Popular websites such as Instagram, eBay, Tumblr and others using JSON with Padding or JSONP remain vulnerable to an exploit tool released today as a proof of concept against a vulnerability in Adobe Flash Player.
Adobe today released an updated version of Flash that patches the vulnerability discovered and reported by Google engineer Michele Spagnuolo. Google, Youtube and Twitter have already fixed the problem on their ends.
Spagnuolo’s tool called Rosetta Flash converts binary SWF files into a file made up of just alpha numeric characters. On sites that accept SWF uploads, an attacker could use the tool to convert a malicious SWF file so that it can be passed as a JSONP callback and then reflected by the endpoint, Spagnuolo said in a blogpost. He added that a vulnerable endpoint could be forced to perform arbitrary requests to the vulnerable domain and lose data to an attacker-controlled site.
“This is a well-known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented,” Spagnuolo said. “This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.”
Rosetta Flash requires three factors be present: SWF files must perform GET and POST requests with a cookie to the host domain without a crossdomain.xml check in place; JSONP must be supported because it would allow an attacker to control the first few bytes of output by specifying the callback parameter in the request URL, he said; and SWF files embedded on an attacker’s domain would use a particular content type in order to execute the converted file as Flash.
“This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain,” Spagnuolo said.
In order to convert the binary SWF file to alphanumeric, Rosetta Flash uses a mashup of zlib compression, Huffman encoders and ADLER32 checksum brute-forcing to map legitimate bytes that are not normally allowed in a Flash file.
“Naturally, since we are mapping a wider charset to a more restrictive one, this is not a real compression, but an inflation,” Spagnuolo said. “We are effectively using Huffman as a Rosetta stone.”
Spagnuolo said he will present the vulnerability and tool at Hack in the Box Malaysia in October; Rosetta Flash is explained also in slides (PDF).
Today’s Flash update, meanwhile, brings the player up to version 18.104.22.168 for Windows and Mac, and 22.214.171.1248 for Linux. Three CVEs are patched in the update, two others in addition to the Spagnuolo issue; all of which are rated critical for Windows and Mac.
“These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs,” Adobe said in its advisory.