Flash Application Security Series [1] -- 360 reflective cross-site

360 a Flash application has a vulnerability that may cause cross-site scripting attacks.
Before everything starts, Let's explain several basic problems.

1. How SWF is embedded into an HTML page
Here, embedding refers to a webpage that contains SWF media files, usually in the form of an embed or object tag. When SWF is embedded in HTML, the embed or object tag usually contains several specific attributes, including allowScriptAccess and allowNetworking.
AllowScriptAccess controls the level of communication between SWF files and HTML pages. The communication mentioned here includes, but not limited to, executing JavaScript by SWF, but also calling APIs reserved by SWF from JS.
AllowScriptAccess has the following three values:
Always allows any SWF file to communicate with HTML pages.
Never prohibits any SWF file from communicating with HTML pages.
Samedomain communication is allowed only when the SWF file comes from the same domain as the HTML page.
If allowScriptAccess is not specified, samedomain is the default value.

AllowNetworking controls the level of communication between SWF files and WEB files. The communication mentioned here is basically sending and reading resource files on the network, and controlling browser page navigation.
AllowNetworking has the following three values:
All has no restrictions.
Internal disables the function that controls browser page navigation.
None Disables any network communication.
If allowNetworking is not specified, all is the default value.

2. What happened when I opened the SWF file directly?
If you open the SWF file directly, you can use the IE developer tool or Firebug to view the DOM source code. In fact, you still open an HTML page with only one line of code:
<Embed type = "application/x-shockwave-flash" src = "[swf url]" name = "plugin" height = "100%" width = "100%">
We have already discussed two basic attributes, which are not specified here. Flash Player automatically obtains the default value: allowScriptAccess = samedomain & allowNetworking = all.

After understanding the above two points, we can answer the following confusing questions:

-The html page of a.com contains a B .com xss.swf. Which domain is the script execution domain?
-A.com because swf cannot execute JS, we can see that the JS executed by him is actually implemented by flash player by calling js that carries his html page, so it is a.com.

-The html page iframe of a.com contains a B .com xss.swf. Which domain is the script execution domain?
-B .com: iframe has a swf. In fact, iframe has an HTML page with only one line of code. The field of the html page is B .com, so the execution domain of the script is B .com.

-A.com/load.swf: can I directly open http://www.2cto.com/load.swf? Url = http:// B .com/xss.swf, can I execute scripts?
-No. Because SWF is directly opened, its allowscriptaccessis samedomain, and the xss.swf domain is B .com, JavaScript cannot be executed.

The following script functions can be executed in Flash:

GetURL (AS2)/navigateToURL (AS3)
Flash. external. ExternalInterface. call (methodName: String, [parameter1: Object])

We only need to search for keywords such as getURL/navigateToURL/ExternalInterface. call, and then find some basic XSS vulnerabilities if the reverse trace variable is controllable.

Taking the swf of 360 as an example,

Search for ExternalInterface. call. We found the following code.

Public static function initLanguage (): void
{
Var _ loc_1: * = null;
Param. language = {};
If (ExternalInterface. available)
{
_ Loc_1 = ExternalInterface. call (Param. jsLang );
If (_ loc_1! = Null)
{
Param. language ["CX0189"] = _ loc_1 ["CX0189"];
Param. language ["CX0193"] = _ loc_1 ["CX0193"];
_ Loc_1 = null;
}
}
Return;
}

Back to Param. jsLang

This. parameter = this. loaderInfo. parameters;
...
Param. jsFunc = this. parameter ["jsfunc"];
...
Param. initLanguage ()

In this example, loaderinfo.parameters.pdf accepts flashvars+a.swf? A = va & B = input variables and values in vb format.

Here we open http://wan.360.cn/swf/avatar.swf? Jslang = alert (1)

 

Here we may have another question, in the official help document, flash. external. externalInterface. call can accept two parameters. The first parameter is methodName and the second parameter is the variable to be passed in. For the above poc, the correct call method should be flash. external. externalInterface. call ("alert", "1") is why flash. external. externalInterface. call ("alert (1)") can also be successful.

Open the ie debugging tool and borrow the demo on 80vul.com to see what happened when swf executes Javascript.

First open the http://www.80vul.com/xss.swf? A = alert & B = 1

 

Try {_ flash _ toXML (alert ("1");} catch (e) {"<undefined/> ";}
_ Flash _ toXML is a function that encodes the result of function execution and returns it to SWF. A Fault-Tolerant statement is nested outside. It seems that everything is the same as expected.

Open the http://www.80vul.com/xss.swf again? A = alert (2) & B = 1

 

Try {_ flash _ toXML (alert (2) ("1");} catch (e) {"<undefined/> ";}
JS executes alert (2) first. The dialog box is displayed.
Step-by-Step

 



 

The alert function has no return value. alert (2) ("1") has an error, so it jumps to the catch statement.

In this way, we can explain why javascript can be executed even if it is not called according to the methods described in adobe documentation, as this will cause an error, SWF cannot receive the value returned by JS, so in some specific circumstances, we need to make further changes to the inserted function, such
Http://www.80vul.com/xss.swf? A = (function (_ a) {alert (_ a); return function (_ z) {prompt (2, 3)}; return 5}) (1) & B = 4
In this way, SWF can receive the return value 5 that we can construct at will.

Original SWF download: http://swfpoc.appspot.com/vul/wan.360.cn_swf_avatar.swf

Solution:

In regular expression matching, only [a-zA-Z \.]