0x03a: ASD - Australian Signals Intelligence Agency XSSposed (PATCHED)

[ DETAILS ]

This particular vulnerability was identified on the ASD's non-classified, internet-facing web service.

[ INTRODUCTION ]

This vulnerability was responsibly disclosed to the vendor and CERT (Computer Emergency Response Team) upon identification and has since been patched. Vulnerability confirmation and minor technical details can be verified on Open Bug Bounty. In addition to the ASD, I have discovered similar vulnerabilities within other high-profile corporate and government organisations. Within a few days to a week of performing SWF analysis, I managed to identify vulnerabilities in Amazon AWS, Cisco, Vodafone, Juniper Networks, FedEx, NASA, the US Army, NATO and more. The vulnerability itself was quite simple and, again, not very sophisticated. However, the nature of this particular vulnerability requires a white-box analysis approach. It is therefore essential to have a general understanding of ActionScript (similar to JavaScript, both being ECMA-based in terms of syntax) in order to identify a vulnerability and to grasp the generic code flow. As in other languages that can be vulnerable to XSS, failure to properly sanitise user input within ActionScript allows these vulnerabilities to arise. Additionally, there exist a few vulnerabilities that are specific to ActionScript itself.

[ LOCATING THE SWF ]

After placing the ASD in my line of sight (LoS), I began looking for vulnerabilities. Generally, with any target in the wild, I begin by manually auditing its HTTP content for the OWASP Top 10. I immediately identified one of the most basic vulnerabilities there is: XSS. After spending a few minutes trying to bypass their WAF, I decided that I was unlikely to get past the filters ASD had in place. Instead, I looked for an alternative route to pop the alert(). This led me to search for SWF files within the ASD's domain space (*.asd.gov.au). After submitting a few queries to an indexed search engine, I located several SWFs, all belonging to the main domain.

[ CONDUCTING A WHITE-BOX ANALYSIS ]

After pulling the SWFs via wget, the local files were decompiled into .flr files using flare (an SWF decompiler). The decompiled source could then be opened in any text editor, and a vulnerability audit via code analysis was initiated.

Through this process, one of the several SWFs was identified as containing a vulnerability that allowed an external user to alter a variable's input, thereby breaching the integrity of the file's behaviour. Below you'll find an extract containing the vulnerable segment of the source.


[...]

button 48 {
    on (release) {
        // clickTag is a flashvar: whatever is supplied in the query string lands in _level0.clickTag
        var str = (_level0.clickTag != undefined) ? _level0.clickTag : ''; // fallback branch not recovered from the decompiled extract; empty string assumed
        // the caller-controlled string is passed straight to getURL() with no scheme or host check
        getURL(str, '');
    }
}

[...]
The above illustrates a vulnerability in the clickTag flashvar. During the analysis, it was discovered that the clickTag flashvar is tied to the release of button 48. This 'button' was mapped to the entire Flash movie, meaning that the value stored in this flashvar is used strictly on the condition that the victim/user clicks anywhere on the movie itself. This vulnerability therefore requires a form of social interaction for successful exploitation, as the user must click on the Flash movie to trigger the malicious client-side script. However, since the Flash movie prompts the user to click via 'Start Here', it's likely that the end user will perform this interaction.

The clickTag flashvar was originally declared to redirect the user to an informative page within the ASD's HTTP content. However, because of the lack of variable/parameter definition, the lack of input sanitisation, the use of the unsafe getURL() method, and the use of insecure global variables (i.e. _level0, _root, _global, etc.), an attacker is able to control the behaviour of the vulnerable flashvar. This is achieved by assigning malicious values to that flashvar and supplying them via GET. In this particular scenario, this permitted unvalidated/open redirects, as well as execution of malicious client-side scripts via the following XSS vector: 'javascript:MaliciousScriptHere'.

[ PROOF OF CONCEPT ]

0x01: Unvalidated Redirect
http://asd.gov.au/videos/cyber-main-small.swf?clickTag=//example.com

0x02: Cross Site Scripting (XSS)
http://asd.gov.au/videos/cyber-main-small.swf?clickTag=javascript:confirm(document.cookie)

It should be noted that cookies cannot be stolen, as the HttpOnly flag is set. Nevertheless, this vulnerability could have been leveraged for payload delivery in more sophisticated attacks, trading on the ASD's reputation.

ret2eax@h0m3cr3w:~$ curl -I asd.gov.au

HTTP/1.1 200 OK
Date: REDACTED
Content-Type: text/html
Connection: keep-alive
Set-Cookie: REDACTED; REDACTED; path=/; domain=.asd.gov.au; HttpOnly
Last-Modified: REDACTED
Vary: Accept-Encoding
Server: REDACTED
CF-RAY: REDACTED
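As an added example (not code from the ASD's SWF or from this post), here is the shape of a safe clickTag handler, written in JavaScript because ActionScript 2 is ECMA-based and the same checks port directly into the on(release) handler; the allowlist, base origin and destination table are assumptions. It rejects both proof-of-concept values above and shows the preferable design in which clickTag selects a fixed destination instead of carrying a URL at all.

```javascript
// Added example, not the ASD's code. Allowlist, base origin and the
// destination table are assumptions made for illustration.
const ALLOWED_HOSTS = ['asd.gov.au', 'www.asd.gov.au']; // assumed allowlist
const BASE = 'https://asd.gov.au/';                      // assumed page origin

// Preferred fix: clickTag names a destination and never carries a URL,
// so the movie can only navigate to targets it shipped with.
const DESTINATIONS = {                                   // constructed table
  'cyber-guidance': 'https://asd.gov.au/infosec/',
  'contact':        'https://asd.gov.au/contact.htm',
};

function resolveDestination(clickTag) {
  // hasOwnProperty guards against keys like '__proto__' or 'constructor'
  return Object.prototype.hasOwnProperty.call(DESTINATIONS, clickTag)
    ? DESTINATIONS[clickTag]
    : null; // unknown key: navigate nowhere rather than to user input
}

// Fallback when a URL must be accepted: parse it against the page origin,
// then require an http(s) scheme and an allowlisted host. Both PoC values
// fail: '//example.com' resolves to a foreign host, and
// 'javascript:confirm(document.cookie)' carries a non-http scheme.
function safeClickTarget(clickTag) {
  if (typeof clickTag !== 'string' || clickTag.length === 0 || clickTag.length > 2048) {
    return null;
  }
  let url;
  try {
    url = new URL(clickTag, BASE);  // resolves relative paths and '//host' forms
  } catch (e) {
    return null;                    // unparsable input is rejected outright
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!ALLOWED_HOSTS.includes(url.hostname.toLowerCase())) return null;
  if (url.username || url.password) return null; // reject 'user@host' lookalikes
  return url.href;                  // normalised absolute URL, safe to hand to getURL()
}
```

The embedding page should additionally set allowScriptAccess="never" on the object/embed tag, which stops getURL('javascript:...') from reaching the browser regardless of the SWF's own checks.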

[ NOTIFICATION & DISCLOSURE TIMELINE ]
28 September 2016 at 08:28 GMT	Vulnerability reported via Open Bug Bounty
29 September 2016 at 07:31 GMT	Notification sent to generic security emails
29 September 2016 at 07:31 GMT	Vulnerability verified and confirmed
7 October 2016 at 09:44 GMT	Vulnerability patched and marked as fixed
9 October 2016 at 03:21 GMT	Vulnerability details publicly disclosed