Tuesday, August 25, 2009

Flash attack vectors (and worms)

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I'm not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.

Users of this site can share videos with each other (same as on Facebook). Besides other media, users can also point to Flash movies and this was enough for the attacker to exploit one small error in the video player code used by the Renren site.

The URL to an SWF file posted by a user was processed by a function called playswf(). Among other things this function creates an embedded object (application/x-shockwave-flash) that points to the user supplied SWF file.

Now, before digging into what this worm does, I'd like to point out how dangerous embedding SWF files can be. It is very common that authors put basic XSS protection into their programs (for example, preventing users from entering the script tag), however, Flash files can also be dangerous – I've successfully used them during various penetration tests to evade web application firewalls (which are not the solution to bad coding!).

Back to the worm – the playswf() function creates the following object:

See http://isc.sans.org/diary.html?storyid=7015&rss

No comments: