For the sake of precision, this is a cross-post of the NibbleSec post.
Although Adobe patched the bug in 2011, it is still possible to exploit vulnerable SWF applications in fully patched web browsers with the latest version of Adobe Flash Player; successful exploitation leads to Same-Origin Request Forgery and Cross-Site Content Hijacking.
The particularity of (CVE-2011-2461) is that vulnerable Flex applications have to be recompiled or patched;
even with the most recent Flash player, vulnerable Flex applications
can be exploited. As long as the SWF file was compiled with a vulnerable
Flex SDK, attackers can still use this vulnerability against the latest
web browsers and Flash plug-in.
We conducted a large scale analysis against many high-profile web sites and we found out that a considerable portion is still hosting vulnerable Flex applications.
During the past months, we've done our best to privately disclose this issue to some of the largest websites, but we won't be able to reach a broader audience without publicly releasing the technical details.
The Issue
Starting from Flex version 3, Adobe introduced runtime localizations.
A new component in the Flex framework — the ResourceManager — allows access to localized resources at runtime.
Any component that extends UIComponent, Formatter, Validator have a ResourceManager property, which allows the SWF file to access
the singleton instance of the resource manager.
ResourceManager exposes by default a property that can be controlled by an attacker via a specific Flash Variable: resourceModuleURLs.
Adobe Flex SDK (between 3.x and 4.5.1) is affected by such issue, since the parent SWF file loads the child module, and sets its SecurityDomain to SecurityDomain.currentDomain.
Obviously, this leads to:
Obviously, this leads to:
- Same-Origin requests forgery
- Flash XSS (in older versions of the Flash player).
The Impact: Same-Origin Request Forgery
When successfully exploited a Same Origin Request Forgery attack allows a malicious web site to perform arbitrary requests to the vulnerable site, and read its response without restrictions.
In our case, it
is possible to force the affected Flash movies to perform arbitrary
requests to the hosting server and return the responses back to the malicious Flash file.
Since HTTP
requests contain cookies and are issued from the victim’s domain, HTTP
responses may contain private information including anti-CSRF tokens and
user's data.
Detecting vulnerable Flex apps
We developed ParrotNG, an open-source Java-based tool for automatically identifying vulnerable SWF files, built on top of swfdump. It can be used both as a command line tool and as a Burp Pro Passive Scanner Plug-in.You can download it from https://github.com/ikkisoft/ParrotNG/ - refer to the "How to Use" section in the README.md for further details.
How to protect
After having identified all Flex SWF files compiled with a vulnerable version of the Adobe Flex SDK, there are three possibilities:- Recompile them with the latest Apache Flex SDK, including static libraries;
- Patch them with the official Adobe patch tool, as illustrated here. This seems to be sufficiently reliable, at least in our experience;
- Delete them, if not used anymore.
No comments:
Post a Comment