Abusing JSONP with Rosetta Flash

PRESENTATION SLIDES (PDF)

In this paper we will present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters, in order to abuse JSONP endpoints, making the victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled domain.

To better understand the attack scenario it is important to take into account the combination of three factors:

1) With Flash, a SWF file can perform cookie-carrying GET or POST requests to the domain that hosts it, with no crossdomain.xml check. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.

2) JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL. Since most JSONP callbacks are restricted to alphanumeric, ‘_’ and ‘.’, our tool focuses on this very restrictive charset.

3) SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing < object > tag, and will be executed as Flash as long as the content looks like a valid Flash file.

Rosetta Flash exploits zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to another one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain.

We will provide a full featured proof of concept and ready-to-be-pasted, universal, weaponized PoCs with ActionScript sources (for exfiltrating arbitrary content specified by the attacker in the FlashVars). Mitigations, by Adobe and website administrators, are discussed. High profile Google domains (accounts.google.com, www., books., maps., etc.) were vulnerable and have been recently fixed; Twitter, YouTube, Instagram, Tumblr, Olark and eBay are still vulnerable at the time of writing this abstract.

Because of the sensitivity of this vulnerability, we first disclosed it privately to Adobe PSIRT and the Google Chrome Security Team. Adobe confirmed they pushed a tentative fix in Flash Player 14 beta (Lombard) and are on track to include the fix in the July release.

A CVE identifier has been reserved for the matter – CVE-2014-4671.

CONFERENCE
Location: Track 1 Date: October 15, 2014 Time: 11:30 am - 12:30 pm Michele Spagnuolo