Page 1: Exploiting Rich Content
An assessment of file formats used by Rich Internet Applications
Riley Hassell, iSEC Partners (NCC Group) - https://www.isecpartners.com

Page 2: Why present?
– Everyone is exposed to RIA
– Many vulnerabilities found during testing are dismissed as harmless bugs
– Vendor testing should be tailored to detect a wider variety of software threats

Page 3: Initial Research
– Reviewed and used popular Rich Internet Application technologies
– Chose Adobe Flash as the target of the audit due to its high deployment and rich feature offering

Page 4: Overview
– Adobe Flash Introduction
– Testing Methodology
– Testing Results

Page 5: Adobe Flash

Page 6: Adobe Flash Introduction
– Most widely deployed software technology (estimated 99% of computer systems; runs on all major operating systems)
– Source: Millward Brown survey, http://www.adobe.com/products/player_census/flashplayer/

Page 7: Adobe Flash Introduction - cont
– Delivered using the SWF file format through markup (i.e. HTML), but can also be delivered directly to the user
– Developers use Flash to deliver rich web applications in the fields of entertainment, marketing, online gaming and many others
– The recent introduction of Flex and AIR permits the development of even richer applications

Page 8: SWF File Format
– Supports 64 tag types (as of Player 9)
– Tags are organized top down and have a TLV (type, length, value) structure
– Many tags also support sub-types of varying depth and complexity
[Figure: file layout - SWF Header; SWF Tag; SWF Tag; SWF Tag; End Tag]

Page 9: Flash Terminology
• Stage
– When working in a Flash development environment, this is the large white rectangle where your content will render and be displayed
• Timeline
– The timeline is a linear representation of the frames within a movie. Flash developers typically manage frames and frame contents using the timeline
• Assets
– An asset is any item that a developer will use or reference in a Flash movie. Some examples of assets are fonts, images, text strings, and any embedded content

Page 10: ActionScript
– Originally developed by Macromedia; through acquisition it became the property of Adobe in 2005
– Designed initially for simple animation, but has since been extended to offer rich functionality
– Based on the ECMAScript standard, therefore very similar to JavaScript

Page 11: ActionScript 2.0
– Supported by all popular Flash players
– Script is compiled into ActionRecord(s)
– Records are stored in a DoAction tag
– The ActionRecord stream is terminated with a record of type ActionEnd
[Figure: SWF Header; DoAction { ActionRecord, ActionRecord, ActionRecord, ActionEnd }; ShowFrame; EndTag]

Page 12: GetURL Sample (Source)
The simple example below, when added to the first frame of a new movie, will redirect the user to the iSEC Partners website:

getURL("http://www.isecpartners.com");

Page 13: GetURL Sample (Compiled)
[Figure: SWF Header; FileAttributes; SetBackgroundColor; DoAction { ActionGetURL, ActionEnd }; ShowFrame; EndTag]

Page 14: TextField Sample (Source)
When added to the first frame of a new movie, this will create a text field displaying the string "Hello World":

createTextField("tf", 1, 10, 10, 400, 100);
tf.text = "Hello World\n";

Page 15: TextField Sample (Running)
[Figure: the movie running, showing the text field]

Page 16: TextField Sample (Compiled)
ActionConstantPool:
UBYTE ActionCode = 0x88
USHORT Length = 0x28
USHORT Count = 0x4
Constant[0] - "tf"
Constant[1] - "createTextField"
Constant[2] - "text"
Constant[3] - "Hello World!"
[Figure: layout of the SWF file RBB.SWF - DoAction { ActionConstantPool, ActionPush, ActionCallFunction, ActionPop, ActionPush, ActionGetVariable, ActionPush, ActionSetMember, ActionEnd }; ShowFrame; SWF End]

Page 17: TextField Sample (Compiled)
ActionPush - push the arguments for the call createTextField("tf", 1, 10, 10, 400, 100), last argument first:
UBYTE ActionCode = 0x96
USHORT Length = (size of the values that follow)
TypeConstant[0] { UBYTE Type = 0x7 (integer); LONG Integer = 0x64 (100) }
TypeConstant[1] { UBYTE Type = 0x7 (integer); LONG Integer = 0x190 (400) }
...
TypeConstant[5] { UBYTE Type = 0x8 (constant8); UBYTE Index = 0x0 ("tf") }
followed by the argument count and the function name ("createTextField", constant pool index 1)

Page 18: TextField Sample (Compiled)
ActionCallFunction - UBYTE ActionCode = 0x3D
ActionPop - UBYTE ActionCode = 0x17
Neither record carries a Length field: only action codes of 0x80 and above do. Call the function createTextField and clean up the stack (discard its return value).

Page 19: TextField Sample (Compiled)
ActionPush:
UBYTE ActionCode = 0x96
USHORT Length = 0x2
TypeConstant[0] { UBYTE Type = 0x8 (constant8); UBYTE Index = 0x0 ("tf") }
ActionGetVariable - UBYTE ActionCode = 0x1C (no Length field)
Get the object held in the variable "tf"

Page 20: TextField Sample (Compiled)
ActionPush:
UBYTE ActionCode = 0x96
USHORT Length = 0x4
TypeConstant[0] { UBYTE Type = 0x8 (constant8); UBYTE Index = 0x2 ("text") }
TypeConstant[1] { UBYTE Type = 0x8 (constant8); UBYTE Index = 0x3 ("Hello World") }
ActionSetMember - UBYTE ActionCode = 0x4F (no Length field)
Assign the value to the object member, i.e. tf.text = "Hello World"

Page 21: Summary
• Constants are defined in a string table (the constant pool)
• They can later be referenced by ID and inserted onto the stage
• In ActionScript 2.0 this is accomplished with ActionRecord(s), which are stored in a DoAction SWF tag

Page 22: Testing Methodology

Page 23: Testing Methodology
– Manual Testing
– Reverse Engineering
– Fault Injection

Page 24: Manual Testing
– Binary Editor SWF Template
• Developed by Josh Zelonis
• Breaks down SWF contents and allows on-the-fly editing and testing of Flash movies

Page 25: 010 Editor
[Figure: 010 Editor]

Page 26: SWF Template
• Breaks down the SWF file structure within 010 Editor
• Allows for on-the-fly dissection and alteration of SWF files

Page 27: Manual Testing
– Flash CS3 Professional
• Created ActionScript to examine the output of the compiler using the binary editor template and gain an in-depth understanding of the ActionScript compiler

Page 28: Flash CS3 Professional
[Figure: the Flash CS3 Professional user interface, with the ActionScript window, the stage editor and the toolbar labelled]

Page 29: Reverse Engineering
– Determine which features are in fact supported by the target decoder
– Determine how the security policy enforcement component is implemented
– Look for vulnerabilities to exploit

Page 30: FlashFire
– Gather Input
– Survey Input
– Mutate Input
– Instrument Process
– Monitor Process
– Event Driven Fault Injection (EDFI)
– Post Mortem bug Analysis (PMA)

Page 31: FlashFire - Gather Input
– Files are collected from the internet using the Google SOAP Search API
– Files are then catalogued by unique MD5

Page 32: FlashFire - Survey Input
– During a testing session the input is surveyed and only files with the targeted content are supplied to FlashFire
– Chosen files are reviewed, and the relevant regions in each file are marked as good candidates for mutation

Page 33: FlashFire - Mutate Input
– Batches of files are retrieved from the catalog; for each iteration of testing a file is pulled from the batch and mutated
– The file is mutated by injecting a variety of faulty input
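The mutation step described above, as an added example in C. This is not FlashFire's code (the talk does not show any); the region structure, the four fault classes, the xorshift seeding and the 64-byte pattern buffer are this example's own choices. The point it makes is the one the survey step sets up: faults land only inside the regions an analyst marked, every round changes something, and a given seed reproduces the same faults, so a failure can be re-created from the session log.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { size_t off, len; } region;             /* a span of the file marked as a mutation candidate */

static uint32_t xorshift(uint32_t *s)                   /* small deterministic PRNG: same seed, same faults */
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Apply `rounds` faults inside one region, each altering at least one byte and never touching
 * anything outside it. Fault classes: single bit flip, boundary byte value, small arithmetic delta,
 * and a 16-bit boundary value written little-endian (the shape of SWF tag and ActionRecord lengths).
 * Returns the number of rounds applied, or 0 if the region does not lie within the buffer. */
size_t mutate_region(uint8_t *buf, size_t buflen, region r, uint32_t seed, size_t rounds)
{
    static const uint8_t bytes[] = { 0x00, 0x01, 0x7F, 0x80, 0xFF };
    static const uint16_t words[] = { 0x0000, 0x0001, 0x003F, 0x7FFF, 0x8000, 0xFFFF };
    if (r.len == 0 || r.off >= buflen || r.len > buflen - r.off) return 0;
    uint32_t s = seed ? seed : 0x9E3779B9u;             /* xorshift must not start from zero */
    size_t end = r.off + r.len;
    for (size_t n = 0; n < rounds; n++) {
        size_t at = r.off + xorshift(&s) % r.len;
        uint8_t old = buf[at];
        switch (xorshift(&s) % 4) {
        case 0: buf[at] ^= (uint8_t)(1u << (xorshift(&s) % 8)); break;
        case 1: buf[at] = bytes[xorshift(&s) % sizeof bytes]; break;
        case 2: { int d = 1 + (int)(xorshift(&s) % 4); buf[at] += (xorshift(&s) & 1) ? d : -d; break; }
        case 3:
            if (at + 1 < end) {                         /* both bytes of the word must stay inside the region */
                uint16_t w = words[xorshift(&s) % (sizeof words / sizeof words[0])];
                buf[at] = (uint8_t)w; buf[at + 1] = (uint8_t)(w >> 8);
            }
            break;
        }
        if (buf[at] == old) buf[at] ^= 0x01;            /* a fault that changed nothing would waste a round */
    }
    return rounds;
}

/* Constructed check over a 64-byte pattern: bit 0 is set if the faults stayed inside the region and the
 * same seed reproduced the same bytes; bit 1 is set if the region itself differs from the original. */
int mutation_contained(uint32_t seed, size_t rounds)
{
    uint8_t orig[64], a[64], b[64];
    region r = { 16, 8 };
    for (size_t i = 0; i < sizeof orig; i++) orig[i] = (uint8_t)(0x10 + i);
    memcpy(a, orig, sizeof a);
    memcpy(b, orig, sizeof b);
    if (mutate_region(a, sizeof a, r, seed, rounds) != rounds) return 0;
    if (mutate_region(b, sizeof b, r, seed, rounds) != rounds) return 0;
    int contained = memcmp(a, b, sizeof a) == 0
                 && memcmp(a, orig, r.off) == 0
                 && memcmp(a + r.off + r.len, orig + r.off + r.len, sizeof a - r.off - r.len) == 0;
    int changed = memcmp(a + r.off, orig + r.off, r.len) != 0;
    return contained | changed << 1;
}

/* A region that runs past the buffer is refused outright rather than clipped. */
int overlong_region_rejected(void)
{
    uint8_t buf[32] = { 0 };
    region r = { 24, 16 };
    return mutate_region(buf, sizeof buf, r, 1, 4) == 0;
}
```

The forced bit flip at the end of each round is what makes `rounds` meaningful as a count of distinct faults; without it a boundary value equal to the byte already present would silently do nothing and the session log would record a fault that never happened.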

Page 34: FlashFire - Process Instrumentation
– Prior to fault injection, a series of locations in the target process are instrumented with breakpoints to detect their execution
– These locations correlate to events that are required to synchronize fault delivery

Page 35: FlashFire - Process Monitoring
– Faults are injected into the file input, which is then loaded into the target application
– Events are tightly correlated, allowing much faster fault injection and refined detection of application failure

Page 36: Event Driven Fault Injection (EDFI)
• What is it?
– Tight coupling between the fault injector and the target application, accomplished using instruction tracing, breakpoints and hooking
– Allows correlation of events useful to fault injection
• Pros
– Able to determine the distance travelled by mutated data in the application
– Able to determine failure of input delivery
– Able to catch even the slightest application failures
– Makes fault injection very, very fast
• Cons
– Requires reverse engineering of closed-source targets

Page 37: FlashFire - Post Mortem Analysis
– Failures detected in the target application are catalogued together with the input that triggered the failure, the process context at the time of the failure, and a description of the fault that was injected to trigger it
– ProcessSession.py (a Python script) was written to process all log data and samples recorded during sessions and create the final report deliverable for the vendor

Page 38: Demonstration - FlashFire

Page 39: Summary
– 3 million injections in 36 hours of testing
– 23 unique vulnerabilities identified
– 785 unique paths to vulnerable code sequences were identified

Page 40: Test Results
[Figure: pie chart of the vulnerability classes found]
Read Beyond Bounds - 67%
Null Pointer - 21%
Uninitialized Data - 8%
Other - 4%

Page 41: Safe or not?

typedef struct
{
    int len;
    void *data;
} BLOCK;

char *url = NULL;

int GetElement(BLOCK *blk)
{
    if(blk->len > 2048)
    {
        printf("Invalid block size!\n");
        return -1;
    }

    url = (char *)calloc(blk->len,1);
    memcpy(url, blk->data, blk->len);
    return 0;
}
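The answer to the slide's question, as an added example (not code from the talk): the slide's GetElement kept as written, beside a hardened form. SIZED_BLOCK, GetElementSafe, the arena, the ELEM_CAP constant and the SESSION string are constructions for this example. The slide's check compares len against a constant and never against the size of the memory that data actually points to, so a caller-controlled len reads past the element into whatever follows it; and because len is a signed int, a negative value also passes the check and reaches calloc converted to a huge size_t. The demo exercises the first problem inside a buffer it owns and only notes the second.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int len; void *data; } BLOCK;          /* the slide's structure, unchanged */
char *url = NULL;

/* The slide's GetElement, kept as written. len is bounded against a constant, never against the
 * size of the memory behind data, and because len is signed a negative value passes the check
 * and reaches calloc as a huge size_t (not exercised below: it would crash the process). */
int GetElement(BLOCK *blk)
{
    if (blk->len > 2048) {
        printf("Invalid block size!\n");
        return -1;
    }
    url = (char *)calloc(blk->len, 1);
    memcpy(url, blk->data, blk->len);
    return 0;
}

/* Hardened form (this example's addition, not the talk's fix): the block carries the capacity of
 * the memory behind data, len is unsigned and checked against it, and calloc failure is handled. */
typedef struct { size_t len; size_t cap; const void *data; } SIZED_BLOCK;

int GetElementSafe(const SIZED_BLOCK *blk, char **out)
{
    if (blk->len > 2048 || blk->len > blk->cap) return -1;
    char *p = calloc(blk->len + 1, 1);                  /* +1: the result is always NUL-terminated */
    if (!p) return -1;
    memcpy(p, blk->data, blk->len);
    *out = p;
    return 0;
}

/* Constructed arena standing in for the heap: a 16-byte element followed by unrelated data. Reading
 * across it is defined behaviour here; in the player the same over-read walks into the next block. */
#define ELEM_CAP 16
static unsigned char arena[256] = "http://a.test/x";    /* 15 characters + NUL fill the element */
static const char neighbour[] = "SESSION=deadbeef";     /* what an over-read would expose */

/* 1 if the slide's GetElement, given a len larger than the element, hands back the neighbour's bytes. */
int leak_through_length(void)
{
    memcpy(arena + ELEM_CAP, neighbour, sizeof neighbour);
    BLOCK blk = { 48, arena };                          /* 48 passes the 2048 check; the element is 16 */
    if (GetElement(&blk) != 0) return -1;
    int leaked = memcmp(url + ELEM_CAP, neighbour, sizeof neighbour - 1) == 0;
    free(url);
    url = NULL;
    return leaked;
}

/* The hardened version on the same over-claim: -1, nothing copied. */
int safe_rejects_overclaim(void)
{
    char *out = NULL;
    SIZED_BLOCK blk = { 48, ELEM_CAP, arena };
    return GetElementSafe(&blk, &out);
}

/* The hardened version on an honest claim: returns the copied length (15), or -1 on failure. */
int safe_accepts_exact(void)
{
    char *out = NULL;
    SIZED_BLOCK blk = { 15, ELEM_CAP, arena };
    if (GetElementSafe(&blk, &out) != 0) return -1;
    int n = (int)strlen(out);
    free(out);
    return n;
}
```

The hardened version does not make the 2048 limit go away; it adds the check that was missing, against the real size of the source. That is the distinction the next slide draws: a write past `url` is what auditors look for, but here the allocation is sized from len and is never overflowed, the defect is entirely on the read side.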

Page 42: Read Beyond Bounds
• Occurs when a piece of code reads beyond the bounds of the data element it is intended to read
• Very common in code that deals with complex binary structures
• Since the reading of data is often overlooked, software is often riddled with these vulnerabilities
Dangerous when:
– The compartment chain is not verified, e.g. for nested elements [A [B [C]]] with their Len fields:
  1.) C.Len > B.Len
  2.) (C.Len + B.Len) > A.Len
– Skip and continue vs. skip and fail
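A decoder that enforces the compartment chain just described, following the TLV nesting walked through on the compiled TextField slides: the tag length must fit inside the file, each ActionRecord length inside its DoAction tag, each pushed value inside its ActionPush record, and each constant8/constant16 index below the ActionConstantPool Count. This is an added example, not code from the talk, from Adobe or from the 010 Editor template. It reads only uncompressed (FWS) files, knows only the tags and actions the sample uses, and parses a byte image constructed for this example (SAMPLE_SWF mirrors the TextField sample's action sequence but is not the talk's RBB.SWF). parse_mutated, last_stats and the OFF_* offsets are helpers for the example. Every failure is skip-and-fail: the parse stops at the first length or index that does not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { SWF_OK = 0, SWF_E_HEADER = -1, SWF_E_TAG_LEN = -2, SWF_E_ACTION_LEN = -3,
       SWF_E_POOL = -4, SWF_E_PUSH = -5, SWF_E_CONST_INDEX = -6, SWF_E_NO_END = -7 };
typedef struct { int tags, constants, pushes, values; } swf_stats;
swf_stats last_stats;                                   /* filled by parse_mutated() */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* ActionPush body: each value must fit in the record and each constant8/16 index must be below
 * the pool Count (skip-and-fail, never skip-and-continue). */
static int parse_push(const uint8_t *p, size_t len, swf_stats *st)
{
    static const size_t fixed[] = { 0, 4, 0, 0, 1, 1, 8, 4, 1, 2 };   /* value size per type; 0 = string */
    for (size_t i = 0; i < len; st->values++) {
        uint8_t type = p[i++];
        if (type > 9) return SWF_E_PUSH;
        size_t need = fixed[type];
        if (type == 0) {                                    /* string: its NUL must lie inside the record */
            const uint8_t *nul = memchr(p + i, 0, len - i);
            if (!nul) return SWF_E_PUSH;
            need = (size_t)(nul - (p + i)) + 1;
        }
        if (need > len - i) return SWF_E_PUSH;
        if (type == 8 && p[i] >= st->constants) return SWF_E_CONST_INDEX;
        if (type == 9 && rd16(p + i) >= st->constants) return SWF_E_CONST_INDEX;
        i += need;
    }
    st->pushes++;
    return SWF_OK;
}

/* DoAction body: ActionRecords up to ActionEnd. Only codes >= 0x80 carry a USHORT Length (C.Len),
 * which may not exceed what is left of the tag (B.Len). */
static int parse_actions(const uint8_t *p, size_t len, swf_stats *st)
{
    for (size_t i = 0; i < len; ) {
        uint8_t code = p[i++];
        size_t alen = 0;
        if (code >= 0x80) {
            if (len - i < 2) return SWF_E_ACTION_LEN;
            alen = rd16(p + i); i += 2;
            if (alen > len - i) return SWF_E_ACTION_LEN;
        }
        if (code == 0x00) return SWF_OK;
        if (code == 0x88) {                                 /* ActionConstantPool: Count NUL-terminated strings */
            if (alen < 2) return SWF_E_POOL;
            int count = rd16(p + i);
            for (size_t j = 2, k = 0; k < (size_t)count; k++) {
                const uint8_t *nul = memchr(p + i + j, 0, alen - j);
                if (!nul) return SWF_E_POOL;                /* Count claims more strings than the record holds */
                j = (size_t)(nul - (p + i)) + 1;
            }
            st->constants = count;
        } else if (code == 0x96) {                          /* ActionPush */
            int rc = parse_push(p + i, alen, st);
            if (rc) return rc;
        }
        i += alen;
    }
    return SWF_E_NO_END;
}

/* "FWS", version, UI32 file length, RECT, frame rate, frame count, then tag records. A RECORDHEADER
 * is a UI16: tag code in the top 10 bits, length in the low 6 (0x3f means a UI32 length follows). */
int parse_swf(const uint8_t *buf, size_t len, swf_stats *st)
{
    memset(st, 0, sizeof *st);
    if (len < 21 || memcmp(buf, "FWS", 3) != 0 || rd32(buf + 4) != len) return SWF_E_HEADER;
    size_t pos = 8 + (5 + 4 * (buf[8] >> 3) + 7) / 8 + 4;  /* RECT: 5-bit Nbits + 4 fields; then 2 UI16 */
    if (pos > len) return SWF_E_HEADER;
    for (;;) {
        if (len - pos < 2) return SWF_E_NO_END;
        uint16_t hdr = rd16(buf + pos); pos += 2;
        size_t tlen = hdr & 0x3f;
        if (tlen == 0x3f) {
            if (len - pos < 4) return SWF_E_TAG_LEN;
            tlen = rd32(buf + pos); pos += 4;
        }
        if (tlen > len - pos) return SWF_E_TAG_LEN;         /* B.Len vs A.Len: the tag must fit in the file */
        st->tags++;
        if ((hdr >> 6) == 0) return SWF_OK;                 /* End tag */
        if ((hdr >> 6) == 12) {                             /* DoAction */
            int rc = parse_actions(buf + pos, tlen, st);
            if (rc) return rc;
        }
        pos += tlen;
    }
}

/* Constructed image (not the talk's RBB.SWF): SetBackgroundColor; DoAction { ConstantPool "tf",
 * "createTextField","text","Hello World"; Push 100,400,10,10,1,c8[0],6,c8[1]; CallFunction; Pop;
 * Push c8[0]; GetVariable; Push c8[2],c8[3]; SetMember; End }; ShowFrame; End. */
static const uint8_t SAMPLE_SWF[] = {
    'F','W','S', 8, 0x83,0,0,0, 0x78,0,0x03,0xE8,0,0,0x0B,0xB8,0, 0x00,0x0C, 0x01,0x00,
    0x43,0x02, 0xFF,0xFF,0xFF, 0x3F,0x03, 0x5F,0,0,0,
    0x88, 0x26,0x00, 0x04,0x00, 't','f',0, 'c','r','e','a','t','e','T','e','x','t','F','i','e','l','d',0,
    't','e','x','t',0, 'H','e','l','l','o',' ','W','o','r','l','d',0,
    0x96, 0x22,0x00, 7,100,0,0,0, 7,0x90,0x01,0,0, 7,10,0,0,0, 7,10,0,0,0, 7,1,0,0,0, 8,0, 7,6,0,0,0, 8,1,
    0x3D, 0x17, 0x96,0x02,0x00, 8,0, 0x1C, 0x96,0x04,0x00, 8,2, 8,3, 0x4F, 0x00, 0x40,0x00, 0x00,0x00 };
enum { OFF_POOL_LEN = 33, OFF_TF_INDEX = 102 };         /* ConstantPool Length low byte; constant8 index of "tf" */

int parse_mutated(size_t off, uint8_t val)              /* one-byte mutation, as a fuzz round would do */
{
    uint8_t copy[sizeof SAMPLE_SWF];
    memcpy(copy, SAMPLE_SWF, sizeof copy);
    copy[off] = val;
    return parse_swf(copy, sizeof copy, &last_stats);
}
```

The two mutations worth trying first are exactly the two the slide lists: raising the ConstantPool Length past the end of its DoAction tag (C.Len > B.Len) and pointing a constant8 index past Count. A skip-and-continue decoder would read the next tag, or the next heap block, as a string in both cases; this one returns SWF_E_ACTION_LEN and SWF_E_CONST_INDEX respectively and never dereferences the bytes.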

Page 43: RBB Example
[Figure: process heap with Heap Block #1 (GoodbyeWorld.SWF, holding the ActionConstantPool) followed by Heap Block #2 (response data). The constant pool entries and where each read resolves:]
Constant ID 0 - "tf"
Constant ID 1 - "createTextField"
Constant ID 2 - "text"
Constant ID 3 - "Goodbye World"
Constant ID 4 - string from the next SWF tag
Constant ID 5 - string from the SWF block
Constant ID 6 - string from the adjacent heap block
What if the bounds of these in-memory reads are not checked?

Page 44: Memory Layout
[Figure: process memory with Heap Block (Application Data), Heap Block (GoodbyeWorld.SWF), Heap Block (Application Data). The SWF block contains: SWF Header; FileAttributes; SetBackgroundColor; DoAction { ActionConstantPool, ActionPush, ActionCallFunction, ActionPop, ActionGetVariable, ActionPush, ActionSetMember, ActionEnd }; ShowFrame; SWF End]
ActionConstantPool:
UBYTE ActionCode - 0x88
USHORT Length - 0x28
USHORT Count - 0x4
Constant[0] - "tf"
Constant[1] - "createTextField"
Constant[2] - "text"
Constant[n] - "Goodbye World!"

Page 45: Memory Layout - Cont
[Figure: process memory (flat model) showing the process heap, the CRT heap and a module private heap; green = free blocks, black = used blocks; the Heap Block (SCAN.SWF) sits among them]

Page 46: Memory Layout - Cont
[Figure: heap buckets of 128, 256, 512 and 1024 bytes, with the Heap Block (SCAN.SWF) placed in one of them]
Placement can be controlled by altering the size of our block (the SWF file size)

Page 47: Lead into exploit
• String constants are defined and assigned constant ID(s)
• A constant ID can later be referenced through compiled ActionScript 2.0 instructions (ActionRecords)
• createTextField can be used to write output to the stage

Page 48: Pseudo code

var heapstr = new Array();
heapstr[0] = "I";
heapstr[1] = "S";
heapstr[2] = "E";
heapstr[3] = "C";
heapstr[4] = const_pool_string_from_heap[0];
heapstr[5] = const_pool_string_from_heap[1];
heapstr[6] = const_pool_string_from_heap[2];
...
heapstr[259] = const_pool_string_from_heap[255];

var buffer:String = "";
for (var i = 0; i < CONSTCNT; ++i)
    buffer += heapstr[i];

createTextField("tf", 1, 10, 10, 400, 100);
tf.text = buffer;

Page 49: File organization
• The tag where the read begins exists in the middle of the file
• Constant pool entries must be referenced by the literal value of the string index, therefore the reads cannot easily be coded in a loop
• The more strings we want to read, the larger our action record payload will become
• Jump instructions allow execution outside of code regions

Page 50: Read Beyond Bounds
– Malicious SWF movies of various sizes are delivered to the target browser via markup (e.g. HTML)
– Each SWF reads significant portions of process memory, and the strings are stored in the string pool table
– Strings stored in the constant pool are retrieved by referencing their associated constant ID(s)
– These strings are concatenated together and delivered to a remote listener; in this case the UI (for demo purposes)

Page 51: Demonstration - Exploiting Read Beyond Bounds

Page 52: PoC Statistics
– Highly reliable; only fails when memory boundaries are reached (page boundary)
– Due to the nature of the exploitation it works on every tested OS and application where Flash is installed and the heap is contiguous
– Does the vulnerability affect more system installations than any other to date? (99%)

Page 53: Common Misconceptions
– Widely deployed file formats undergo heavy testing by major vendors and are therefore hardened
– Compiler and OS security enhancements prevent the exploitation of the majority of newly discovered vulnerabilities

Page 54: Upgrade to Flash 10
• Many vulnerabilities fixed (including the ones I reported)
• Code is more stable
• More features

Page 55: Closing Comments
• When testing software, use tools such as page heap (PageHeap, enabled on Windows with gflags /p). It reserves a page after each allocation and sets its permission to PAGE_NOACCESS, so any attempt to read, write or execute that page generates an exception.
• Train auditors to be on the lookout for read boundary issues and not just for write boundary issues (buffer overflows).
• These issues primarily affect unmanaged programming languages. Managed and type-safe languages are resilient to them.
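The guard page behaviour described in the first closing comment, as an added example in C for POSIX systems rather than Windows PageHeap: this is not the talk's code or Microsoft's tool, but the same idea built from mmap and mprotect. guard_alloc ends each buffer right before a PROT_NONE page, and read_faults reports whether a read at a given index raised SIGSEGV (or SIGBUS on platforms that use it) instead of silently returning a byte. guard_alloc, read_faults, guard_demo and the 'A' fill are this example's own names and choices.

```c
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Allocate n bytes so that the byte right after them lies in a PROT_NONE guard page: the mapping is
 * whole body pages plus one guard page, and the buffer is placed at the very end of the body. */
static uint8_t *guard_alloc(size_t n, uint8_t **base, size_t *map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (n + page - 1) / page * page;
    uint8_t *m = mmap(NULL, body + page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    if (mprotect(m + body, page, PROT_NONE) != 0) { munmap(m, body + page); return NULL; }
    *base = m;
    *map_len = body + page;
    return m + body - n;
}

/* Read buf[idx] under a SIGSEGV/SIGBUS handler: 1 if the read faulted, 0 if it silently succeeded. */
static int read_faults(const volatile uint8_t *buf, size_t idx)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        (void)buf[idx];                                 /* volatile: the compiler must perform the load */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Bit 0: reading the last valid byte faults (it should not). Bit 1: reading one byte past the end
 * faults (it should). A guarded buffer therefore yields 2, the way a page-heap build turns a silent
 * read-beyond-bounds into an immediate exception. -1 if the mapping could not be created. */
int guard_demo(size_t n)
{
    uint8_t *base;
    size_t map_len;
    uint8_t *buf = guard_alloc(n, &base, &map_len);
    if (!buf) return -1;
    memset(buf, 'A', n);
    int r = read_faults(buf, n - 1) | read_faults(buf, n) << 1;
    munmap(base, map_len);
    return r;
}
```

With an ordinary malloc the same one-past-the-end read would return whatever byte happens to follow the block, which is exactly why the test results above are 67% read-beyond-bounds: nothing crashed when the decoder walked off the end of a structure, so nothing was noticed. The guard page makes the first out-of-bounds byte fatal, and the fault lands at the offending instruction rather than at some later use of the stale data.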

Page 56: Contributors
– Josh Zelonis for his work on the 010 Editor templates

Page 57: Questions?
Riley Hassell - [email protected]