Archive for August, 2009

Aug 20 2009

Adobe Flex 3.3 SDK DOM-Based XSS

Published by Bix under Application Security

I just released an advisory to Bugtraq regarding a DOM-Based XSS bug in the Adobe Flex 3.3 SDK and earlier versions. I notified the vendor back on June 29, 2009 and they released the fix on August 19th. If you would like more information, you can view their security bulletin and their TechNotes.

Overview

Adobe Flex is a software development kit released by Adobe Systems for the development and deployment of cross-platform rich Internet applications based on the Adobe Flash platform. An instance of a DOM-based Cross Site Scripting (XSS) vulnerability was found in the default index.template.html file of the SDK, which is a template used by FlexBuilder to generate the wrapper HTML for all application files in your project. The XSS vulnerability appears to affect all users who download and utilize this HTML wrapper. For more information on DOM-based XSS visit OWASP’s site.

Technical Details

File: index.template.html

1) Data enters via URL parameters through the window.location JavaScript object, is then stored in the MMredirectURL variable, and is passed to the AC_FL_RunContent() function.

Line 59:
..snip..
var MMredirectURL = window.location;
..snip..

Line 63:
AC_FL_RunContent(
..snip..
"FlashVars", "MMredirectURL=" + MMredirectURL + '&MMplayerType=' + MMPlayerType + '&MMdoctitle=' + MMdoctitle + "",
..snip..

2) The MMredirectURL variable with user-controllable input is passed to AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. Writing the unvalidated data to HTML creates the XSS exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
  var ret =
    AC_GetArgs
    ( arguments, ".swf", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
    , "application/x-shockwave-flash"
    );
  AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}

Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs)
{
  var str = '';
  if (isIE && isWin && !isOpera)
  {
    str += '<object ';
    for (var i in objAttrs)
      str += i + '="' + objAttrs[i] + '" ';
    str += '>';
    for (var i in params)
      str += '<param name="' + i + '" value="' + params[i] + '" /> ';
    str += '</object>';
  } else {
    str += '<embed ';
    for (var i in embedAttrs)
      str += i + '="' + embedAttrs[i] + '" ';
    str += '> </embed>';
  }
  document.write(str);
}

NOTE: For the exploit to work, the end user must have installed an older version of Adobe Flash than the value that is set in the Globals variable “requiredMajorVersion” (Line 36).
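The following is an added example (hypothetical helper functions, not code from the Flex SDK, the advisory or Adobe's TechNotes) that places the raw FlashVars concatenation shown above beside an attribute-encoded version and renders both through the same <param> construction that AC_Generateobj uses, so the difference in the resulting markup can be checked directly.

```javascript
// Added example (hypothetical helpers, not Flex SDK code): the wrapper above
// concatenates window.location straight into the FlashVars value that
// AC_Generateobj later hands to document.write. A raw builder and an
// attribute-encoded builder are rendered the same way and compared.

// Encode a value so it cannot terminate a double-quoted HTML attribute
// or open a new tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Mirrors the vulnerable pattern: the URL-derived value is used as-is.
function buildFlashVarsRaw(redirectUrl, playerType, doctitle) {
  return 'MMredirectURL=' + redirectUrl +
         '&MMplayerType=' + playerType +
         '&MMdoctitle=' + doctitle;
}

// Hardened variant: each component is encoded for the attribute context,
// so the markup structure stays fixed by the template.
function buildFlashVarsSafe(redirectUrl, playerType, doctitle) {
  return 'MMredirectURL=' + escapeAttr(redirectUrl) +
         '&MMplayerType=' + escapeAttr(playerType) +
         '&MMdoctitle=' + escapeAttr(doctitle);
}

// Renders one <param> tag the way the IE branch of AC_Generateobj does.
function renderParam(name, value) {
  return '<param name="' + name + '" value="' + value + '" /> ';
}

// A correctly rendered single <param> contains exactly one '<'; any extra
// '<' means the value escaped the attribute and started a new tag.
function breaksAttribute(markup) {
  return (markup.match(/</g) || []).length > 1;
}

// Constructed sample location carrying a quote and a tag in its query string.
const sampleLocation = 'http://FlexApp/Flex/index.template.html?"/><b>x';

console.log(breaksAttribute(renderParam('FlashVars',
  buildFlashVarsRaw(sampleLocation, 'ActiveX', 'App'))));   // true
console.log(breaksAttribute(renderParam('FlashVars',
  buildFlashVarsSafe(sampleLocation, 'ActiveX', 'App'))));  // false
```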

Proof-of-Concept Exploit

This vulnerability can be exploited against any Flex based application that uses the index.template.html wrapper page containing the code above. In order to exploit this issue, the end user must have Adobe Flash installed, but it must be an older version than the required one set by the application owner (set in Globals variable “requiredMajorVersion”).

Reproduction Request:

http://FlexApp/Flex/index.template.html?"/></object><XSS attack string goes here>

Recommendation

Update to Flex 3.4 SDK or view Adobe’s TechNotes on how to manually fix the issue.


Aug 19 2009

SQL Injection used in Heartland, 7-Eleven and Hannaford Breaches

Published by Justin Clarke under Application Security

Having recently seen our book SQL Injection Attacks and Defense come out, it is timely indeed to read, in the news of the recent indictment of Albert Gonzalez, that SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven, and Hannaford Brothers breaches, as well as in those of two other unnamed victim companies.

So how can SQL Injection, which is an application level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database, and therefore if something is possible on the database server it may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users – all too often though, some of this functionality can be abused by malicious individuals.

Making some assumptions, it's likely that something like the following occurred:

  1. It was possible to interact with the underlying operating system in some way using SQL Injection. This could have been through the ability to execute operating system commands (such as through the well known xp_cmdshell stored procedure on Microsoft SQL Server), or through the ability to stage content to the database server (or filesystem) and then have it compiled to executable content.
  2. With the ability to execute content at the operating system layer, access was consolidated by providing some form of alternative control channel or remote access to the database server.
  3. With consolidated access to the database server, the attacker used the database server as a foothold to go further into the organization.

These types of hybrid attacks where one type of attack is dovetailed or launched over another are becoming increasingly common. Another SQL Injection hybrid attack of recent note was the SQL Injection mass attacks that started in early 2008. These used SQL Injection in another way – to inject links to JavaScript malware into thousands of unsuspecting vulnerable sites. It just goes to prove that even if a vulnerability is over 10 years old, it still has some new tricks to be seen.


Aug 13 2009

SPF Moves to CodePlex

Published by Brian Holyfield under Tools

Just a quick post to let everyone know that with the release of v1.0.5, SPF has officially gone open-source. The code (and most recent binary distribution) are now available from CodePlex and have been released under the GPL license.

The decision to open-source SPF was an easy one. The biggest factor preventing several companies from implementing SPF in their production environment was the fact that it was neither commercially supported nor open source. By moving SPF to an open source licensing model, more companies will have the option to experiment and hopefully use SPF to protect their web applications.

The CodePlex platform also provides public issue tracking and a discussion forum that will hopefully benefit the SPF user base going forward. Enjoy!
