iSEC Partners – https://www.isecpartners.com
Exploiting Rich Content
An assessment of file formats used by Rich Internet Applications
Why present?
– Everyone is exposed to RIA
– Many vulnerabilities found during testing are dismissed as harmless bugs
– Vendor testing should be tailored to detect a wider variety of software threats
Initial Research
– Reviewed and used popular Rich Internet
Application Technologies
– Chose Adobe Flash as target of audit due to
high deployment and rich feature offering
Overview
– Adobe Flash Introduction
– Testing Methodology
– Testing Results
Adobe Flash
Adobe Flash Introduction
Most widely deployed software technology (estimated 99% of computer systems; runs on all major operating systems)
Millward Brown Survey: http://www.adobe.com/products/player_census/flashplayer/
Adobe Flash Introduction - cont
– Delivered using the SWF file format through markup (i.e. HTML), but can also be delivered directly to the user
– Developers use Flash to deliver rich web applications in the fields of entertainment, marketing, online gaming and many others
– The recent introduction of Flex and AIR permits the development of even richer applications
SWF File Format
– Supports 64 tag types (as of Player 9)
– Tags are organized top down and have a TLV (type, length, value) structure
– Many tags also support sub-types of varying depth and complexity
File layout:
SWF Header
SWF Tag
SWF Tag
SWF Tag
…
End Tag
Flash Terminology
• Stage
– When working in a Flash development environment this is the large
white rectangle where your content will render and be displayed
• Timeline
– The timeline is a linear representation of the frames within a movie.
Flash developers typically manage frames and frame contents using the
timeline
• Assets
– An asset is any item that a developer will use or reference in a Flash
movie. Some examples of assets are fonts, images, text strings, and
any embedded content
ActionScript
– Originally developed by Macromedia, later
through acquisition became property of
Adobe in 2005
– Designed initially for simple animation but
has since been extended to offer rich
functionality
– Based on ECMAScript standard therefore
very similar to JavaScript
ActionScript 2.0
– Supported by all popular Flash players
– Script is compiled into ActionRecord(s)
– Records are stored in a DoAction tag
– The Action Record stream is terminated with a record of type ActionEnd
File layout:
SWF Header
DoAction
  ActionRecord
  ActionRecord
  ActionRecord
  …
  ActionEnd
ShowFrame
EndTag
GetURL Sample (Source)
The simple example below, when added to the first frame of a new movie, will redirect the user to the iSEC Partners website:
getURL("http://www.isecpartners.com");
GetURL Sample (Compiled)
SWF Header
FileAttributes
SetBackgroundColor
DoAction
ActionGetURL
ActionEnd
ShowFrame
EndTag
TextField Sample (Source)
When added to the first frame of a new movie, the code below will create a text field displaying the string “Hello World”:
createTextField("tf", 1, 10, 10, 400, 100);
tf.text = "Hello World\n";
TextField Sample (Running)
TextField Sample (Compiled)
SWF File (RBB.SWF) layout:
…
DoAction
  ActionConstantPool
  ActionPush
  ActionCallFunction
  ActionPop
  ActionPush
  ActionGetVariable
  ActionPush
  ActionSetmember
  ActionEnd
ShowFrame
SWF End
ActionConstantPool:
USHORT Length - 0x28
USHORT Count - 0x4
Constant[0] - “tf”
Constant[1] - “createTextField”
Constant[2] - “text”
Constant[3] - “Hello World!”
TextField Sample (Compiled)
Push arguments for the call to createTextField:
createTextField("tf", 1, 10, 10, 400, 100);
ActionPush
UBYTE ActionCode = 0x88
USHORT Length = 0x28
USHORT Count = 0x4
TypeConstant[0] {
  UBYTE Type = 0x7
  LONG Integer = 0x64 (100)
}
TypeConstant[1] {
  UBYTE Type = 0x7
  LONG Integer = 0x190 (400)
}
…
TypeConstant[5] {
  UBYTE Type = 0x8
  LONG Integer = 0x0
}
… (argument count)
… (function name)
TextField Sample (Compiled)
Call function createTextField and clean up the stack:
ActionCallFunction
UBYTE ActionCode = 0x88
USHORT Length = 0x0
ActionPop
UBYTE ActionCode = 0x88
USHORT Length = 0x0
TextField Sample (Compiled)
Get context for variable “tf”:
ActionPush
UBYTE ActionCode = 0x96
USHORT Length = 0x2
TypeConstant[0] {
  UBYTE Type = 0x8
  LONG Integer = 0x0 (“tf”)
}
ActionGetVariable
UBYTE ActionCode = 0x96
USHORT Length = 0x0
TextField Sample (Compiled)
ActionPush
UBYTE ActionCode = 0x96
USHORT Length = 0x4
TypeConstant[0] {
  UBYTE Type = 0x8
  LONG Integer = 0x2 (“tf”)
}
TypeConstant[1] {
  UBYTE Type = 0x8
  LONG Integer = 0x3 (“Hello World”)
}
ActionSetMember
UBYTE ActionCode = 0x4F
USHORT Length = 0x0
Assign a value to a structure member, e.g. tf.text = "Hello World"
Summary
• Constants are defined in a string table
• These can be later referenced by an id and inserted onto the stage
• In ActionScript 2.0 this is accomplished with ActionRecord(s) which
are stored in a DoAction SWF tag
Testing Methodology
Testing Methodology
– Manual Testing
– Reverse Engineering
– Fault Injection
Manual Testing
– Binary Editor SWF Template
• Developed by Josh Zelonis
• Breaks down SWF contents and allows on
the fly editing and testing of Flash movies
010 Editor
SWF Template
• Breaks down the SWF file structure within 010 Editor
• Allows for on-the-fly dissection and alteration of SWF files
Manual Testing
– Flash CS3 Professional
• Created ActionScript to examine the compiler's output using the Binary Editor template and gain an in-depth understanding of the ActionScript compiler
Flash CS3 Professional (screenshot: ActionScript window, stage editor, toolbar)
Reverse Engineering
– Determine which features are in fact
supported by the target decoder
– Determine implementation of security policy
enforcement component
– Look for vulnerabilities to exploit
FlashFire
– Gather Input
– Survey Input
– Mutate Input
– Instrument Process
– Monitor Process
– Event Driven Fault Injection (EDFI)
– Post Mortem bug Analysis (PMA)
FlashFire – Gather Input
– Files are collected from the internet using the Google SOAP API
– Files are then cataloged by unique MD5
FlashFire – Survey Input
– During a testing session input is surveyed
and only files with targeted content are
supplied to FlashFire
– Chosen files are reviewed, relevant regions
in the file are marked as good candidates
for mutation
FlashFire – Mutate Input
– Batches of files are retrieved from the
catalog and for each iteration of testing a file
is pulled from the batch and mutated
– The file is mutated by injecting a variety of
faulty input
FlashFire – Process Instrumentation
– Prior to fault injection a series of locations in
the target process are instrumented through
breakpoints to detect their execution
– These locations correlate to events that are
required to synchronize fault delivery
FlashFire – Process Monitoring
– Faults are injected into the file input, which is then loaded into the target application
– Tightly correlated events allow much faster fault injection and more refined detection of application failure
Event Driven Fault Injection (EDFI)
• What is it?
– Tight coupling between fault injection and target application that is
accomplished using instruction tracing, breakpoints and hooking.
– Allows for correlation of events useful to fault injection
• Pros
– Able to determine distance traveled by mutated data in application
– Able to determine failure of input delivery
– Able to catch even the slightest application failures
– Makes Fault Injection very, very fast
• Cons
– Requires reverse engineering of closed source targets
FlashFire – Post Mortem Analysis
– Failures detected in the target application are cataloged with the input that triggered the failure, the process context at the time of failure, and a description of the fault injected to trigger it
– ProcessSession.py (Python script) was written to process all log data and samples recorded during sessions and create a final report deliverable for the vendor
Demonstration
FlashFire
Summary
– 3 million injections in 36 hours of testing
– 23 unique vulnerabilities identified
– 785 unique paths to vulnerable code sequences were identified
Test Results
Read Beyond Bounds – 67%
Null Pointer – 21%
Uninitialized Data – 8%
Other – 4%
Safe or not?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct
{
    int len;
    void *data;
} BLOCK;
…
char *url = NULL;

int GetElement(BLOCK *blk)
{
    /* Only an upper bound is checked: len is a signed int, so a negative value
       passes, and nothing confirms that blk->data really holds blk->len bytes. */
    if(blk->len > 2048)
    {
        printf("Invalid block size!\n");
        return -1;
    }
    url = (char *)calloc(blk->len,1);   /* NULL return unchecked; the previous url is never freed */
    memcpy(url, blk->data, blk->len);   /* copies len bytes from blk->data regardless of its real size */
    return 0;
}
Read Beyond Bounds
• Occurs when a piece of code reads beyond the bounds of the data element it is intended to read
• Very common in code that deals with complex binary structures
• Since the reading of data is often overlooked, software is often riddled with these vulnerabilities
Dangers when:
– Compartment chain is not verified
  • Nested lengths [A] [B] [C] Len, e.g.
    1.) C.Len > B.Len
    2.) (C.Len + B.Len) > A.Len
– Skip and continue vs. skip and fail
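An added example that is not part of the original slides: a Python walker for an uncompressed SWF that applies the compartment rule above to the two outer levels, the header's declared file length against the bytes actually present ([A]) and each tag's length against the file ([B]), and fails on the first mismatch rather than skipping and continuing. The header layout, tag codes and TagCodeAndLength encoding follow the public SWF specification; the tag() and swf() builders and both sample files are constructed here for the demonstration.

```python
import struct

def parse_swf(data):
    """Return [(tag_code, body)] for an uncompressed (FWS) SWF. Any length that does not
    fit its enclosing compartment (file -> tag) raises instead of being skipped."""
    if data[:3] != b"FWS" or len(data) < 13:
        raise ValueError("not an uncompressed SWF (FWS) file")
    file_len = struct.unpack_from("<I", data, 4)[0]
    if file_len != len(data):                   # [A]: declared file length vs. bytes present
        raise ValueError("header claims %d bytes, got %d" % (file_len, len(data)))
    nbits = data[8] >> 3                        # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, UI16 frame rate, UI16 frame count
    tags = []
    while True:
        if pos + 2 > len(data):
            raise ValueError("tag stream ran off the end of the file without an End tag")
        code_and_len = struct.unpack_from("<H", data, pos)[0]; pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                      # long form: an SI32 length follows
            if pos + 4 > len(data):
                raise ValueError("truncated long tag header at %d" % pos)
            length = struct.unpack_from("<i", data, pos)[0]; pos += 4
        if length < 0 or pos + length > len(data):   # [B]: tag must fit inside the file
            raise ValueError("tag %d at %d claims %d bytes past the end" % (code, pos, length))
        tags.append((code, data[pos:pos + length])); pos += length
        if code == 0:                           # End tag closes the stream
            return tags

def tag(code, body=b""):
    """Encode one short-form SWF tag (helper constructed for the samples below)."""
    return struct.pack("<H", (code << 6) | len(body)) + body

def swf(tags):
    """Assemble a version-9 FWS file: header, RECT with Nbits=0, 12.0 fps, 1 frame, tags."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + b"".join(tags)
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body

# Constructed samples. GOOD mirrors the page's compiled GetURL movie, plus a DoAction tag
# (code 12) whose body is just ActionEnd. BAD's SetBackgroundColor tag (code 9) declares
# three bytes of colour but the file ends after one: a tag length exceeding its file.
GOOD = swf([tag(69, b"\0\0\0\0"), tag(9, b"\xff\xff\xff"), tag(12, b"\x00"), tag(1), tag(0)])
BAD = swf([tag(69, b"\0\0\0\0"), struct.pack("<H", (9 << 6) | 3) + b"\xff"])
```

Truncating GOOD by one byte trips the [A] check, while BAD passes [A] and is rejected at [B].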
RBB Example
Process Heap:
Heap Block #1 (GoodbyeWorld.SWF)
  …
  ActionConstantPool
    Constant ID 0 - “tf”
    Constant ID 1 - “createTextField”
    Constant ID 2 - “text”
    Constant ID 3 - “Goodbye World”
  …
  Constant ID 4 - string from next SWF tag
  Constant ID 5 - string from SWF block
Heap Block #2 (Response Data)
  Constant ID 6 - string from adjacent heap
Constant Pool references: Constant [0], Constant [1], Constant [2], Constant [3], Constant [4], Constant [5], Constant [6]
What if the bounds of these in-memory reads are not checked?
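An added example, not from the original slides, that walks the ActionRecords of a DoAction body (the DoAction / ActionConstantPool / ActionPush chain summarised earlier) and reports every constant8 or constant16 push whose ID is not below the pool's count, which is the unchecked read the heap diagram above describes. Action codes and push value types follow the public SWF specification; the constant_pool() helper and the sample bytes are constructed here, with IDs 0 to 3 defined and ID 6 deliberately undefined.

```python
import struct
# Byte size of the value after each ActionPush type byte (type 0 is a NUL-terminated string).
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}

def parse_push(data):
    """Yield (type, value) for every item packed into one ActionPush (0x96) record."""
    i = 0
    while i < len(data):
        t = data[i]; i += 1
        if t == 0:
            end = data.index(b"\0", i); yield t, data[i:end]; i = end + 1
        elif t not in PUSH_SIZES or i + PUSH_SIZES[t] > len(data):
            raise ValueError("ActionPush item overruns its record")
        else:
            yield t, int.from_bytes(data[i:i + PUSH_SIZES[t]], "little"); i += PUSH_SIZES[t]

def check_doaction(body):
    """Walk a DoAction body; return [(offset, id)] for each constant push whose id is not defined."""
    findings, pool_count, pos = [], 0, 0
    while pos < len(body):
        start, code = pos, body[pos]; pos += 1
        if code == 0x00:                            # ActionEnd terminates the record stream
            return findings
        if code < 0x80:                             # short record: no length field
            continue
        length = struct.unpack_from("<H", body, pos)[0]; pos += 2
        if pos + length > len(body):                # record must fit inside the tag: skip and fail
            raise ValueError("record 0x%02x at %d overruns the DoAction body" % (code, start))
        data = body[pos:pos + length]; pos += length
        if code == 0x88:                            # ActionConstantPool: USHORT count, then strings
            pool_count = struct.unpack_from("<H", data)[0]
            if data[2:].count(b"\0") != pool_count:
                raise ValueError("constant pool count disagrees with its string table")
        elif code == 0x96:                          # ActionPush
            for t, value in parse_push(data):
                if t in (8, 9) and value >= pool_count:
                    findings.append((start, value))
    raise ValueError("DoAction body has no ActionEnd")

def constant_pool(strings):
    """Encode an ActionConstantPool record (helper constructed for the sample below)."""
    body = struct.pack("<H", len(strings)) + b"".join(s.encode() + b"\0" for s in strings)
    return bytes([0x88]) + struct.pack("<H", len(body)) + body

# Constructed sample mirroring the page's TextField movie: a four-entry pool, pushes of IDs
# 0, 2 and 3 (defined), then a push of ID 6 that a decoder without an index check would
# resolve from whatever heap memory happens to follow the pool.
SAMPLE = (constant_pool(["tf", "createTextField", "text", "Hello World"])
          + bytes([0x96, 0x06, 0x00, 0x08, 0x00, 0x08, 0x02, 0x08, 0x03])
          + bytes([0x96, 0x02, 0x00, 0x08, 0x06])
          + bytes([0x4F, 0x00]))                    # ActionSetMember, ActionEnd
```

check_doaction(SAMPLE) reports the second push (at byte offset 50) referencing ID 6 against a pool of four entries.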
Memory Layout
Process Memory:
…
Heap Block (Application Data)
Heap Block (GoodbyeWorld.SWF)
  SWF Header
  FileAttributes
  SetBackgroundColor
  DoAction
    ActionConstantPool
      UBYTE ActionCode - 0x88
      USHORT Length - 0x28
      USHORT Count - 0x4
      Constant[0] - “tf”
      Constant[1] - “createTextField”
      Constant[2] - “text”
      Constant[n] - “Goodbye World!”
    ActionPush
    ActionCallFunction
    ActionPop
    ActionGetVariable
    ActionPush
    ActionSetmember
    ActionEnd
  ShowFrame
  SWF End
Heap Block (Application Data)
…
Memory Layout - Cont
Process Memory (Flat Model): Process Heap, CRT Heap, Module Private Heap
Legend: Green – Free Blocks, Black – Used Blocks
Heap Block (SCAN.SWF)
Memory Layout - Cont
Heap Buckets: 128 Bytes, 256 Bytes, 512 Bytes, 1024 Bytes
Heap Block (SCAN.SWF)
Placement can be controlled by altering the size of our block (SWF File Size)
Lead into exploit
• String constants are defined and assigned character ID(s)
• Character ID can be later referenced through compiled ActionScript
2.0 instructions (ActionRecords)
• CreateText can be used to write output to the stage
Pseudo code
var heapstr = new Array();
heapstr[0] = "I";
heapstr[1] = "S";
heapstr[2] = "E";
heapstr[3] = "C";
heapstr[4] = const_pool_string_from_heap[0];
heapstr[5] = const_pool_string_from_heap[1];
heapstr[6] = const_pool_string_from_heap[2];
...
heapstr[259] = const_pool_string_from_heap[255];
var buffer:String = "";
for(var i = 0; i < CONSTCNT; ++i)
    buffer += heapstr[i];
createTextField("tf", 1, 10, 10, 400, 100);
tf.text = buffer;
File organization
• Tag where the read begins exists in the middle of the file
• Constant pool entries must be referenced by the literal value of the string index, therefore they cannot be easily coded in a loop
• The more strings we want to read, the larger our action record payload will become
• Jump instructions allow execution outside of code regions
Read Beyond Bounds
– Malicious SWF movies of various sizes are delivered to the target browser via markup (e.g. HTML)
– Each SWF reads significant portions of process memory and the strings are stored in the string pool table
– Strings stored in the constant pool are retrieved by referencing their associated constant ID(s)
– These strings are concatenated together and delivered to a remote listener; in this case the UI (for demo purposes)
Demonstration
Exploiting Read Beyond Bounds
PoC Statistics
– Highly reliable: only fails when memory boundaries are reached (page boundary)
– Due to the nature of exploitation, works on every tested OS and application where Flash is installed and the heap is contiguous
– Vulnerability affects more system installations than any other to date? (99%)
Common Misconceptions
– Widely deployed file formats undergo heavy
testing by major vendors and therefore are
hardened
– Compiler and OS security enhancements
prevent the exploitation of the majority of
newly discovered vulnerabilities
Upgrade to Flash 10
• Many vulnerabilities fixed (including the ones I reported)
• Code is more stable
• More features
Closing Comments
• When testing software, utilize tools such as PageHeap. This utility will reserve a page after each allocation and set its permission to PAGE_NOACCESS. Any attempt to read, write or execute this page will generate an exception.
• Train auditors to be on the lookout for read boundary issues and not just for write boundary issues (buffer overflows).
• These issues primarily affect unmanaged programming languages. Managed and type safe languages are resilient to these issues.
Contributors
– Josh Zelonis for his work on the 010 Editor
templates