize ActionScript objects; faster data transfer compared to text-based protocols; an efficient mechanism to save and retrieve application resources and to exchange strongly typed data between client and server
  6. AMF for end-users
  7. AMF for old-school hackers
  8. AMF for web hackers
  9. AMFv0 versus AMFv3
     - AMFv0 (Flash Player 6): object instances can be sent by reference; support for ActionScript 1.0
     - AMFv3 (Flash Player 9): object instances, traits and strings can be sent by reference; support for the new ActionScript 3.0 data types; support for flash.utils.IExternalizable; variable-length encoding scheme for integers
  10. Adobe BlazeDS
     - Server-side Java Remoting/Messaging technology
     - Using Flex Remoting, any Flex client or AIR application can communicate with remote services and exchange data
     - In practice, clients invoke Java methods from classes deployed within a traditional J2EE application server (e.g. Apache Tomcat)
     - A widely deployed implementation
     - Multiple alternatives exist: Java: Adobe LiveCycle Data Services, Granite, ...; others: RubyAMF, FluorineFX, amfPHP, ...
  11. Action Message Format (AMF)
     - AMF request/response types: CommandMessage, RemotingMessage, ...
     - Client-server communication through channels:
       Endpoint - http://<host>/messagebroker/amf
       Destination Service - echoService
       Operation - String echo(String input)
  12. State of the art (research, tools)
     - Testing Flash Applications, OWASP AppSec 2007 - Stefano di Paola
     - Flex, AMF3 and BlazeDS: An Assessment, Black Hat USA 2008 - Jacob Carlson and Kevin Stadmeyer
     - Deblaze, Defcon 17 - Jon Rose
     - Pentesting Adobe Flex Applications, OWASP NY 2010 - Marcin Wielgoszewski
     - Starting from v1.2.14, Burp Suite allows you to visualize and tamper with AMF traffic
     - Other debugging tools: Charles Proxy, WebScarab, Pinta AIR app, ...
  13. Testing remote methods, today
     - Traffic inspection and tampering: using network packet analyzers; using HTTP proxies
     - Enumeration (black-box testing): retrieving endpoints, destinations and operations from the traffic; decompiling the Flex application; brute-forcing endpoint, destination and operation names
  14. "Life is pain, highness. Anyone who tells you differently is selling something." - W. Goldman
  15. Is this the best we can do?
     - Ideal for black-box testing, limited knowledge required
     - Time consuming
     - Requires invoking all application functionality
     - What about custom objects? What about "hidden" services? How to ensure coverage?
  16. Enterprise-grade applications
     - Large attack surface
     - Custom externalizable classes
     - I've tested applications with more than 500 remotely invokable methods and more than 600 custom Java objects
  17. Life is not #ffffff and #000000
  18. Blazer
     - Custom AMF message generator with fuzzing capabilities
     - Method signatures and Java reflection are used to dynamically generate valid objects
  19. Blazer v0.3 - DeepSec edition
     - GUI-based Burp Suite plugin, well integrated so you won't need to leave your favorite tool; works with Burp Free and Pro, with Nimbus look'n'feel too
     - GNU GPL software: http://code.google.com/p/blazer/
     - Start Burp with java -classpath Blazer_v0.3.jar:burp.jar burp.StartBurp and launch Blazer from the context menu
  20. Blazer - Architecture
     - A packet generator based on Adobe AMF open source libraries
     - An object generator to build valid application objects using "best-fit" heuristics
     - A lightweight fuzzing infrastructure to generate attack vectors, insert payloads within objects, manage multiple threads and monitor the progress
  21. Blazer as a "custom" AMF client
     - By default, Blazer uses Burp Proxy to record requests and responses (a proxy setting option is available)
     - Using Burp, you can benefit from all the built-in tools available (search, sorting, ...)
  22. It's show time! General usage; objects generation; finding bugs with Blazer: (a) discover exposed methods
  23. CVE-2012-3249
     - HP Fortify Software Security Center Remote Disclosure of Privileged Information
     - Discovered in June 2012, patched in August 2012
     - From the advisory that I sent to HP: "An AMF endpoint used by the HP Fortify SSC web front-end allows retrieving sensitive system details, including user.dir, java.vm.name, os.name, java.vm.vendor, version, os.version, user.home, java.runtime.name, user.language, user.name, os.arch, java.runtime.version, user.country, java.version, ..."
     - public ListResult getFederations(@PName("spec") SearchSpec spec)
  24. Testing HP Fortify SSC
  25. Blazer - Core techniques
     - Objects generation: Java reflection; "best-fit" heuristics; randomness and permutations
  26. Blazer - Data pools
     - Data pools: containers for "good" user-supplied input; allow instantiating objects and invoking methods with semantically valid data; available for all primitive types and String; need to be customized for the target
     - Attack vectors: relevant for String objects only; the attack vector probability allows unbalancing the String data pool with attack vectors
  27. Blazer - Heuristic
  28. Test case: SQL injection
  29. Blazer - "Best-fit" heuristics 1/2
     For example, let's build a HashMap:
       ObjectGenerator tCObj = new ObjectGenerator(task, null);
       tCObj.generate("java.util.HashMap");
     INT data pool: 1, 2, 3
  30. Blazer - "Best-fit" heuristics 2/2
     Generated instances: {null,null}, {FOO=BAR,null}
     STRING data pool: FOO, BAR, ';--
  31. It’s show time, again! Finding bugs with Blazer: (b) SQL Injection
  32. Coverage and Scalability
     - With unlimited time, you could theoretically get close to 99.9% coverage
     - In practice, Blazer and target setup are crucial: optimize the number of permutations; balance "good" and "bad" attack vectors
     - Let's do some math: an application with ~500 exposed operations; 45 attack vectors (Burp's default fuzzing list in Intruder); 35 permutations (average for big apps, experimentally determined); ~500 x 45 x 35 = ~787500 requests
  33. So, what's new in Blazer 0.3?
     - Import of classes and Java source code
     - Custom Java Security Manager to protect ObjectGenerator.generate()
     - Export functionality (AMF2XML)
  34. Conclusions
     - During real-life assessments, the approach has been proven to increase coverage and effectiveness
     - Blazer was designed to make AMF testing easy, and yet allows researchers to fully control the entire security testing process
     - From 0 to message generation and fuzzing in just a few clicks
     - If you find bugs using Blazer, either give credit or buy a beer
     - If you find bugs in Blazer and provide a patch, I'll buy you a beer
  35. References
     - AMF 3 Specification, Adobe Systems Inc. http://download.macromedia.com/pub/labs/amf/amf3_spec_121207.pdf
     - Adobe BlazeDS Developer Guide, Adobe Systems Inc. http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html
     - BlazeDS Java AMF Client, Adobe Systems Inc. http://sourceforge.net/adobe/blazeds/wiki/Java%20AMF%20Client/
     - Testing Flash Applications, Stefano di Paola. http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt
     - Adobe Flex, AMF 3 and BlazeDS: An Assessment, Jacob Carlson and Kevin Stadmeyer. http://www.blackhat.com/presentations/bh-usa-08/Carlson_Stadmeyer/BlackHat-Flex-Carlson_Stadmeyer_vSubmit1.pdf
     - Deblaze, Jon Rose. http://deblaze-tool.appspot.com/
     - Pentesting Adobe Flex Applications, Marcin Wielgoszewski. http://blog.gdssecurity.com/storage/presentations/OWASP_NYNJMetro_Pentesting_Flex.pdf
     - Burp Suite v1.2.14 Release Note, PortSwigger Ltd. http://releases.portswigger.net/2009/08/v1214.html
  36. Pictures
     - http://www.rialitycheck.com/portfolio.cfm
     - http://www.silexlabs.org/amfphp/
     - http://cloudfront.qualtrics.com/blog/wp-content/uploads/2010/05/thumbs-up-thumbs-down_orange.jpg
     - http://livedocs.adobe.com/blazeds/1/blazeds_devguide/index.html
     - http://1.bp.blogspot.com/_zMthNE3rsTA/TQjjurmc-tI/AAAAAAAAAL8/fmfG0QP6ODo/s1600/Disappointed_by_taleb83.jpg
     - http://www.clker.com/clipart-pointer-finger.html
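The two AMFv3 features named on the "AMFv0 versus AMFv3" slide, variable-length integers and strings sent by reference, as an added Python example that is not part of the slides or of Blazer; the 0x06 string marker and the low-bit inline/reference flag follow the AMF 3 specification listed in the references.

```python
# Minimal AMF3 U29 integer coding and string reference table.
# Illustrative code written for this page, not Blazer's or Adobe's.

def encode_u29(value: int) -> bytes:
    """Encode an unsigned 29-bit integer as 1 to 4 bytes (AMF3 U29).
    Each of the first three bytes carries 7 data bits plus a continuation
    flag in the high bit; a fourth byte, when present, carries 8 data bits."""
    if not 0 <= value < 1 << 29:
        raise ValueError("U29 holds 0..2^29-1")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([0x80 | (value >> 7), value & 0x7F])
    if value < 0x200000:
        return bytes([0x80 | (value >> 14),
                      0x80 | ((value >> 7) & 0x7F), value & 0x7F])
    return bytes([0x80 | (value >> 22), 0x80 | ((value >> 15) & 0x7F),
                  0x80 | ((value >> 8) & 0x7F), value & 0xFF])


def decode_u29(data: bytes, pos: int = 0) -> tuple:
    """Decode a U29 starting at data[pos]; return (value, next_pos)."""
    value = 0
    for i in range(3):
        b = data[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # continuation flag clear: done
            return value, pos + i + 1
    return (value << 8) | data[pos + 3], pos + 4   # 4th byte: 8 data bits


class Amf3StringWriter:
    """Strings are sent inline once and by table index afterwards.
    The AMF3 string marker is 0x06; the U29 that follows has its low bit
    set for an inline string (length << 1 | 1) and clear for a reference
    (index << 1). The empty string is always inline and never tabled."""

    def __init__(self):
        self.table = []                # reference table, per message

    def write(self, s: str) -> bytes:
        if s == "":
            return b"\x06\x01"
        if s in self.table:
            return b"\x06" + encode_u29(self.table.index(s) << 1)
        self.table.append(s)
        raw = s.encode("utf-8")
        return b"\x06" + encode_u29(len(raw) << 1 | 1) + raw
```

A Burp user looking at raw AMF3 can use the same rules to tell an inline destination or operation name from a back-reference to one already sent in the message.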

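The object generation, data pools and attack-vector probability described on the "Core techniques", "Data pools" and "Best-fit heuristics" slides, as an added Python sketch that is not Blazer's Java code; SearchSpec, echo and get_federations are hypothetical stand-ins for a target's remote operations and custom objects, and the pool values are constructed.

```python
# Python sketch of Blazer's object generation (not Blazer's Java code):
# parameter types come from the method signature (reflection), primitives
# and String from data pools, custom types from their constructor
# ("best-fit"), and String values become attack vectors with probability p.
import inspect
import random
from dataclasses import dataclass

# Data pools: "good" input the tester customises per target (constructed).
POOLS = {int: [1, 2, 3], bool: [True, False], str: ["FOO", "BAR"]}
ATTACK_VECTORS = ["';--"]   # apply to String arguments only

@dataclass
class SearchSpec:           # hypothetical stand-in for a custom Java object
    query: str
    limit: int

def generate(tp, rng, p_attack, depth=0):
    """Build one value of type tp from the pools; None when no rule fits."""
    if depth > 4 or tp is inspect.Parameter.empty:
        return None                          # unknown or too deep: null
    if tp is str and rng.random() < p_attack:
        return rng.choice(ATTACK_VECTORS)    # unbalance String with vectors
    if tp in POOLS:
        return rng.choice(POOLS[tp])
    if inspect.isclass(tp):                  # custom object: fill its ctor
        try:
            params = inspect.signature(tp).parameters.values()
            return tp(*[generate(p.annotation, rng, p_attack, depth + 1)
                        for p in params])
        except (TypeError, ValueError):
            pass                             # no usable constructor
    return None

def generate_invocation(method, rng, p_attack=0.0):
    """Argument list for one remote operation, from its signature."""
    params = inspect.signature(method).parameters.values()
    return [generate(p.annotation, rng, p_attack) for p in params]

def permutations(method, n, seed=0, p_attack=0.0):
    """n randomised argument sets for method, reproducible from seed."""
    rng = random.Random(seed)
    return [generate_invocation(method, rng, p_attack) for _ in range(n)]

# Hypothetical remote operations shaped like the slides' String echo(String)
# and ListResult getFederations(SearchSpec).
def echo(text: str) -> str: ...
def get_federations(spec: SearchSpec) -> list: ...
```

With p_attack at 0 every generated SearchSpec is semantically valid, which is what lets a run reach past input validation; raising it mixes the ';-- probe into the String fields, as on the SQL injection test case slide.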