exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

as3socket.txt

as3socket.txt
Posted Aug 10, 2007
Authored by David Neu, fukami | Site sektioneins.de

Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.

tags | advisory, tcp
SHA-256 | 16d0c77c4bee6fdc5783a4fe10cd99ae05377191116b62123215f326a9483e6b

as3socket.txt

Change Mirror Download
Design flaw in AS3 socket handling allows port probing

# Summary
Due to a design flaw in ActionScript 3 socket handling, compiled
Flash movies are able to scan for open TCP ports on any host
reachable from the host running the SWF, bypassing the Flash Player
Security Sandbox Model and without the need to rebind DNS.

# Technical background
In AS3 Adobe introduced a new socket-related event called
SecurityErrorEvent. This event is always thrown when a Flash Player
tries to connect to a socket that it is not allowed to connect to by
policy.

The problem with the SecurityErrorEvent is that it's thrown
immediately when a Flash Player tries to connect to a closed TCP
port. If a service is listening on that port the Flash Player writes
the string "<policy-file-request/>" and waits for response from the
service. Nearly no TCP-service will respond to this request.

We can assume the following: When trying to connect to a socket that
the SWF is not allowed to and it doesn't get a SecurityErrorEvent
within 2 seconds the port is most likely open.

A new Flash player instance is used for every probed port because the
Flash Player sends only one policy-file request per player per host
per port.

# Tested platforms
Works on:
* Windows XP SP2: Internet Explorer 6 / Flash Player 9.0.47.0
* Windows XP SP2: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Windows XP SP2: IE 7.0.5730.11 Flash Player 9.0.47.0
* Ubuntu Edgy: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Firefox 2.0.0.6 / Flash Player 9.0.47.0
* Solaris 10 i86: Firefox 2.0.0.3 / Flash Player 9.0.47.0
Doesn't work as expected on:
* Mac OSX 10.4.10: Opera 9.22 / Flash Player 9.0.47.0

# Known limitations
* The Scanner does not work on services that close the TCP-
Connection immediately after they receive Bytes that they don`t
"understand". The port is reported as closed because the
SecurityErrorEvent is thrown when the TCP-Connection is closed.
* The Scanner does not always work as expected when scanning
hosts located in the internet (e.g. google.com). This maybe happens
due to stateful inspection firewalls that close the connections or
long TCP-response times.

# Disclosure Timeline
* 2007/07/23: Problem discovery
* 2007/07/24: PoC available
* 2007/07/25: Vendor notification
* 2007/08/09: Public demonstration at CCCamp

# Possible Fixes
Flash-Player Side (Adobe)
* TOTALLY REMOVE the SecurityErrorEvent (it`s useless, it`s just
harder to find errors with socketservers without the event)
* Remove the SecurityErrorEvent in the Release-Players and keep
it in the debug players
* Make the SecurityErrorEvent behave EXACTLY the same for opened
an closed ports
User Side
* Disable Flash
* Only allow Flash from trusted sites
* Downgrade Player to Version 8

# Links
* Flex 2 Socket: http://livedocs.adobe.com/flex/2/langref/flash/
net/Socket.html
* Flex 2 SecurityErrorEvent: http://livedocs.adobe.com/flex/2/
langref/flash/events/SecurityErrorEvent.html
* Flash Player 9 Security white paper: http://www.adobe.com/go/
fp9_0_security
* Settings Manager: http://www.macromedia.com/support/
documentation/en/flashplayer/help/settings_manager06.html

# Live PoC scanner
* http://scan.flashsec.org/

# Source Code
* http://scan.flashsec.org/classes/Main.as (compile using Adobes
Flex2 SDK)

# Credits
* David Neu david.neu@gmail.com Problem-Discovery and PoC
* fukami, SektionEins, http://sektioneins.de/



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close