Rosetta Flash - SWF encoding for calling from JSONP

    Michele Spagnuolo, a Google security specialist, has written a utility that can encode any SWF file using any given dictionary of characters.
    Why is this needed? Everything is very simple - such a file can be passed as the callback parameter of a JSONP endpoint on the site from which you need to get information, which lets you bypass the Same Origin Policy.
    This problem has been known for a long time, but it received little attention precisely because it was extremely difficult to produce a SWF file consisting only of characters that are allowed in a callback parameter. Now such a tool exists.
    The utility relies on zlib, Huffman coding, and brute-forcing the ADLER32 checksum.

    Of the major services, the following were vulnerable:
    • Google Services (accounts.google.com, books.google.com, maps.google.com)
    • YouTube
    • eBay
    • Instagram
    • Twitter
    • Tumblr
    • Olark

    How was the vulnerability used?

    Suppose there are two domains: miki.net, which we control, and the target, trovatel.net.

    On trovatel.net there is a JSONP script that echoes its callback parameter straight into the response:
    http://trovatel.net/vulnerable_jsonp.php?callback=

    There is also a secret page that returns a secret when requested with the right cookie set:
    http://trovatel.net/secret/secret.php

    When the user visits the miki.it/RosettaFlash page, they will find the following code:

    Here miki.it/RosettaFlash/log.php is a logging script.

    The user's browser downloads the SWF file from trovatel.net, the SWF opens the page with the secret (with the user's cookies attached, of course), and sends its contents to the attacker's remote server. Everything is quite simple and typical.
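    The weak link in the scenario above is a JSONP endpoint that reflects the callback at byte offset 0 of the response, so the response body itself can begin with a SWF header. As an added example (not code from the original post or from the Rosetta Flash tool), the following Python builds a JSONP response the way a defender would harden it: the callback is checked against an identifier whitelist, the body is prefixed with a comment so it can never start with the SWF magic bytes, and the response carries headers that discourage the browser from treating it as anything but a download or script. The whitelist regex, the header values and the sample callback `CWSexample` are assumptions constructed for illustration; the callback is not a working SWF, it merely starts with one of the three SWF signatures so the two builders can be compared.

```python
import json
import re

# Assumed whitelist: a dotted JavaScript identifier such as "jQuery_123.cb".
# Note that the whitelist alone is NOT enough: "CWSexample" is a perfectly
# valid identifier, which is exactly why Rosetta Flash worked with alphanumerics.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
MAX_CALLBACK_LEN = 64

# The three SWF container signatures (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def build_unsafe_jsonp_response(callback, payload):
    """The vulnerable pattern: the callback is echoed verbatim at offset 0.

    If the callback happens to be an encoded SWF, the whole response body
    is a SWF served from the victim's origin.
    """
    return (callback + "(" + json.dumps(payload) + ");").encode("utf-8")


def build_jsonp_response(callback, payload):
    """Hardened JSONP builder. Returns (status, headers, body).

    Mitigations applied (assumed, not taken from the page):
      * reject callbacks that are not plain identifiers or are too long;
      * prepend "/**/" so the body never starts with FWS/CWS/ZWS;
      * nosniff + attachment headers so the response is not interpreted
        as a plugin payload when fetched directly.
    """
    if (
        callback is None
        or len(callback) > MAX_CALLBACK_LEN
        or not CALLBACK_RE.match(callback)
    ):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"invalid callback"

    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return 200, headers, body.encode("utf-8")


def looks_like_swf(body):
    """Detection helper: does this response body begin with a SWF signature?"""
    return body[:3] in SWF_MAGIC


if __name__ == "__main__":
    # Constructed sample: a callback that merely begins with the zlib SWF magic.
    sample_callback = "CWSexample"
    unsafe = build_unsafe_jsonp_response(sample_callback, {"a": 1})
    status, headers, safe = build_jsonp_response(sample_callback, {"a": 1})
    print("unsafe body starts like a SWF:", looks_like_swf(unsafe))
    print("hardened body starts like a SWF:", looks_like_swf(safe))
    print("rejected:", build_jsonp_response("alert(1)//", {})[0] == 400)
```

    The same check in `looks_like_swf` can be run against the first bytes of any JSONP response captured in a proxy or web server log: a body that begins with `FWS`, `CWS` or `ZWS` on an endpoint that is supposed to return JavaScript is a strong indicator that the callback is being abused in the way described above.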

    Adobe has since released an update to Flash Player in which this vulnerability can no longer be exploited.

    References

    Information in the blog of the author
    More detailed information in PDF
    Utility on Github
    CVE-2014-4671
