Adobe released Flash security update on Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code.
The flaw makes it possible for hackers to steal the cookies that authenticate returning users on sites like eBay, Twitter, Tumblr, and thousands more. Spagnuolo says that so far, no tools have been made public to exploit the flaw.
This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented.
This led website owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.
The attack relies on behavior that has existed for years and allows the binary contents of a common Shockwave file (a throwback term for Flash files, which are better known simply as SWF) to be converted into an equivalent file consisting solely of alphanumeric characters.
The conversion typically compresses a SWF file so that it works with websites that use a technique known as JSONP (JSON with padding) to set browser cookies and perform other tasks.
The attack scenario, from Miki:
To understand the attack scenario it is important to take into account the combination of three factors:
- With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it, with no crossdomain.xml check. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.
- JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL. Since most JSONP callbacks restrict the allowed charset to [a-zA-Z], _ and ., my tool focuses on this very restrictive charset, but it is general enough to work with different user-specified allowed charsets.
- SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file.
Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain.
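As an added illustration (not code from the original article or from Spagnuolo's Rosetta Flash tool), the following Python sketch contrasts a JSONP endpoint that only whitelists the callback charset with one that also prepends a fixed `/**/` prefix, the mitigation adopted for this issue, so that the attacker never controls the first bytes of the reflected response. The `CWS...` callback string is a constructed stand-in that merely starts with the zlib-SWF signature and is not a real alphanumeric SWF; the header set is an assumed hardening configuration.

```python
import re

# Charset most JSONP endpoints allow for the callback name (letters, "_" and ".",
# as the post notes); digits are also accepted after the first character here.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

# Byte signatures a Flash player accepts at offset 0 of a SWF file:
# uncompressed, zlib-compressed and LZMA-compressed respectively.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def is_allowed_callback(name: str) -> bool:
    """Charset whitelist alone: necessary, but NOT sufficient against Rosetta Flash."""
    return bool(CALLBACK_RE.fullmatch(name))


def naive_jsonp(callback: str, json_payload: str) -> bytes:
    """Unhardened endpoint: the attacker-chosen callback forms the first bytes."""
    if not is_allowed_callback(callback):
        raise ValueError("callback rejected")
    return f"{callback}({json_payload});".encode()


def hardened_jsonp(callback: str, json_payload: str) -> bytes:
    """Hardened endpoint: the fixed prefix means the output can never begin
    with a SWF signature, so Flash will not treat the reflection as a SWF."""
    if not is_allowed_callback(callback):
        raise ValueError("callback rejected")
    return f"/**/{callback}({json_payload});".encode()


def hardened_headers() -> dict:
    """Assumed header set to send alongside the prefix on JSONP responses."""
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }


def looks_like_swf(body: bytes) -> bool:
    """Detection check for a response body: does it start with a SWF magic?"""
    return body[:3] in SWF_MAGICS


# Constructed stand-in for an alphanumeric-only SWF: it only starts with the
# "CWS" signature and passes the charset check. It is not a valid SWF.
FAKE_ALPHANUM_SWF_CALLBACK = "CWSaBcDeFgHiJkLmNoP"

if __name__ == "__main__":
    payload = '{"user":"alice"}'
    print(looks_like_swf(naive_jsonp(FAKE_ALPHANUM_SWF_CALLBACK, payload)))     # True
    print(looks_like_swf(hardened_jsonp(FAKE_ALPHANUM_SWF_CALLBACK, payload)))  # False
```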
If you get a popup asking you to update Adobe in the next few days, don't ignore it. And if you use any of the above-mentioned sites, maybe keep a close eye on your accounts. Or, better yet, maybe try disabling Flash altogether.
Author: Venkatesh Yalagandula