Hacking The World With Flash: OWASP 29/2008 Paul Craig

Hacking The World With Flash:
Analyzing Vulnerabilities in Flash and the Risk of Exploitation
OWASP 29/2008
Paul Craig
© 2007 Security-Assessment.com
Who Am I?
- Paul Craig, Principal Security Consultant - Security-Assessment.com
- Author, hacker, active security researcher.
My Role
- Application Penetration Tester
- “I break the crack-headed ideas of developers..”
Comments, Questions, Feedback?
- Email: paul.craig@security-assessment.com
- “Wow, Macromedia/Adobe Flash is everywhere on the internet!”
  - YouTube, FaceBook, MySpace, CNN, Ebay, etc.
- I wonder, do internet users implicitly trust Flash content?
- The Litmus Test: My Wife, Kim.
  - If I sent you a link to funnygame.exe, would you run it? “Nope.”
  - How about funnygame.swf? “I would probably open that”
  - Flash is considered harmless, “It’s a funny game or joke”
- My Question:
  - What are the incurred risks of running Flash content?
  - How easily can Flash be used as an attack vector?
  - Probability of getting pwned through a malicious SWF?
Who Why How What of Flash
- Everything you wanted to know about Flash:
  - Originally developed by Macromedia in the early 2000’s.
  - Macromedia was purchased by Adobe in 2005 ($3.4 billion!)
  - Flash logic is developed in ActionScript.
  - Originally based on ECMAScript/JavaScript.
- The ActionScript API is segregated into two streams.
  - Web Flash Content:
    - ActionScript executed by a browser plug-in/ActiveX control.
    - Reduced-functionality API, no access to host functionality.
  - Standalone Flash:
    - Compiled PE executables with an embedded ActionScript player.
    - .SWF played from the local Flash player.
    - Larger, more complete API, with access to host functionality.
Who Why How What of Flash
- ActionScript was developed from a feature in Flash 4, 7 years ago.
  - Flash 4 ‘Actions’ (macros) expanded into ActionScript v1 in Flash 5.
  - JavaScript-like language with simple functionality.
  - Unenforced variable type system.
  - Simple API for graphical manipulation.
  - Prototype-oriented programming (no class support).
  - Only 60% of the API documented.
- ActionScript v2, 2003-2006
  - Flash is being used for complex applications!
  - Developers demanded more functionality.
  - Compile-time type checking implemented, strict variable typing.
  - Object-oriented programming support.
  - Flash begins to appear ‘everywhere’.
Who Why How What of Flash
- ActionScript v3, 2006-Today
  - Compile-time and runtime type validation.
  - Support for packages, namespaces and regular expressions.
  - JIT compilation for the new Flash Virtual Machine (AVM2).
  - Binary sockets (connect to a port, send/retrieve data).
  - 10% of the API is still undocumented!
- ActionScript has matured into a flexible, powerful language.
  - Supported by 850 million internet-connected desktops.
  - Cross-platform (Windows, OSX, Linux, HP-UX, PPC)
- “I would probably open that”
- “I probably shouldn’t, aye”
Who Why How What of Flash
- Flash is a Powerful Attack Vector.
  - 850 million devices which support a language (ActionScript).
  - Language first developed by Macromedia, and now Adobe.
  - Vast history of Adobe/Macromedia security issues.
  - Adobe Acrobat exploit anyone?
- ActionScript is complex.
  - Grown immensely, very quickly.
  - Quickly implemented features tend to contain bugs, exploits.
  - Do Adobe follow a decent secure coding methodology?
  - Adobe make apps like Photoshop; do they take internet security
- The Flash Plug-in is Critical Browser Infrastructure.
  - One zero-day in Flash, 850 million exploitable devices.
Exploits in Flash
- Golden Rules of Security:
  - #1 – Software Developers Always Make Mistakes.
  - #2 – Mistakes Get Exploited.
  - #3 – Developers tend to make the SAME mistake more than once.
  - #4 – See #1
- A History of Flash Exploits (2001-2008)
  - Look for common trends in Flash exploits over the last 7 years.
  - Predict the future of Flash security: what will 2008 bring?
  - Likelihood of malicious Flash content.
  - Find new vulnerabilities in Flash.
  - Same bug, different section of Flash.
Exploits in Flash
- 2002: First Major Flash Security Advisories
  - Standalone Macromedia Flash Player 5.0 allows remote attackers to save arbitrary files and programs via a .SWF file containing the undocumented "save" FSCommand. (CVE-2002-0476)
  - Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote attackers to execute arbitrary programs via a .SWF file containing the "exec" FSCommand. (CVE-2002-0477)
- Undocumented API functionality to write or execute a file:
    FSCommand("exec", "rundll\tuser.exe,exitwindows");
    FSCommand("save", "C:\\filename.txt");
- The FSCommand function is only present in the standalone player API.
  - Web browser unaffected.
Exploits in Flash
- Flash ActiveX v6.0.23 Parameter Stack Overflow (CVE-2002-0605)
  - Long ‘movie’ tag parameter:
    <param name=movie value="AAAAAAAAAAAAAAAAAAAA....">
- Heap Overflow in Malformed ‘length’ SWF Header (CVE-2002-0846)
  - The SWF header contains a ‘length’ value for the .SWF file.
  - Define a length shorter than the .SWF file: malloc() overflow.
  - User-supplied value unvalidated and used directly in memory
- Multiple Overflows Through Malformed SWF Headers (CVE-2002-1382)
  - Three SWF header values vulnerable to memory corruption.
  - Same bug, different variable, three months later.
  - Flash appears to rely on user-supplied values for memory length.
Exploits in Flash
- Bypass Same Domain Policy (CVE-2002-1467)
  - Read arbitrary files from disk using Flash.
  - Flash security prohibits .SWF content from one site accessing content from another.
  - Flash will follow a 302 HTTP redirect to file://
  - "file://" base in a web document
- Flash Denial of Service (CVE-2002-1625)
  - Flash Player 6 never terminates a connection to a remote website when using:
    - loadMovie()
    - loadSound()
  - First Flash DoS tool: loadMovie("http://www.blah.com") in a loop.
- Dumb mistakes…
Exploits in Flash
- 2003: First Flash Cross-Site Scripting Bug
  - XSS vulnerability in the Macromedia Flash ad user tracking capability.
  - Allows remote attackers to insert arbitrary JavaScript via the ClickTAG field.
  - ClickTAG is used to notify a website prior to Flash execution:
    http://www.example.com/victim.swf?clickTag=http://adnetwork.com/tracking?ex
    http://www.example.com/victim.swf?clickTag=javascript:alert('aaa');
- Flash developers appear to be unaware of Cross-Site Scripting.
  - Basic XSS attack vector, nothing fancy here..
  - Quick pre-release code analysis would have found this.
  - Or a secure coding methodology…
Exploits in Flash
- Flash v6 ActiveX Malformed SWF Header (CVE-2005-2628)
  - Malformed SWF header with a modified frame type identifier.
  - Flash still fails to validate the SWF file format.
  - Now 3 years after the original .SWF file format bug was found.
- Multiple Unspecified Vulnerabilities in Adobe Flash Player
  - ‘Remote attackers able to execute arbitrary code via a specially crafted SWF file.’.. And again..
- Stack Overflow in Adobe Flash Player and earlier (CVE-2006-3311)
  - Execute arbitrary code via a long, dynamically created string in a SWF movie.
  - Stack overflow in the ActionScript 2 API.
Exploits in Flash
- Malformed SWF File in Flash 8.0.24 (CVE-2006-3587)
  - Malformed .SWF file causes memory access violations.
  - More malformed Flash..
- Malformed SWF File Vulnerability in Flash (CVE-2006-3588)
  - Allows remote attackers to cause a browser crash via a malformed, compressed .SWF file.
- Flash ActiveX Flash8b.ocx Browser Crash
  - Long string in the Flash8b.AllowScriptAccess method.
  - Second Flash ActiveX method to contain a stack overflow.
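The ‘length’ header bugs (CVE-2002-0846, CVE-2002-1382) and the compressed-SWF crash (CVE-2006-3588) share one defect: a length read from the file is trusted before it is compared with the bytes actually present. The Python below is an added example, not code from this talk or from Adobe. It parses the fixed SWF header and the frame header, cross-checks the declared length against the real (decompressed) body, and refuses a file whose length does not match or exceeds a cap before any large buffer is allocated. The sample SWF bytes, the 64 MiB cap and all function names are constructed for the example.

```python
import struct
import zlib

# Hypothetical defensive cap on the declared length; the player's own limit is not stated on the slides.
MAX_SWF_LENGTH = 64 * 1024 * 1024


class SwfFormatError(ValueError):
    """Raised when the SWF header does not describe the bytes actually present."""


def _pack_bits(fields):
    """Pack (value, width) pairs MSB-first into bytes, zero-padding the last byte."""
    bits = "".join(format(value, "0%db" % width) for value, width in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _read_bits(buf, bit_pos, width):
    """Read `width` bits MSB-first starting at absolute bit offset `bit_pos`."""
    value = 0
    for i in range(width):
        byte = buf[(bit_pos + i) // 8]
        value = (value << 1) | ((byte >> (7 - (bit_pos + i) % 8)) & 1)
    return value


def build_minimal_swf(compressed=False, declared_length=None):
    """Constructed sample: 550x400 px stage (11000x8000 twips), 24 fps, one frame, only an End tag.
    `declared_length` overrides the header's length field so a malformed file can be produced."""
    rect = _pack_bits([(15, 5), (0, 15), (11000, 15), (0, 15), (8000, 15)])  # Nbits, xmin, xmax, ymin, ymax
    body = rect + struct.pack("<HH", 24 << 8, 1) + b"\x00\x00"  # frame rate 24.0 (8.8 fixed), frame count, End tag
    total = 8 + len(body)
    if declared_length is None:
        declared_length = total
    header = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", declared_length)
    return header + (zlib.compress(body) if compressed else body)


def parse_swf_header(data):
    """Validate the fixed header and frame header before trusting any length they carry."""
    if len(data) < 8:
        raise SwfFormatError("file shorter than the 8-byte fixed header")
    signature, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]
    if signature not in (b"FWS", b"CWS"):
        raise SwfFormatError("unknown signature %r" % signature)
    if declared < 8 or declared > MAX_SWF_LENGTH:
        raise SwfFormatError("declared length %d outside the accepted range" % declared)
    expected_body = declared - 8
    if signature == b"FWS":
        body = data[8:]
    else:
        # Bound the decompressor by the declared length so output can never exceed the cap.
        dec = zlib.decompressobj()
        try:
            body = dec.decompress(data[8:], expected_body + 1)
        except zlib.error as exc:
            raise SwfFormatError("corrupt zlib stream: %s" % exc)
        if not dec.eof:
            raise SwfFormatError("compressed body truncated or longer than declared")
    if len(body) != expected_body:
        raise SwfFormatError("declared length %d but file carries %d bytes" % (declared, len(body) + 8))
    if not body:
        raise SwfFormatError("missing frame header")
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then four signed fields
    rect_len = (5 + 4 * nbits + 7) // 8
    if len(body) < rect_len + 4:
        raise SwfFormatError("frame header truncated")
    fields = [_read_bits(body, 5 + i * nbits, nbits) for i in range(4)]
    if nbits:
        fields = [f - (1 << nbits) if f >= 1 << (nbits - 1) else f for f in fields]
    xmin, xmax, ymin, ymax = fields
    if xmax < xmin or ymax < ymin:
        raise SwfFormatError("negative stage size")
    frame_rate, frame_count = struct.unpack_from("<HH", body, rect_len)
    return {
        "compressed": signature == b"CWS",
        "version": version,
        "length": declared,
        "width_px": (xmax - xmin) // 20,
        "height_px": (ymax - ymin) // 20,
        "frame_rate": frame_rate / 256.0,
        "frame_count": frame_count,
    }


def is_well_formed_swf(data):
    """Boolean gate for callers that only need to decide whether to hand a file to a player."""
    try:
        parse_swf_header(data)
        return True
    except SwfFormatError:
        return False


if __name__ == "__main__":
    print(parse_swf_header(build_minimal_swf()))
    print(is_well_formed_swf(build_minimal_swf(declared_length=10)))  # the slide's 'shorter length' case
```

The point of the cap and the bounded decompressor is that the length field decides nothing on its own: a buffer is sized only from bytes that are already in hand, which is the check the affected players skipped.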
Exploits in Flash
- CRLF Injection Vulnerability in Flash Player 9.0.16 (CVE-2006-5330)
  - Remote attackers can modify HTTP headers of client requests and conduct HTTP Request Splitting attacks via CRLF injection in ActionScript functions:
    XML.addRequestHeader("aa%0D%0AFoo: bar"); // adds header Foo: bar
    XML.contentType = "aa%0D%0AFoo: bar";     // adds header Foo: bar
  - Flash does not validate user-supplied content for CRLF.
  - Flash does not have any special-character blacklist.
  - Special chars and binary data are often accepted.
- Malformed SWF File (CVE-2007-0071) Adobe Flash Player
  - Allows remote attackers to execute arbitrary code via unknown vectors related to "input validation errors."
  - Another SWF with a modified header value.
Exploits in Flash
- Insufficient Input Validation Allows CSRF (CVE-2007-3457)
  - Flash insufficiently validates HTTP Referer headers for CRLF.
  - Allows remote attackers to conduct a CSRF attack via a crafted SWF file.
  - 2nd CRLF bug, 2nd HTTP Referer bug!
- Flash Player 9.0.48 HTTP Request Splitting Attack (CVE-2007-6245)
  - Remote attackers can modify HTTP headers for client requests and conduct HTTP Request Splitting attacks.
  - 3rd CRLF bug, 3rd header bug.
- Flash Player Malformed SWF File (CVE-2007-6019)
  - Improper object instantiation allows remote code execution.
  - Modified DeclareFunction2 ActionScript tag.
  - Access an object before it was properly instantiated.
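The three CRLF findings (CVE-2006-5330 on addRequestHeader/contentType, CVE-2007-3457 on the Referer header, CVE-2007-6245) are the same missing check in different call paths. The Python below is an added example, not the player's code: a deliberately naive serializer shows how one percent-decoded value turns into a second header line, and a shape check modelled on RFC 7230 rejects names and values that carry CR, LF, NUL or other control characters. The Host value and the header names are constructed for the example.

```python
import urllib.parse

# Constructed fixed header; everything in `extra` stands for caller-supplied (untrusted) values.
BASE_HEADERS = [("Host", "www.example.com")]

# RFC 7230 'token' characters, the only ones permitted in a header name.
_TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


class HeaderInjectionError(ValueError):
    pass


def naive_request_headers(extra):
    """Unvalidated serialization, the behaviour the affected player had: name/value pairs are joined
    with CRLF and then split back the way a server reads them, so a CRLF inside a value becomes
    an extra header line of the attacker's choosing."""
    raw = "".join("%s: %s\r\n" % (name, value) for name, value in BASE_HEADERS + list(extra.items()))
    return [line for line in raw.split("\r\n") if line]


def is_safe_header(name, value):
    """Name must be a token; value may contain HTAB but no CR, LF, NUL, DEL or other C0 control."""
    if not name or any(ch not in _TOKEN_CHARS for ch in name):
        return False
    for ch in value:
        code = ord(ch)
        if ch != "\t" and (code < 0x20 or code == 0x7F):
            return False
    return True


def check_headers(extra):
    """Return the header names that would split the request; an empty list means the set is clean."""
    return [name for name, value in extra.items() if not is_safe_header(name, value)]


def safe_request_headers(extra):
    """Serialize only after every header passes the shape check."""
    bad = check_headers(extra)
    if bad:
        raise HeaderInjectionError("CRLF or control characters in header(s): %s" % ", ".join(bad))
    return naive_request_headers(extra)


def decode_param(value):
    """The slide's payloads are percent-encoded; the check must run on the decoded text that
    will actually be written to the wire, never on the still-encoded string."""
    return urllib.parse.unquote(value)


if __name__ == "__main__":
    payload = decode_param("aa%0D%0AFoo: bar")
    print(naive_request_headers({"X-Tracking": payload}))   # three lines: the injected Foo: bar appears
    print(check_headers({"X-Tracking": payload}))           # ['X-Tracking']
```

Ordering matters: decoding first and checking second is what makes the check meaningful, because a value that is clean while encoded is exactly the one that splits once the transport layer decodes it.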
Exploits in Flash
- Multiple Cross-Site Scripting Vulnerabilities in Flash ActiveX 9
  - Remote attackers can inject arbitrary web script or HTML via navigateToURL(), asFunction().
  - navigateToURL takes two arguments: URL, browser frame.
  - navigateToURL accepts javascript: URIs and arbitrary browser
  - JavaScript executes in the security context of the named frame!
  - It should execute in the security context of the page that embedded the SWF!
- Evil.swf advert located on myadverts.co.nz is served on
  - JavaScript within evil.swf can execute in the context of
  - All your money is belong to me?
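The ClickTAG bug (2003), the navigateToURL javascript: problem above and the 302-to-file:// redirect (CVE-2002-1467) are all failures to validate a URL scheme before acting on the URL. The Python below is an added example, not code from the page: a scheme allowlist applied after browser-style cleanup of whitespace and control characters, so a leading space, a mixed-case scheme or an embedded newline in "java\nscript:" is caught before the value reaches a navigateToURL/getURL call or is accepted as a redirect target. The URLs and the fallback address are constructed for the example.

```python
import urllib.parse

ALLOWED_SCHEMES = ("http", "https")


def _browser_clean(url):
    """Mimic browser URL pre-processing: strip leading/trailing C0 controls and space, remove
    TAB/CR/LF anywhere. Checking the raw string instead would let "java\nscript:" through."""
    url = url.strip("".join(chr(c) for c in range(0x21)))
    return url.replace("\t", "").replace("\r", "").replace("\n", "")


def safe_navigation_url(url):
    """Return a normalised absolute http(s) URL, or None if the value must not be navigated to.
    Scheme-relative and relative values are refused too: their meaning depends on who embeds the SWF."""
    cleaned = _browser_clean(url)
    parts = urllib.parse.urlsplit(cleaned)          # lowercases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return urllib.parse.urlunsplit(parts)


def resolve_click_tag(flashvars, fallback):
    """Apply the check to a FlashVars-style query string, the way an advert receives its clickTag.
    `fallback` is the advertiser's known landing page, used whenever the supplied value is rejected."""
    values = urllib.parse.parse_qs(flashvars)
    candidate = values.get("clickTag", [""])[0]
    return safe_navigation_url(candidate) or fallback


def safe_redirect_target(location):
    """The same allowlist applied to a Location header before following a 3xx response."""
    return safe_navigation_url(location)


if __name__ == "__main__":
    print(resolve_click_tag("clickTag=http://adnetwork.com/tracking?ex", "http://www.example.com/"))
    print(resolve_click_tag("clickTag=javascript:alert('aaa');", "http://www.example.com/"))
    print(safe_redirect_target("file:///C:/filename.txt"))   # None
```

An allowlist of two schemes is deliberately stricter than a blacklist of javascript: and file:; the page's own history (the same bug recurring in a new variable) is the argument for refusing everything not explicitly expected.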
Exploits in Flash
- Interaction Error Between Adobe Flash and UPnP Services (CVE-2008-1654)
  - Flash can be used to send SOAP XML requests to arbitrary addresses, including internal addresses.
  - How about reconfiguring your modem, using SOAP over unauthenticated UPnP functionality?
  - Example: http://www.gnucitizen.org/blog/hacking-the-interwebs/
  - “Exploiting the BT Home Hub with Flash”
  - Reconfiguring the BT Home Hub primary DNS server remotely through the Flash player, over UPnP.
- 2Wire Modem DDoS Virus
  - Reconfigure the modem to send 10,000 ‘test’ pings to www.cnn.com
- Flash lacks cohesive security ‘zones’ and network sandboxing.
Exploits in Flash
- Mark Dowd – Weaponised Flash NULL Pointer Attack.
  - 25-page paper on exploiting Flash (worth reading, if you're into it):
    http://documents.iss.net/whitepapers/IBM_XForce_WP_final.pdf
  - ‘The Inhuman Flash Exploit’
  - Unvalidated user-supplied value used as the memory allocation size.
  - NULL pointer returned when the allocation size is greater than 2 GB.
  - Returned value + user-supplied offset used in a memory write.
  - Append malicious ActionScript byte code to valid Flash byte
  - Bypass the internal Flash verifier.
  - Native code execution inside the ActionScript VM.
  - Internet Explorer, FireFox, Vista, XP = owned.
Statistical Analysis of Flash
- Brief Highlights of Flash Security Advisories.
  - Too many advisories to detail each one.
  - 54 advisories since 2001
  - 2003-2006: ActionScript 2
  - 2006-Today: ActionScript 3
- More Functionality = More Exploits
Statistical Analysis of Flash
- Most Common Bugs?
  - File Format Validation = Malformed Flash Files
  - Browser Input Validation = XSS, CSRF, etc.
  - ActionScript API = Native Flash Functionality
  - SandBox Violation = Escaping The Flash SandBox
Statistical Analysis of Flash
- How Many Of Those Bugs Can Be Used To Execute Code?
  - 48% of Flash vulnerabilities have been exploited to gain code
  - Weaponised Flash exploits are not uncommon.
  - Flash is not compiled with ASLR (/DYNAMICBASE) support.
Exploits In Flash
- Common trends:
  - Flash has poor SWF file format validation.
  - User-supplied values are frequently used in memory calculations.
  - The majority of vulnerabilities stem from file format validation bugs.
  - Malicious Flash is most likely to be ‘malformed’.
  - Adobe/Macromedia have a poor Security Development LifeCycle.
  - Flash contains basic vulnerabilities: XSS, CRLF, stack overflows.
  - Vulnerabilities repeat themselves, often! Adobe do not learn.
  - The ActionScript API is being used natively as an attack vector.
  - The Flash security sandbox has been escaped three times!
  - The Flash ActiveX plug-in has the most issues.
  - Flash security flaws have increased drastically.
  - Almost half of vulnerabilities allow code execution!
Exploits In Flash
- The Flash ActiveX Plug-in has the most issues.
  - Twice as many as the FireFox plugin.
- Flash Security Flaws have Increased Drastically.
  - Almost half of vulnerabilities allow code execution!
  - New method of native Flash VM code execution (Mark Dowd’s).
- 2008?
  - ActionScript 4 is likely 2 years away (based on past history).
  - Flash will grow: more functionality, bigger API.
  - Competing with Silverlight (Microsoft’s Flash).
  - Expect more Flash bugs.
Exploits In Flash
- Possible Exploitation Scenario.
  - Evil Hacker finds a .SWF file format validation bug.
  - Stack overflow, code execution.
- The Exploit:
  - Legitimate Flash ‘advert’ created with exploit code.
  - Exploit only triggered if (date > two weeks time).
  - Evil Hacker buys $250 of advertising for the malicious SWF file.
- You:
  - Monday morning, you visit xyznews.co.nz, Flash banner adverts.
  - Today is > two weeks since the campaign launched.
  - Exploit code is served from the Flash advert, remote code exec.
  - Everything looks normal, nothing crashes, but you're owned.
  - Case of the Monday’s?
Exploits In Flash
- Recommendations:
  - Keep Flash up to date; updates fix critical bugs.
  - Disable Flash on critical systems.
  - Implement browser virtualisation.
    - Risk mitigation.
    - FireFox/IE inside VMWare.
  - Be wary of arbitrary Flash content.
  - A Flash virus/worm is just a matter of time.