[摘要]Macromedia Flash has its own built in scripting language. ActionScript[6] (the scripting language) ...
Macromedia Flash has its own built in scripting language. ActionScript[6] (the scripting language) seems very simple to seasoned JavaScript coders as it uses a very similar syntax to JavaScript, C and PERL. However this same language can be used for complex animations, simulations, creation of games etc.. What’s interesting for us is the getURL() action[7]. This function allows us to redirect the end user to another page. The parameter would usually be a URL; something like “http://eyeonsecurity.net”, so that the script looks like this:
getURL(“http://eyeonsecurity.net”)
Suppose we specify a java script: URL instead:
getURL(“java script:alert(document.cookie)”)
The above example pops up a JavaScript alert box with the cookie belonging to the domain hosting the page that displays the flash document. This means that we have successfully injected JavaScript by making use of “features” within Internet Explorer and Flash. In the example Flash file we insert script similar to the above in the first frame as shown in the screenshot.
[Example sites and software vulnerable to the Flash! Attack]
Ezboard (http://www.ezboard.com/) is probably one of the best well-known free online Bulletin Board Systems around. This BBS which is HTTP-based, allows its users to have their signatures in flash by making use of the EMBED tag. Therefore in our tests we edit our preferences and specify the following code in the signature:
<embed
src="http://eyeonsecurity.net/download/example.swf"
pluginspage=”http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash”
type="application/x-shockwave-flash"
width="0"
height="0"
>
</embed>
The below screenshot illustrates the idea better.
This code will be added to each post the attacker submits on the Ezboard forum, allowing him to steal the user’s session cookie.
DeviantART which is a very popular website, encourages it’s users to submit flash animations and creations to be viewed by other site members. Of course a malicious user with intent to steal user accounts and possibly administrative accounts, would create a new account, upload a malicious Flash file and wait for the results. No demonstration is available for this site.
MSN Communities[8] – this site allows users to upload their own files … amongst the files we uploaded were SWF files, which in turn execute JavaScript code. This is a very obvious security flaw. In a previous paper[9] on EyeonSecurity, named “Microsoft Passport Account Hijack Attack”, we outline how a single flaw in an MSN or Passport network site creates a significant security problem.
Anonymous services such as Anonymizer[10] and The-Cloak[11], are also vulnerable to this attack. These services try to filter out JavaScript from HTML pages, however fail to recognize the attack described here at the time of writing. Meaning that web master linking (or redirecting) its users to an SWF file can bypass the restrictions set up by these services.
Two specific Forum (BBS) software, which are particularly vulnerable to this attack, are Ikonboard and YaBB[12]. These particular forums allow only specific custom tags which are then parsed by the Web Application to produce the end result. However these forums allow flash animations to be embedded within the page by using the [flash] special tag, which is converted to the correct Object tag.
Example