Break the Flash!

This blog post is all about Flash files and finding vulnerabilities in them. Flash is everywhere and is often vulnerable. There are plenty of crappy, formal definitions of Flash all over the internet, so I'm not going to repeat them here. In short, Flash is a framework used to create rich applications such as vector graphics, animations, games, videos, etc.

Flash is developed in ActionScript. The ActionScript API can be split into two streams: Web Flash Content and Standalone Flash. We only care about Standalone Flash (the most popular one). Standalone Flash allows developers to compile all items (images, components, logic/scripts) into a single file, known as a .swf file.

The logic behind Flash files can be viewed and modified with the help of any Flash decompiler. I prefer JPEXS Flash Decompiler because it is open source and has an easy-to-use interface.

Note:

Flash runs in browsers that have native support for Adobe products. IE can run Flash, whereas modern browsers such as Chrome and Firefox cannot run Flash unless an extension/plugin is installed.

Flash is client-side, meaning everything related to a Flash file lives in the browser. Anyone can download the Flash file, decompile it, view the source code and modify it.

Before showing the actual demo, I want to give some quick info about reflected cross-site scripting.

1. Aka Reflected XSS.
2. It is a client-side attack where an attacker gets malicious scripts (also called payloads) executed in the context of a legitimate website.
3. In our case, we are placing JavaScript in the URL and getting it executed to do some cool stuff.

Let's break the demo Flash files (which I got from the Flashbang repo on GitHub).

Let's Break Flash Files I - aflax.swf

Source Code Analysis - Issue Identification:

Explanation:

The ExternalInterface.call method is handed a value that comes from the user (passed via the URL). Here the variable 'callback' is passed through without any validation or filtering.

Payload:

?callback=alert("Oops! You are Hacked.")

Screenshot of JPEXS Decompiler — aflax.swf
Exploit Demo I - aflax.swf

Let's Break Flash Files II - xss.swf

Source Code Analysis - Issue Identification:

Explanation:

loaderInfo.parameters loads data from the URL. Here the parameters 'a' and 'c' are not validated: parameter 'a' can select any action method and 'c' can carry anything.

Payload:

?a=eval&c=alert("Congrats! you won 500 dollars")

?a=open&c=http://www.google.com

Screenshot of JPEXS Decompiler - XSS.swf
Exploit Demo II - xss.swf
Exploit Demo III - xss.swf

Some of the unsafe methods and properties to check for:

loadVariables()
loadMovie()
getURL()
LoaderInfo.parameters
LoadVars.load()
LoadVars.send()
ExternalInterface.call()
flash.external.ExternalInterface.call()
XML.load()
LoadVars.load('url')
NetStream.play('url')

Steps to Break Flash Files

1. Download .swf files
2. Decompile them to a readable format
3. Read thousands of lines of source code
4. Check for vulnerabilities
5. Exploit

PS: Easier said than done :-/

Best way - Automate:

1. Fix a target and find all its subdomains (use sublist3r.py / dnsdumpster.com)
2. Find all .swf files on those subdomains (use dirbuster)
3. Create a bot to download all the .swf files (use Python with the Selenium package)
4. Then run the automation tool I created, Flash_Breaker
5. Now check the findings and try to exploit :)
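The "read thousands of lines" step and the list of unsafe methods above can be reduced to a first-pass taint check over decompiled ActionScript. The script below is an added example, not Flash_Breaker or any code from the post: it tracks values that originate from loaderInfo.parameters, _root or _level0 through assignments and reports every listed sink that receives one. The ActionScript it scans is constructed here to mirror the aflax.swf pattern and is not taken from the Flashbang repo.

```python
import re

# Dangerous sinks named in the post, in their AS2/AS3 spellings.
SINKS = ("ExternalInterface.call", "getURL", "loadMovie", "loadVariables",
         "LoadVars.load", "LoadVars.send", "XML.load", "NetStream.play")
# Ways query-string / FlashVars data enters a movie (AS3 and AS2 forms).
SOURCE_RE = re.compile(r"loaderInfo\.parameters|\b_root\.\w+|\b_level0\.\w+")
ASSIGN_RE = re.compile(r"(?:var\s+)?(\w+)(?::\w+)?\s*=(?!=)\s*(.+?);")
SINK_RE = re.compile("(" + "|".join(re.escape(s) for s in SINKS) + r")\s*\((.*)\)")

def audit(source: str) -> list:
    """Return [{'line', 'sink', 'tainted'}] for sink calls fed by URL data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = re.split(r"(?<!:)//", line)[0]        # drop // comments, keep http://
        m = ASSIGN_RE.search(code)                    # propagate taint via assignment
        if m:
            name, expr = m.group(1), m.group(2)
            if SOURCE_RE.search(expr) or any(
                    re.search(rf"\b{t}\b", expr) for t in tainted):
                tainted.add(name)
        s = SINK_RE.search(code)                      # does a sink receive taint?
        if s:
            sink, args = s.group(1), s.group(2)
            hits = sorted(t for t in tainted if re.search(rf"\b{t}\b", args))
            if SOURCE_RE.search(args):                # URL data passed in directly
                hits.append("<url parameter>")
            if hits:
                findings.append({"line": lineno, "sink": sink, "tainted": hits})
    return findings

# Constructed decompiler-style output: an AS3 class in the aflax.swf pattern, then an AS2 fragment.
SAMPLE = """package {
    import flash.external.ExternalInterface;
    public class aflax extends Sprite {
        public function aflax() {
            var callback:String = root.loaderInfo.parameters["callback"];
            var safe:String = "ready";
            ExternalInterface.call(callback, "data");
            ExternalInterface.call(safe);
        }
    }
}
var target = _root.c;
getURL(target);
"""
if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['sink']} receives {f['tainted']}")
```

A hit is a review item rather than a confirmed bug, because the script does not model validation; the fix it points at is an allowlist check on the parameter before the sink call.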

References: