Flash Application Security Series [5]: Persistent QQ Mail Hijacking Vulnerability

Source: Internet
Author: User
Tags: subdomain

QQ Mail does not strictly restrict cross-origin requests, which can allow persistent hijacking of a user's mailbox.

In the browser's security model, the Same-Origin Policy (SOP) is the most fundamental part. It determines which resources on the web a script may access and which requests are refused.

Without the HTML5 Access-Control-Allow-Origin header, a script running on A.com cannot directly read resources on B.com, so we would normally look for a cross-site vulnerability to bypass the SOP. However, Flash Player, installed in the browser as a third-party plug-in, has its own cross-domain model that sidesteps the SOP: as long as the other site's crossdomain.xml permits it, an SWF hosted on B.com can read resources on A.com. Let us look at the crossdomain.xml of QQ Mail:

    <cross-domain-policy>
      <allow-access-from domain="*.qqmail.com"/>
      <allow-access-from domain="*.qq.com"/>
    </cross-domain-policy>

Wildcards are used, so an SWF hosted on any subdomain of qq.com can read resources on mail.qq.com. Now we need somewhere under *.qq.com where an SWF can be uploaded. Because an SWF can execute JavaScript, uploading an SWF is equivalent to running script in the hosting domain, so few sites allow SWF uploads; there are, however, many places that accept JPG uploads. Flash Player does not care about the file extension of an SWF, so all that is needed is an upload point that accepts a JPG without verifying that the file is actually a valid image, for example act.news.qq.com/show_umodify.php.

When mail forwarding is configured, QQ checks the sid in the POST data. However, this sid is also carried in the URL, so it can easily be obtained from the Referer header sent to an external domain. And since we can now read data on mail.qq.com, we can directly read mail.qq.com/cgi-bin/login?vt=passport&vm=wsk&delegate_url= to obtain the sid. Besides the token, checking the Referer header is another commonly used CSRF defence. Testing shows that QQ Mail does perform this check here and drops requests from external domains outright, but all requests sent from a qq.com subdomain are accepted, and our SWF is also hosted under a qq.com subdomain, which satisfies the condition.

PoC source: qqmail.csrf.as (http://swfpoc.appspot.com/source/qqmail.csrf.as)
Solution:

Modify crossdomain.xml? And what about the Referer check?
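As an added example (not part of the original write-up and not Tencent's code), a small Python audit of the policy quoted above: it flags the wildcard entries, shows a tightened policy whose exact host names are assumptions, and includes the magic-byte check an upload handler would use to reject SWF content disguised as a JPG.

```python
import xml.etree.ElementTree as ET

# Policy as quoted in the write-up above (the two wildcard entries).
QQMAIL_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.qqmail.com"/>
  <allow-access-from domain="*.qq.com"/>
</cross-domain-policy>"""

# Hypothetical tightened policy (an assumption, not the vendor's actual fix):
# list only the exact hosts that really need to load the mail API from Flash.
TIGHTENED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="mail.qq.com"/>
  <allow-access-from domain="static.mail.qq.com"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return (domain, severity, reason) for every allow-access-from entry.

    "high" for "*" or any "*.example" wildcard: one SWF uploaded anywhere
    under that pattern can read this origin's data with the victim's cookies.
    "medium" for secure="false", which lets http:// SWFs read https:// content.
    "ok" for an exact host name.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower() == "true"
        if domain == "*":
            findings.append((domain, "high", "any origin may read responses"))
        elif domain.startswith("*"):
            findings.append((domain, "high",
                             "every subdomain, including upload hosts, may read responses"))
        elif not secure:
            findings.append((domain, "medium", "secure=false allows http->https reads"))
        else:
            findings.append((domain, "ok", "exact host"))
    return findings


def is_swf(data):
    """True if the bytes start with a SWF header (FWS plain, CWS zlib, ZWS LZMA).
    An upload handler should reject such content whatever the file extension."""
    return data[:3] in (b"FWS", b"CWS", b"ZWS")


if __name__ == "__main__":
    for domain, severity, reason in audit_crossdomain(QQMAIL_POLICY):
        print(f"{severity:6} {domain:14} {reason}")
```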
