
Cross-site scripting in Gmail via Flash

Source: reposted Author: anonymous Date: 2010-04-22

Source: blog.watchfire.com

Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers).


// Parameters come straight from the URL that loaded the SWF (user input).
var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;
API_ID = "apiId" in flashParams ? (String(flashParams.apiId)) : ("");
API_INIT = "apiInit" in flashParams ? (String(flashParams.apiInit)) : ("onUploaderApiReady");
...
if (ExternalInterface.available) {
    // API_INIT names the JavaScript function to call; API_ID is its argument.
    ExternalInterface.call(API_INIT, API_ID);
}

A snippet from uploaderapi2.swf

The code above is vulnerable to a script injection attack: setting apiInit to eval and apiId to arbitrary JavaScript code results in the execution of that JavaScript in the context of mail.google.com (the Gmail domain). Hence, by luring victims to load a maliciously crafted link, attackers could execute malicious JavaScript in the context of active Gmail sessions and fully impersonate their victims (manipulate and steal sensitive information from their accounts). Like other script injection attacks, a real-world attack could be refined by using techniques such as loading the malicious link in a hidden IFrame.

As can be seen in the screenshot below, before Google patched the aforementioned flaw, loading the following link popped-up an alert message with the cookies that are associated with Gmail’s domain:
https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=alert(document.cookie).

[Screenshot: Gmail script injection]

Transparent Attack

As presented in Stefano Di Paola's well-known presentation, one of the interesting characteristics of Flash attacks is the ability to mount transparent attacks in browsers such as Firefox and Google Chrome. Because Flash runs on the client side, the malicious payload (in this case, the values of apiInit and apiId) can be hidden from the server by adding the '#' sign before the query part of the URL: https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=alert(document.cookie).

That way, the attacked browser sends a parameter-less request for https://mail.google.com/mail/uploader/uploaderapi2.swf (uploaderapi2.swf is loaded by Gmail with no parameters by default), so the server regards the request as standard and not alarming in any way. Exploitation still succeeds, however, because the Flash player reads the whole URL, including the attack payload that follows the '#' sign.

Remediation

The first parameter that is passed to ExternalInterface.call() determines the JavaScript function name to be executed. This parameter (API_INIT) has been updated to contain a hardcoded value (‘onUploaderApiReady’) and does not rely on external user-input any more.
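To make the two points above concrete (the fragment trick that keeps the payload out of the server's request log, and the difference between a caller-chosen callback name and a fixed one), here is an added JavaScript model. It is not part of the original post or of Gmail's code; the function names, the INJECTED_JS placeholder and the reading of a '#?...' fragment as a second parameter source (as the post describes the Flash player's behaviour) are assumptions made for the illustration.

```javascript
// Added model of the uploaderapi2.swf issue; not Gmail's or Watchfire's code.
// Function names and the INJECTED_JS placeholder are constructed for this example.

// URL shapes from the post, with the JavaScript payload replaced by a placeholder.
const DIRECT_URL = 'https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=INJECTED_JS';
const TRANSPARENT_URL = 'https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=INJECTED_JS';

// What the server (and its access log or WAF) receives: only the part before '#'.
function serverQuery(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// What the client-side player reads, as the post describes it: the whole URL,
// so a query placed after '#' still yields apiInit and apiId.
function flashParams(url) {
  const u = new URL(url);
  const fragmentQuery = u.hash.startsWith('#?') ? u.hash.slice(2) : '';
  return Object.fromEntries([...u.searchParams, ...new URLSearchParams(fragmentQuery)]);
}

// Unsafe resolution, mirroring ExternalInterface.call(API_INIT, API_ID) with a
// caller-chosen API_INIT: any global function name, including "eval", resolves.
function resolveUnrestricted(name) {
  const fn = globalThis[name];
  return typeof fn === 'function' ? fn : null;
}

// Hardened resolution: the callback name comes from a fixed allowlist, which is
// the effect of the fix (API_INIT hardcoded to 'onUploaderApiReady').
const ALLOWED_CALLBACKS = new Set(['onUploaderApiReady']);
function resolveCallback(name) {
  if (!ALLOWED_CALLBACKS.has(name)) {
    throw new Error(`callback ${JSON.stringify(name)} is not allowed`);
  }
  return globalThis[name];
}

// The hosting page's legitimate callback (constructed stand-in).
globalThis.onUploaderApiReady = function (apiId) {
  return `uploader ready for ${apiId}`;
};
```

Running serverQuery and flashParams on TRANSPARENT_URL shows the server seeing no parameters while the client still obtains apiInit=eval, which is why server-side monitoring alone could not catch this variant.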

Acknowledgments

I would like to thank the Google security team for their quick responses and the efficient way in which they handled this security issue.
