2007 Security-Assessment.com
Who Am I?
Paul Craig, Principal Security Consultant, Security-Assessment.com. Author, hacker, active security researcher.
My Role
Email: paul.craig@security-assessment.com
YouTube, Facebook, MySpace, CNN, eBay, etc. I wonder: do internet users implicitly trust Flash content?
The Litmus Test: My Wife, Kim.
If I sent you a link to funnygame.exe, would you run it? "Nope." How about funnygame.swf? "I would probably open that." Flash is considered harmless; it's a funny game or a joke.
My Question:
What are the incurred risks of running Flash content? How easily can Flash be used as an attack vector? What is the probability of getting pwned through a malicious SWF?
Who, Why, How, What of Flash. Everything you wanted to know about Flash:
Originally developed by Macromedia in the early 2000s. Macromedia was purchased by Adobe in 2005 ($3.4 billion!).
Flash logic is developed in ActionScript.
Who, Why, How, What of Flash. ActionScript was developed from a feature in Flash 4, 7 years ago. Flash 4 Actions (macros) expanded into ActionScript v1 in Flash 5.
A JavaScript-like language with simple functionality. Unenforced variable type system. Simple API for graphical manipulation. Prototype-oriented programming (no class support). Only 60% of the API is documented.
ActionScript v2, 2003-2006
Flash is being used for complex applications! Developers demanded more functionality.
Compile-time and runtime type validation. Support for packages, namespaces and regular expressions. JIT compilation for the new Flash virtual machine (AVM2). Binary sockets (connect to a port, send/retrieve data). 10% of the API is still undocumented!
ActionScript has matured into a flexible, powerful language.
Supported by 850 million internet-connected desktops. Cross-platform (Windows, OS X, Linux, HP-UX, PPC).
"I would probably open that."
850 million devices support a language (ActionScript) first developed by Macromedia and now owned by Adobe. Vast history of Adobe/Macromedia security issues. Adobe Acrobat exploit, anyone?
ActionScript is complex.
#1 Software developers always make mistakes.
#2 Mistakes get exploited.
#3 Developers tend to make the same mistake more than once.
#4 See #1.
A History of Flash Exploits (2001-2008). Look for common trends in Flash exploits over the last 7 years.
to save arbitrary files and programs via a .SWF file containing the undocumented "save" FSCommand (CVE-2002-0476).
remote attackers to execute arbitrary programs via a .SWF file containing the "exec" FSCommand (CVE-2002-0477).
FSCommand("exec","rundll\tuser.exe,exitwindows");
FSCommand("save","C:\\filename.txt");
The FSCommand function is only present in the standalone player API.
Read arbitrary files from disk using Flash. Flash security prohibits .SWF content from one site from accessing content from another.
loadMovie(), loadSound(). First Flash DoS tool: loadMovie("http://www.blah.com") in a loop. Dumb mistakes.
XSS vulnerability in the Macromedia Flash ad user-tracking capability allows remote attackers to insert arbitrary JavaScript via the clickTAG field.
http://www.example.com/victim.swf?clickTag=javascript:alert('aaa');
Flash developers appear to be unaware of cross-site scripting. A basic XSS attack vector, nothing fancy here. A quick pre-release code analysis would have found this, or a secure coding methodology.
Malformed SWF header with a modified frame type identifier. Flash still fails to validate the SWF file format, now 3 years after the original .SWF file format bug was found.
Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 (CVE-2006-0024).
A malformed .SWF file causes memory access violations. More malformed Flash...
Malformed SWF file vulnerability in Flash 8.0.24.0 (CVE-2006-3588).
Long string in the Flash8b.AllowScriptAccess method. The second Flash ActiveX method to contain a stack overflow.
and conduct HTTP Request Splitting attacks via CRLF injection in ActionScript functions.
Flash does not validate user-supplied content for CRLF. Flash does not have any special-character blacklist.
Exploits in Flash: Insufficient Input Validation Allows CSRF (CVE-2007-3457). Flash insufficiently validates HTTP Referer headers for CRLF (AGAIN!). Allows remote attackers to conduct a CSRF attack via a crafted SWF file. 2nd CRLF bug, 2nd HTTP Referer bug!
Flash Player 9.0.48 HTTP Request Splitting Attack (CVE-2007-6245). Remote attackers can modify HTTP headers for client requests and conduct HTTP Request Splitting attacks. 3rd CRLF bug, 3rd header bug.
Flash Player Malformed SWF File (CVE-2007-6019).
Exploits in Flash: Multiple Cross-Site Scripting Vulnerabilities in Flash ActiveX 9. Remote attackers can inject arbitrary web script or HTML via navigateToURL() and asFunction().
navigateToURL takes two arguments: URL and browser frame. navigateToURL accepts javascript: URIs and arbitrary browser frames. The JavaScript executes in the security context of the named frame! It should execute in the security context of the page that embedded the SWF.
An evil.swf advert located on myadverts.co.nz is served on mybank.co.nz.
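The defender's counterpart to the clickTag and navigateToURL() slides, as an added example that is not from the deck: a URL taken from an untrusted FlashVar is accepted only if it is an absolute http(s) URL on an allowlisted host, so javascript: and asfunction: values never reach navigateToURL(). The allowlisted hosts are an assumption; the payload in the samples is the deck's own clickTag example.

```javascript
// Added example, not code from the slides: allowlist check for a URL arriving
// in an untrusted FlashVar such as clickTag, applied before the value reaches
// getURL()/navigateToURL(). ALLOWED_CLICK_HOSTS is an assumed ad-network list.
const ALLOWED_CLICK_HOSTS = new Set(['www.example.com', 'ads.example.com']);

// True only for an absolute http(s) URL whose host is on the allowlist.
// The WHATWG URL parser strips the tabs/newlines browsers ignore inside a
// scheme, so "java\tscript:" is still recognised (and rejected) as javascript:.
function isSafeClickTag(raw, allowedHosts = ALLOWED_CLICK_HOSTS) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw);            // no base URL: relative values fail to parse
  } catch (e) {
    return false;
  }
  // javascript:, asfunction:, data:, vbscript: and friends all stop here.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // hostname excludes userinfo ("user@") and port, so both tricks are covered.
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Pull the clickTag value out of an embedding URL shaped like the deck's example.
function clickTagFromEmbedUrl(embedUrl) {
  return new URL(embedUrl).searchParams.get('clickTag');
}

// Constructed inputs; slidesXss carries the payload shown on the XSS slide.
const SAMPLES = {
  legit:      'http://www.example.com/landing?campaign=7',
  withPort:   'https://ads.example.com:8443/click',
  slidesXss:  clickTagFromEmbedUrl("http://www.example.com/victim.swf?clickTag=javascript:alert('aaa');"),
  tabbed:     'java\tscript:alert(1)',
  upperCase:  'JAVASCRIPT:alert(1)',
  asfunction: 'asfunction:_root.doSomething',
  relative:   '//evil.example/landing',
  userinfo:   'http://www.example.com@evil.example/',
};
```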
Exploits in Flash: Interaction Error Between Adobe Flash and UPnP Services (CVE-2008-1654). Flash can be used to send SOAP XML requests to arbitrary addresses, including internal addresses. How about reconfiguring your modem, using SOAP over unauthenticated UPnP functionality? Example: http://www.gnucitizen.org/blog/hacking-the-interwebs/ Exploiting the BT Home Hub with Flash.
Reconfiguring the BT Home Hub primary DNS server remotely through the Flash player, over UPnP.
2Wire Modem DDoS Virus: reconfigure the modem to send 10,000 test pings to www.cnn.com. Flash lacks cohesive security zones and network sandboxing.
Exploits in Flash: Mark Dowd, Weaponised Flash NULL Pointer Attack. A 25-page paper on exploiting Flash (worth reading, if you're into it): http://documents.iss.net/whitepapers/IBM_XForce_WP_final.pdf
Statistical Analysis of Flash. Brief highlights of Flash security advisories. Too many advisories to detail each one. 54 advisories since 2001.
Chart legend: Malformed Flash Files; Native Flash Functionality; Escaping the Flash Sandbox.
Statistical Analysis of Flash: How Many of Those Bugs Can Be Used to Execute Code?
48% of Flash vulnerabilities have been exploited to gain code execution! Weaponised Flash exploits are not uncommon. Flash is not compiled with ASLR (/DYNAMICBASE) support.
Exploits in Flash, common trends: Flash has poor SWF file format validation.
User-supplied values are frequently used in memory calculations. The majority of vulnerabilities stem from file format validation bugs. Malicious Flash is most likely to be malformed.
Adobe/Macromedia have a poor Security Development Lifecycle.
Flash security flaws have increased drastically. Almost half of the vulnerabilities allow code execution!
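The kind of check the deck says Flash lacked, written here as an added example that is not from the slides: a SWF header parser that compares every length the file declares with the bytes actually present before using it, so a forged length or a RECT that runs off the end of the file is rejected instead of feeding a memory calculation. Field layout follows the published SWF file format; the sample files are constructed.

```javascript
// Added example, not code from the slides: a defensive SWF header check. Each
// declared size is compared with the real buffer before it is used. A "CWS"
// body is zlib-compressed, so only its 8-byte header is checked here.

// Read nbits bits, MSB first, from absolute bit offset bitPos (SWF bit fields).
function readBits(buf, bitPos, nbits, signed = false) {
  let value = 0;
  for (let i = 0; i < nbits; i++) {
    const byte = buf[(bitPos + i) >> 3];
    if (byte === undefined) throw new RangeError('bit field runs past end of file');
    value = value * 2 + ((byte >> (7 - ((bitPos + i) & 7))) & 1);
  }
  // RECT coordinates are signed two's-complement values nbits wide.
  return signed && value >= 2 ** (nbits - 1) ? value - 2 ** nbits : value;
}

function parseSwfHeader(bytes) {
  const buf = Uint8Array.from(bytes);
  if (buf.length < 8) throw new RangeError('truncated SWF header');
  const signature = String.fromCharCode(buf[0], buf[1], buf[2]);
  if (signature !== 'FWS' && signature !== 'CWS') throw new Error('not a SWF signature');
  // UI32 little-endian length of the uncompressed file, header included.
  const fileLength = (buf[4] | (buf[5] << 8) | (buf[6] << 16) | (buf[7] << 24)) >>> 0;
  if (fileLength < 8) throw new RangeError('declared length smaller than header');
  const header = { signature, compressed: signature === 'CWS', version: buf[3], fileLength };
  if (header.compressed) return header;               // would need inflate to go on
  if (fileLength !== buf.length) throw new RangeError(`declared ${fileLength} bytes, got ${buf.length}`);
  // RECT: 5-bit Nbits, then four Nbits-wide signed fields, padded to a byte.
  const nbits = readBits(buf, 64, 5);
  const [xmin, xmax, ymin, ymax] = [0, 1, 2, 3].map((i) => readBits(buf, 69 + i * nbits, nbits, true));
  const o = 8 + Math.ceil((5 + 4 * nbits) / 8);      // offset of frame rate
  if (o + 4 > buf.length) throw new RangeError('file ends inside frame rate/count');
  header.frame = { xmin, xmax, ymin, ymax };           // twips (1/20 px)
  header.frameRate = buf[o + 1] + buf[o] / 256;        // UI16, fixed-point 8.8
  header.frameCount = buf[o + 2] | (buf[o + 3] << 8);  // UI16
  return header;
}

function validateSwf(bytes) {                          // report instead of throwing
  try { return { ok: true, header: parseSwfHeader(bytes) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}

// Constructed 23-byte uncompressed SWF: 550x400 px (11000x8000 twips), 24 fps, 1 frame, End tag.
const GOOD_SWF = [0x46, 0x57, 0x53, 0x09, 0x17, 0x00, 0x00, 0x00, 0x78, 0x00, 0x05, 0x5F, 0x00,
  0x00, 0x0F, 0xA0, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00];
// Length field forged to 0xFFFFFFFF, and a header whose Nbits=31 RECT runs past the end of the file.
const BAD_LENGTH_SWF = GOOD_SWF.map((b, i) => (i >= 4 && i < 8 ? 0xFF : b));
const TRUNCATED_SWF = [0x46, 0x57, 0x53, 0x09, 0x0A, 0x00, 0x00, 0x00, 0xF8, 0x00];
```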
Evil Hacker finds a .SWF file format validation bug. Stack overflow, code execution.
The Exploit:
A legitimate Flash advert is created with exploit code. The exploit is only triggered if (date > two weeks' time). Evil Hacker buys $250 of advertising for the malicious SWF file.
You:
Monday morning, you visit xyznews.co.nz, which carries Flash banner adverts. Today is > two weeks since the campaign launched.
Keep Flash up to date; updates fix critical bugs. Disable Flash on critical systems. Implement browser virtualisation for risk mitigation: Firefox/IE inside VMware.