Adobe Flash Player ActionScript SecurityErrorEvent绕过安全限制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189477 漏洞类型 权限许可和访问控制
发布时间 2007-08-09 更新时间 2009-02-09
CVE编号 CVE-2007-4324 CNNVD-ID CNNVD-200708-191
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/25260
https://cxsecurity.com/issue/WLB-2007080062
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-191
|漏洞详情
FlashPlayer是一款非常流行的FLASH播放器。FlashPlayer中的ActionScript3(AS3)允许远程攻击者通过指定了连接的SWF电影绕过安全沙盒模型获得敏感信息并端口扫描任意主机,然后使用SecurityErrorEvent错误的定时差异判断端口是否开放。AS3Adobe引入了新的套接字相关事件SecurityErrorEvent。当FlashPlayer试图连接到关闭的TCP端口时会立即出现SecurityErrorEvent,如果服务在监听该端口FlashPlayer会写出字符串然后等待服务的响应,但几乎没有TCP服务会响应这个请求,因此当用户试图连接到不允许SWF的套接字时,如果在2秒钟内没有得到SecurityErrorEvent,则该端口是开放的。
|漏洞EXP
Design flaw in AS3 socket handling allows port probing

# Summary
Due to a design flaw in ActionScript 3 socket handling, compiled
Flash movies are able to scan for open TCP ports on any host
reachable from the host running the SWF, bypassing the Flash Player
Security Sandbox Model and without the need to rebind DNS.

# Technical background
In AS3 Adobe introduced a new socket-related event called
SecurityErrorEvent. This event is always thrown when a Flash Player
tries to connect to a socket that it is not allowed to connect to by
policy.

The problem with the SecurityErrorEvent is that it's thrown
immediately when a Flash Player tries to connect to a closed TCP
port. If a service is listening on that port the Flash Player writes
the string "<policy-file-request/>" and waits for response from the
service. Nearly no TCP-service will respond to this request.

We can assume the following: When trying to connect to a socket that
the SWF is not allowed to and it doesn't get a SecurityErrorEvent
within 2 seconds the port is most likely open.

A new Flash player instance is used for every probed port because the
Flash Player sends only one policy-file request per player per host
per port.

# Tested platforms
Works on:
* Windows XP SP2: Internet Explorer 6 / Flash Player 9.0.47.0
* Windows XP SP2: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Windows XP SP2: IE 7.0.5730.11 Flash Player 9.0.47.0
* Ubuntu Edgy: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Firefox 2.0.0.6 / Flash Player 9.0.47.0
* Solaris 10 i86: Firefox 2.0.0.3 / Flash Player 9.0.47.0
Doesn't work as expected on:
* Mac OSX 10.4.10: Opera 9.22 / Flash Player 9.0.47.0

# Known limitations
* The Scanner does not work on services that close the TCP-
Connection immediately after they receive Bytes that they don`t
"understand". The port is reported as closed because the
SecurityErrorEvent is thrown when the TCP-Connection is closed.
* The Scanner does not always work as expected when scanning
hosts located in the internet (e.g. google.com). This maybe happens
due to stateful inspection firewalls that close the connections or
long TCP-response times.

# Disclosure Timeline
* 2007/07/23: Problem discovery
* 2007/07/24: PoC available
* 2007/07/25: Vendor notification
* 2007/08/09: Public demonstration at CCCamp

# Possible Fixes
Flash-Player Side (Adobe)
* TOTALLY REMOVE the SecurityErrorEvent (it`s useless, it`s just
harder to find errors with socketservers without the event)
* Remove the SecurityErrorEvent in the Release-Players and keep
it in the debug players
* Make the SecurityErrorEvent behave EXACTLY the same for opened
an closed ports
User Side
* Disable Flash
* Only allow Flash from trusted sites
* Downgrade Player to Version 8

# Links
* Flex 2 Socket: http://livedocs.adobe.com/flex/2/langref/flash/
net/Socket.html
* Flex 2 SecurityErrorEvent: http://livedocs.adobe.com/flex/2/
langref/flash/events/SecurityErrorEvent.html
* Flash Player 9 Security white paper: http://www.adobe.com/go/
fp9_0_security
* Settings Manager: http://www.macromedia.com/support/
documentation/en/flashplayer/help/settings_manager06.html

# Live PoC scanner
* http://scan.flashsec.org/

# Source Code
* http://scan.flashsec.org/classes/Main.as (compile using Adobes
Flex2 SDK)

# Credits
* David Neu david.neu (at) gmail (dot) com [email concealed] Problem-Discovery and PoC
* fukami, SektionEins, http://sektioneins.de/
|受影响的产品
Turbolinux wizpy 0 Turbolinux FUJI 0 SuSE Suse Linux Enterprise Desktop 10 SP2 SuSE Suse Linux Enterprise Desktop 10 SP1 Sun Solaris 10_x86 Sun Solaris 10_sparc
|参考资料

来源:US-CERT
名称:TA07-355A
链接:http://www.us-cert.gov/cas/techalerts/TA07-355A.html
来源:BID
名称:25260
链接:http://www.securityfocus.com/bid/25260
来源:BUGTRAQ
名称:20070809DesignflawinAS3sockethandlingallowsportprobing
链接:http://www.securityfocus.com/archive/1/archive/1/475961/100/0/threaded
来源:REDHAT
名称:RHSA-2008:0980
链接:http://www.redhat.com/support/errata/RHSA-2008-0980.html
来源:REDHAT
名称:RHSA-2008:0945
链接:http://www.redhat.com/support/errata/RHSA-2008-0945.html
来源:REDHAT
名称:RHSA-2007:1126
链接:http://www.redhat.com/support/errata/RHSA-2007-1126.html
来源:VUPEN
名称:ADV-2008-2838
链接:http://www.frsirt.com/english/advisories/2008/2838
来源:VUPEN
名称:ADV-2007-4258
链接:http://www.frsirt.com/english/advisories/2007/4258
来源:www.adobe.com
链接:http://www.adobe.com/support/security/bulletins/apsb08-18.html
来源:www.adobe.com
链接:http://www.adobe.com/support/security/bulletins/apsb07-20.html
来源:www.adobe.com
链接:http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
来源:support.nortel.com
链接:ht