Gainover · 2014/04/17 10:59
0x00 Foreword
The following is a demo video showing how a Flash XSS rootkit vulnerability was used to steal Taobao/Alipay account passwords. The vulnerability has since been fixed.
Because the video-hosting sites would not approve the upload, I can only give a URL:
Static.wooyun.org/files/taoba…
If your connection is fast, you can download and watch the high-definition version:
Static.wooyun.org/files/taoba…
At the end of February our PKAV team reported this vulnerability to Ali (Taobao/Alipay) through WooYun (http://www.wooyun.org/index.php). The title of the report looks a little alarming, but it is definitely not clickbait. After watching the video demo, WooYun's vulnerability reviewers gave it a vivid and somewhat aggressive name: "mine-burying attack".
Why "mine burying"? This article will explain.
At that time Ali had just launched a 5W (50,000) reward plan. Someone asked me why this vulnerability was not reported to ASRC (Alibaba Vulnerability Emergency Response Center), whereas reporting it to WooYun brought no reward.
My answer was: "The idea came from WooYun, so repay WooYun."
My team and I prefer, and agree with, WooYun's transparent disclosure mechanism. From our own perspective we can learn from it; from the user's perspective, it at least lets users know what happened and how to protect themselves. Just think: if the vulnerability had been used by hackers to steal users' accounts and passwords, and the vendor fixed it quietly one day, users would have no idea the bug ever existed or how their passwords were stolen.
From the vendor's point of view: "Damn! Stop scaring users with vulnerabilities!"
What follows walks you through the story of this vulnerability, which came from WooYun and went back to WooYun.
0x01 The first vulnerability report
This interesting bug was originally reported on WooYun by the white hat Neobyte (WooYun: A Flash 0day causes Taobao.com stored XSS (can form a permanent backdoor)). The report describes how, in some Flash applications, the combination of the Local Shared Object (hereinafter LSO) with ExternalInterface.addCallback leads to an XSS vulnerability. Since there had been no similar reports before, from the developer's point of view this class of vulnerability is inconspicuous and hard to defend against. Let's first look, from the developer's perspective, at the flow chart of a "read Flash local cache" feature implemented through JS/AS interaction:
In this diagram, red arrows represent function calls and blue arrows represent the flow of user data. The average developer only cares whether the feature works; a security-conscious developer will notice that the data obtained by jsGetData needs to be filtered before it enters the DOM. What security issue arises if you don't? P.Z. gave a good example of that on WooYun (WooYun: XSS vulnerability on Taobao). But now we come to the worst case: "Whether you are a security-conscious programmer or not, you are likely to fall into this pit!"
What kind of pit is it?
We need to look more closely at what happens when JavaScript calls a function interface exposed by Flash. The figure below shows how calling jsGetData retrieves Flash's locally cached data:
This is the normal flow for retrieving data. Assuming the data stored in the LSO is AAAAAAAAAAAA, the value of our data variable ends up as AAAAAAAAAAAA, which is of course the ideal situation.
If you know anything about DOM XSS: eval is evil! (See our series "Those Years We Learned XSS Together – 10. DOM XSS Advanced (Meeting eval)".) So you can imagine the following. When the stored data comes back from the LSO, what effectively executes is:
```javascript
eval('"AAAAAAAAAAAA"');
```
If we replace the stored data with:
```javascript
AAAAAA"; alert(1); //AAAAAA
```
Returning the data will execute:
```javascript
eval('"AAAAAA"; alert(1); //AAAAAA"');
```
As you can see, we inserted alert(1) into the data handed to eval, and when eval runs, a pop-up appears! (You can open the F12 console and paste the code above to try it.)
However, that is only a hypothetical. Flash actually escapes the returned data, turning double quotes (") into backslash + double quote (\"), so when we change the stored data as above, what really executes is:
```javascript
eval('"AAAAAA\"; alert(1); //AAAAAA"');
```
This escaping kills the idea above. But Flash only escapes double quotes ("); it does not escape backslashes (\). So we just modify the stored data as follows:
```javascript
AAAAAA\"; alert(1); //AAAAAA
```
The returned data will be:
```javascript
"AAAAAA\\"; alert(1); //AAAAAA"
```
Eval then evaluates the returned content as script:
```javascript
eval('returned content');
```
The double quote (") is escaped to backslash + double quote (\"), but that escaping backslash is itself escaped by the backslash we added.
To test the effect in the console, run:
```javascript
eval('"AAAAAA\\\\"; alert(1); //AAAAAA"');
```
// Thanks to @piaca for pointing this out and correcting it: when the content is written as a JS string literal, the backslashes themselves have to be escaped.
Summary: if we can store malicious data in the LSO, then when the HTML page calls jsGetData in JavaScript, which in turn calls asGetData in ActionScript to read the malicious data from Flash's local storage, our malicious code is triggered.
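As an added example that is not part of the original post, here is a JavaScript model of the return path just described: a serialiser that escapes only the double quote (the behaviour the post attributes to Flash), the eval step on the page, a round-trip check that detects when stored data breaks out of the string literal, and the backslash filter the post later recommends for developers. The function names, the sample strings, and the harmless marker expression 42 standing in for the post's alert(1) are all constructed for this demo.

```javascript
// Added example (not code from the original post or from Taobao): a model of
// how a String returned by an ExternalInterface callback reaches the page, and
// a check that the ActionScript-side filtering is sufficient.

// Model of Flash's serialisation of a String return value: only the double
// quote is escaped, a backslash is passed through untouched (as the post
// describes).
function flashSerialize(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// The page-side step the post describes: the serialised value is evaluated.
function deliverToPage(value) {
  return eval(flashSerialize(value));
}

// Round-trip check: after the return path the page must receive exactly the
// stored string. If the result differs (or is not even a string), the stored
// value escaped the string literal and was interpreted as code.
function roundTripsSafely(stored) {
  let result;
  try {
    result = deliverToPage(stored);
  } catch (e) {
    return false; // a syntax error also means the literal was broken
  }
  return typeof result === 'string' && result === stored;
}

// The filter the post recommends: drop backslashes before the value leaves
// ActionScript (simulated on the JS side here).
function asFilter(value) {
  return value.replace(/\\/g, '');
}

// Constructed samples modelled on the post's AAAAAA strings. The expression
// 42 stands in for alert(1); it simply becomes eval's completion value.
const benign = 'AAAAAAAAAAAA';
const quoteOnly = 'AAAAAA"; 42; //AAAAAA';      // stopped by the quote escaping
const withBackslash = 'AAAAAA\\"; 42; //AAAAAA'; // the post's bypass

function demo() {
  return {
    benign: roundTripsSafely(benign),               // true
    quoteOnly: roundTripsSafely(quoteOnly),         // true: escaping works here
    withBackslash: roundTripsSafely(withBackslash), // false: literal broken
    injectedResult: deliverToPage(withBackslash),   // 42, i.e. code ran
    filtered: roundTripsSafely(asFilter(withBackslash)), // true after filtering
  };
}
```

Used as a unit test on the ActionScript side's output, roundTripsSafely is the check a developer can run over every value that may contain user data: anything that does not come back unchanged and as a string has been interpreted as code rather than data.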
Next question: how do we get our malicious data into the LSO? The most brute-force method: grab your computer, unplug the network cable, open up the hard disk and change it by hand! , & @… ! % &! % @… Be gentle, be gentle!
In our first diagram, the developers implemented this for us as well:
```
jsSetData -> asSetData -> LSO
```
In other words, we can modify the data in the LSO by calling jsSetData from JavaScript. However, for security reasons, the external function interfaces provided by Flash cannot be called from just anywhere. By default, only web pages under http://A.com can call the function interface provided by a Flash file hosted under http://A.com, as shown below:
So under the default security settings there is no direct way to modify the data. In addition, the cache used by Flash files under each domain is independent, so normally we cannot use a Flash file on http://B.com to modify the Flash cache of http://A.com.
However, a "JS read/write Flash cache" module like this naturally calls for one feature: write once, available everywhere. From a development point of view this is natural and very, very convenient. So the developers added the following line to the code:
```actionscript
Security.allowDomain("*");
```
(from the Flash CS4 Professional ActionScript 2.0 reference), which breaks the default Flash security setting described above: any web page, under any domain name, can now call the addCallback interfaces provided by Flash files on A.com.
With that we can put together the schematic diagram of the whole vulnerability:
This diagram has a lot of arrows. Take the victim as the starting point: a hacker creates a malicious page, and when the victim visits it, the page performs a series of operations that store malicious data in the LSO. This step is called "mine burying". Where can mines be buried? The answer is: lots of places, for example:
Crude: hacker A sends you a link and you click it.
Less noticeable: while you are clicking around a web page!
A bit more advanced: you read a hacker's blog/log, or the hacker leaves a message or comment on your Qzone log with XSS code embedded (combined with a QQ XSS vulnerability), and you open it.
Even more advanced: one day your QQ receives a gift message (the Qzone gift feature XSS could attack any designated QQ user), or one day a stranger's QQ dialog box pops up (the XSS that spread via microblog in the QQ chat client could log in to and control other people's accounts).
In short, if someone sets their mind to it, the chance that you get mined is very high.
Once mined, when the victim visits the target site again (Taobao or Alipay in this case), the malicious code planted by the hacker fires. Boom! The mine explodes! In practice, of course, hackers are unlikely to make a noisy "Boom!"; they would rather use a silent "mine" to quietly steal the victim's account and password.
Having typed so much and posted so many pictures, do you think the potential harm of this vulnerability is large? I certainly do, but look at the vendor's response to Neobyte's submission:
```
Damage level: Vulnerability Rank: 8
```
Yes, the vendor didn't seem to feel the harm.
0x02 The second vulnerability report
On October 24, 2013, I was able to view the details of Neobyte's submission, so I studied it. Since I had also studied Flash, after understanding the cause I downloaded the vulnerable Flash file mentioned in the report (acjstb.aliyun.com/actionlog/f…). Here is the fix code:
```actionscript
public function getlso():String{
    var _local1:SharedObject = SharedObject.getLocal("kj");
    var _local2:RegExp = new RegExp("[a-zA-Z]"); // reject any value containing a letter
    if (_local1.data.key == undefined){
        return ("");
    };
    if (_local2.test(_local1.data.key)){
        this.setlso(""); // wipe the stored value and return nothing
        return ("");
    };
    return (_local1.data.key);
}
```
For business purposes, the data Taobao stores in this LSO never needs letters, while malicious code needs letters (alert, for example). So the developers added a regex check: "if the retrieved data contains letters, return an empty string." Yes, it looks fixed, but problems remain. First, the developers did not filter out the backslash (\) that actually enables the harm; second, JavaScript functions can be called without any letters at all. Take a look:
```javascript
// We can create a function like this:
new Function("alert(1)");
// and call it:
new Function("alert(1)")();
// Function can also be reached through a string's method constructor:
"...".substr.constructor("alert(1)")();
"..."["substr"]["constructor"]("alert(1)")();
// and the strings can be written with octal escapes:
"..."["\163\165\142\163\164\162"]["\143\157\156\163\164\162\165\143\164\157\162"]("\141\154\145\162\164\50\61\51")();
```
This lets us execute alert(1) without any letters. Using the construction technique from the previous section, we simply replace the AAAAAAAAAAAAAA with the following code:
```javascript
...\"["\163\165\142\163\164\162"]["\143\157\156\163\164\162\165\143\164\157\162"]("\141\154\145\162\164\50\61\51")()//...
```
The vulnerability reappeared. Although I had already thought about how much harm this vulnerability could do in phishing, I didn't have the motivation to do a phishing demonstration then; Ali had just fixed it, and out of technical goodwill I only wanted to remind the developers to fix it properly. So I "shamelessly" logged in with my other alt account and posted a sequel: WooYun: A Flash 0day causes Taobao stored XSS [sequel]. I gave the bug a self-rating of 8, because the original author Neobyte also got only 8 and I didn't dare ask for more. Instead, they gave me only 5:
```
Damage level: Medium  Vulnerability Rank: 5
```
0x03 The third vulnerability report
Well, I have to say: why a third time? Mainly because of that 5! Personally, if a vulnerability is fixed and then bypassed, that is a more serious situation; it shouldn't get a 5, it should at least get a 6, no? That 5 greatly stimulated my "desire for revenge" and made me want to bypass their fix again and then do a large-scale phishing demonstration to show them that this can never be a 5!! But this time there was no good way around their fix. Still, every few days I kept studying it; as the saying goes, don't fear the thief who steals, fear the thief who keeps you in mind… Until one day I noticed the fix in the Flash file had been changed, and at a glance I could see it had been changed again. The new fix code is as follows:
```actionscript
private function getlso():String{
    var _local1:SharedObject = SharedObject.getLocal("kj");
    var _local2:RegExp = new RegExp("[\\({]"); // intended to reject \, ( and {
    if (_local1.data.key == undefined){
        return ("");
    };
    if (_local2.test(_local1.data.key)){
        this.setlso("");
        return ("");
    };
    return (_local1.data.key);
}
```
As you can see, the regular expression _local2 only filters ( and {, while as mentioned earlier the correct filter should filter \. After the first two rounds I would have thought the security staff were aware of the harm of \, so why this filtering error? I gave the following guesses in the vulnerability description, and after confirmation the answer is B. After all, I've been writing code for years, and RegExp is a pit I've fallen into several times myself.
A. The person handling the vulnerability didn't read my fix suggestion and just passed the report on to the developers.
B. [\\({] was meant to be the set of \, ( and {. In fact, when creating the RegExp you need to write [\\\\({], because \ is an escape character in the string and also an escape character in the regex.
Of course, this regex does block ( and {, so can JavaScript still be executed? The answer is yes, for example:
```javascript
location.href="javascript:alert%281%29";
```
This executes JS via location.href, with the parentheses and curly braces URL-encoded.
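The RegExp pit from guess B is easy to verify with a few assertions, and that is what a reviewer of the fix should have done. The block below is an added example, not code from the post or from Taobao: it builds both patterns from string literals exactly as the AS3 fix does (JavaScript and ActionScript 3 share the same ECMAScript string and regex escaping rules), shows what each pattern actually compiled to, and runs the post's getlso() logic against a constructed stored value containing a backslash.

```javascript
// Added example: does the filter RegExp built from a string really match a
// backslash? The two patterns mirror the post's fix and its corrected form;
// the stored sample value is constructed for this demo.

// The post's fix: the string is [\({], so the class contains only ( and {.
const wrongPattern = new RegExp("[\\({]");
// The corrected form: the string is [\\({], so the class contains \, ( and {.
const rightPattern = new RegExp("[\\\\({]");

// What the regex engine actually received, for inspection.
function compiledSource(re) {
  return re.source;
}

function matchesBackslash(re) {
  return re.test('AAAA\\"; 1; //'); // stored value carrying a backslash
}

function matchesParen(re) {
  return re.test('a(b');
}

// The getlso() logic from the post, parameterised by the filter pattern:
// returns "" when the stored key is absent or fails the filter.
function getlso(storedKey, pattern) {
  if (storedKey === undefined) return '';
  if (pattern.test(storedKey)) return '';
  return storedKey;
}

function demo() {
  const stored = 'AAAA\\"; 1; //';
  return {
    wrongSource: compiledSource(wrongPattern), // [\({]
    rightSource: compiledSource(rightPattern), // [\\({]
    wrongBlocksBackslash: matchesBackslash(wrongPattern), // false: bypassed
    rightBlocksBackslash: matchesBackslash(rightPattern), // true
    wrongResult: getlso(stored, wrongPattern), // value passes through
    rightResult: getlso(stored, rightPattern), // ""
  };
}
```

Printing re.source next to the string literal the developer wrote is the quickest way to catch this class of mistake in review: if the backslash you meant to match is not visible in the compiled source, it is not in the character class.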
Well, there it was again, and this time I didn't want another miserable 5! So I took the time to write code that actually works, recorded the video at the top of this article, and wrote a report (WooYun: A vulnerability that allows massive, silent theft of Taobao/Alipay accounts and passwords – video demonstration of the mine-burying attack). This time Ali gave me 15, but still not the 20 I wanted. Well, from the user's point of view it is definitely worth 20, but vendors don't always think from the user's side.
```
Damage level: High  Vulnerability Rank: 15  Confirmation time: 2014-02-26 10:25
```
0x04 For developers
Note addCallback: when using addCallback in Flash to expose function interfaces to the outside, if the corresponding AS function returns a String, Array or Object and the returned data contains attacker-controllable data, you are advised to filter the return value, at a minimum removing backslashes (\). Without such filtering, a case like WooYun XSS-14 can occur. I won't give specific filtering code here, as I'm sure the average developer's AS is better than mine; here is the pseudo-code:
```actionscript
function asFunction():String {
    var data:String = "xxx";
    var obj:Object = {"name": "user-controllable data"};
    ...
    data = filter(data);            // filter the string
    obj = traverseAndFilter(obj);   // walk the object and filter every string in it
    return data;                    // or return obj
}
```
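A concrete version of the traverseAndFilter pseudo-code above, written in JavaScript as an added example (not code from the post or from Taobao): it takes a String, Array or Object return value, walks it recursively, and strips backslashes from every string it finds, with a depth guard and an audit helper that reports whether any backslash survived. The function names and the sample object are constructed; treating object keys the same way as values is an assumption made here for safety.

```javascript
// Added example: recursive backslash filter for an addCallback return value,
// following the post's advice to remove backslashes from controllable data
// before it is returned to the page. Names and sample data are constructed.

function stripBackslashes(s) {
  return s.replace(/\\/g, '');
}

// Returns a filtered copy; the original value is left untouched.
function filterReturnValue(value, depth = 0) {
  if (depth > 32) {
    throw new Error('return value nested too deeply');
  }
  if (typeof value === 'string') {
    return stripBackslashes(value);
  }
  if (Array.isArray(value)) {
    return value.map((item) => filterReturnValue(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      // Keys are strings too; assumption: treat them like values.
      out[stripBackslashes(key)] = filterReturnValue(value[key], depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Audit helper: true if any string anywhere in the value still holds a backslash.
function containsBackslash(value) {
  if (typeof value === 'string') return value.includes('\\');
  if (Array.isArray(value)) return value.some(containsBackslash);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => containsBackslash(k) || containsBackslash(value[k])
    );
  }
  return false;
}

// Constructed sample resembling the {"name": ...} object in the pseudo-code,
// with backslashes placed in a value, an array element and a key.
const sampleReturn = {
  name: 'user\\"; 1; //',
  tags: ['ok', 'x\\y', 7],
  nested: { 'k\\ey': 'v\\' },
};

function demo() {
  const filtered = filterReturnValue(sampleReturn);
  return {
    before: containsBackslash(sampleReturn), // true
    after: containsBackslash(filtered),      // false
    filtered,
  };
}
```

Stripping is deliberately chosen over escaping: an escaped backslash is still a backslash once it reaches the page-side eval, which is exactly the layer the post shows being bypassed. If the business data legitimately needs backslashes, encode the value (for example hex or base64) on the AS side and decode it in JavaScript instead.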
Don't abuse Security.allowDomain("*"): unless you really, really, really need it, restrict allowDomain to the specific domain names required, and don't use * for convenience. Using * can also lead to other security issues.
0x05 For ordinary users
Because this class of vulnerability is so subtle, there is probably no security software that protects against such attacks. And since most vendors don't fix similar problems, we can't rely on them either. If we clear the Flash Player cache as regularly as possible, in theory we can greatly reduce the harm such vulnerabilities can do.
Flash's local cache is stored in a directory named #SharedObjects. If you use Everything, you can search for all #SharedObjects directories and then delete the contents of the subdirectories under them (the ones whose names consist of 8 digits/letters). (Of course, deleting data under #SharedObjects may cause some Flash games or Flash apps to re-download their data, but security is more important than that.)
If you don't use Everything, the table below lists the Flash cache directories for IE and Chrome; find the corresponding directory and clean it up. Users of other browsers (360, Sogou, etc.) can search for SharedObjects under the C: drive and delete accordingly.
```
Internet Explorer
  C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\#SharedObjects\   (Windows XP)
  C:\Users\<username>\AppData\Macromedia\Flash Player\#SharedObjects\   (Windows 7)
Chrome
  C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\<user directory>\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects   (Windows XP)
  C:\Users\<username>\AppData\Local\Google\Chrome\User Data\<user directory>\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects   (Windows 7)
* <user directory> may be Profile<number> or Default
```
Security guard software provides a junk-cleaning feature, but Flash cache clearing may not be enabled in the default settings, so you need to select Flash Player cache clearing manually. Taking Kingsoft Guard as an example: Clean junk -> Junk files generated by other common software -> Flash Player cache. However, this may not clean everything (it does not clean Chrome's Flash cache, for example), so it is recommended to clean manually as described above.
0x06 Afterword
Although this vulnerability's title says "steal Taobao/Alipay accounts and passwords", some people think: the attacker still doesn't know the payment password, so it doesn't matter! However, the potential harm of this vulnerability is not limited to Taobao/Alipay accounts and passwords. Just think: if the Taobao login page is combined with a QQ XSS vulnerability, what information can be obtained? The Taobao/Alipay account and password, the QQ account and QQ-related information (for what a QQ XSS can do, see jannock's WooYun: Cross-site scripting – the battlefield can go further (on Tencent's architectural flaws); the situation has improved since 2012, but it still doesn't look good). In addition, the passwords on Taobao/Alipay accounts that involve cash are usually high-strength, and the Alipay login password may well be the same as the QQ password, so once such passwords are leaked, more serious information leakage may follow.