Adobe Flex 3.3 SDK DOM-Based XSS

==================================================
Adobe Flex 3.3 SDK DOM-Based XSS
Public Release Date: 8/19/2009
Adam Bixby - Gotham Digital Science
Affected Software:  Adobe Flex 3.3 SDK and earlier

==================================================
1. Summary
==================================================

Adobe Flex is a software development kit released by Adobe Systems for the 
development and deployment of cross-platform rich Internet applications based 
on the Adobe Flash platform.  An instance of a DOM-based Cross Site Scripting 
(XSS) vulnerability was found in the default index.template.html of the SDK 
that is an HTML template used by FlexBuilder to generate the wrapper html for 
all the application files in your project.  The XSS vulnerability appears to 
affect all users that download and utilize this HTML wrapper.  You can find 
more information on DOM-based XSS here: 
http://www.owasp.org/index.php/DOM_Based_XSS
  

The vendor (Adobe Systems) was notified of this issue on June 29, 2009.  The 
vendor responded by releasing version 3.4 on August 19, 2009 and has also 
issued a security bulletin: 
http://www.adobe.com/support/security/bulletins/apsb09-13.html.


==================================================
2. Technical Details
==================================================

File: index.template.html

1) Data enters via URL parameters through the window.location JavaScript 
object, is then stored in the MMredirectURL variable, and passed to the 
AC_FL_RunContent() function.

Line 59:
..snip..
var MMredirectURL = window.location;
..snip..

Line 63:
AC_FL_RunContent(
                ..snip..
            "FlashVars", "MMredirectURL=" + MMredirectURL + '&MMplayerType=' +
                MMPlayerType + '&MMdoctitle=' + MMdoctitle + "",
                ..snip..

2) The MMredirectURL variable with user-controllable input is passed to 
AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. 
Writing the un-validated data to HTML creates the XSS exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
  var ret = 
    AC_GetArgs
    (  arguments, ".swf", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
     , "application/x-shockwave-flash"
    );
  AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}

Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs) 
{ 
    var str = '';
    if (isIE && isWin && !isOpera)
    {
        // IE/Windows: build an <object> tag; each value is concatenated
        // straight into a double-quoted attribute without any escaping
        str += '<object ';
        for (var i in objAttrs)
            str += i + '="' + objAttrs[i] + '" ';
        str += '>';
        for (var i in params)
            str += '<param name="' + i + '" value="' + params[i] + '" /> ';
        str += '</object>';
    } else {
        // Other browsers: same pattern with an <embed> tag
        str += '<embed ';
        for (var i in embedAttrs)
            str += i + '="' + embedAttrs[i] + '" ';
        str += '> </embed>';
    }

    // The un-validated markup, including the FlashVars built from
    // window.location, is written directly into the document
    document.write(str);
}
 

NOTE: For the exploit to work, the end user must have installed an older 
version of Adobe Flash than the value that is set in the Globals variable 
"requiredMajorVersion" (Line 36).
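The following Node.js model is an added example and is not Adobe's code or
code from the advisory. It reproduces the two string-building steps described
above (FlashVars built from window.location, then AC_Generateobj's <param>
loop) beside a hardened version that encodes for both output contexts: the
FlashVars value is percent-encoded because FlashVars is a URL-encoded
key=value list, and anything placed in an attribute is HTML-attribute-escaped.
The function names, the "app.swf" movie name and the FlexApp host name are
constructed placeholders; the hardened functions are a suggested mitigation,
not the change Adobe shipped in 3.4.

```javascript
// Added example (not Adobe's code, not from the advisory): a Node.js model of
// the string building in index.template.html / AC_OETags.js and a hardened
// version. Function names, "app.swf" and the FlexApp host are placeholders.

// --- Vulnerable path, mirroring the advisory -------------------------------

// index.template.html: FlashVars built by raw concatenation of window.location
function buildFlashVarsVulnerable(redirectURL, playerType, doctitle) {
  return "MMredirectURL=" + redirectURL +
         "&MMplayerType=" + playerType +
         "&MMdoctitle=" + doctitle;
}

// AC_Generateobj's <param> loop: values land inside a double-quoted attribute
function generateObjVulnerable(params) {
  var str = '<object>';
  for (var name in params) {
    str += '<param name="' + name + '" value="' + params[name] + '" /> ';
  }
  return str + '</object>';
}

// --- Hardened path (two output contexts, each encoded for itself) -----------

// Context 1: FlashVars is a URL-encoded key=value list, so each value is
// percent-encoded; a '"' or '<' taken from the URL can no longer reach markup.
function buildFlashVarsHardened(redirectURL, playerType, doctitle) {
  return "MMredirectURL=" + encodeURIComponent(String(redirectURL)) +
         "&MMplayerType=" + encodeURIComponent(String(playerType)) +
         "&MMdoctitle=" + encodeURIComponent(String(doctitle));
}

// Context 2: whatever is placed in an HTML attribute is attribute-escaped, so
// the generator stays safe even for parameters that were never URL-encoded.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function generateObjHardened(params) {
  var str = '<object>';
  for (var name in params) {
    str += '<param name="' + escapeHtmlAttr(name) +
           '" value="' + escapeHtmlAttr(params[name]) + '" /> ';
  }
  return str + '</object>';
}

// --- Driver ------------------------------------------------------------------

// Constructed input: the string window.location holds when the advisory's
// reproduction request is loaded (host name is a placeholder).
var PAYLOAD_LOCATION =
  'http://FlexApp/Flex/index.template.html?"/></object><script>alert(\'XSS\')</script>';

// Runs both pipelines on the same location and reports whether the resulting
// markup contains a <script> element that the template never emitted itself.
function compare(location) {
  var vuln = generateObjVulnerable({
    movie: 'app.swf',
    FlashVars: buildFlashVarsVulnerable(location, 'ActiveX', 'Demo')
  });
  var safe = generateObjHardened({
    movie: 'app.swf',
    FlashVars: buildFlashVarsHardened(location, 'ActiveX', 'Demo')
  });
  return {
    vulnerable: vuln,
    hardened: safe,
    vulnerableInjected: vuln.indexOf('<script>') !== -1,
    hardenedInjected: safe.indexOf('<script') !== -1
  };
}

var result = compare(PAYLOAD_LOCATION);
console.log('vulnerable markup injects <script>: ' + result.vulnerableInjected);
console.log('hardened markup injects <script>:   ' + result.hardenedInjected);
```

Run it with `node` on the file; the vulnerable output shows the injected
element sitting after a closed </object>, while the hardened output carries the
same data as %3Cscript%3E inside the attribute, where the browser treats it as
text. Encoding each value for its own context is what closes the hole; a single
blacklist on window.location would not protect the other FlashVars values.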

==================================================
3. Proof-of-Concept Exploit
==================================================

This vulnerability can be exploited against any Flex based application that 
uses the index.template.html wrapper page containing the code above.  In order 
to exploit this issue, the end user must have Adobe Flash installed, but it 
must be an older version than the required one set by the application owner 
(set in Globals variable "requiredMajorVersion"). 

Reproduction Request:
http://FlexApp/Flex/index.template.html?"/></object><script>alert('XSS')</script>


==================================================
4. Recommendation 
==================================================

Update to Flex 3.4 SDK or view Adobe's TechNotes on how to manually fix the 
issue: http://kb2.adobe.com/cps/495/cpsid_49530.html


==================================================
5. About Gotham Digital Science 
==================================================

Gotham Digital Science (GDS) is an international security services company 
specializing in Application and Network Infrastructure security, and 
Information Security Risk Management. For more information on GDS, please 
contact labs (at) gdssecurity.com or visit http://www.gdssecurity.com.