http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
March 06, 2011
The other reason to beware ExternalInterface.call()
Adobe Flash has a function called ExternalInterface.call(...), which implements a JavaScript bridge to the hosting page. It takes two parameters: the first one is the name of the JavaScript function to call. The second one is a string to pass to this function.
It is understood that the first parameter should not be attacker-controlled (of course, mistakes happen :-). It is also understood that there is no inherent harm in putting user input in the second parameter, if the callback function itself is not behaving stupidly; in fact, Adobe documentation gives an example that follows this very pattern:
...
ExternalInterface.call("sendToJavaScript", input.text);
...
Such a call would be translated to an eval(...) statement injected on the embedding page. This statement looks roughly the following way:
try {
__flash__toXML(sendToJavaScript, "value of input.text"));
} catch (e) {
"<undefined/>";
}
When writing the supporting code behind this call, the authors remembered to use backslash escaping when outputting the second parameter: hello"world becomes hello\"world. Unfortunately, they overlooked the need to escape any stray backslash characters, too.
So, try to figure out what happens if the value of input.text is set to the following string:
Hello world!\"+alert(1)); } catch(e) {} //
I reported this problem to Adobe in March 2010. In March 2011, after following up, I received the following response:
"We have not made any change to this behavior for backwards compatibility reasons."
Caveat emptor :-)
解决时发现这个xss是攻击者利用了Adobe的一个已知漏洞,我们简称之为ExternalInterface.call 注入,此漏洞于2010.03已经被report给Adobe了,但是被Adobe拒绝修复,官方回复是: "We have not made any change to this behavior for backwards compatibility reasons." 详细可以参考:http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html 简单来说,Adobe flash里提供了一个调用外部js的方法 ExternalInterface.call(...),此方法有两个参数,第一个参数是要调用的js函数名,第二个参数是传递给这个函数的参数。这个call方法使用了eval实现函数的调用,最后生成的代码有一段是: try { __flash__toXML(js_function, "params"));} catch (e) { ""; } 很明显,参数params里面不能有“"”,以防止try块里面的函数调用被破坏,Adobe的开发人员也注意到了这一点,所以他们会转义掉“"”。 例如,params如果是xxx"yy,那么会转成xxx\"yy。 但是,他们忘了转义“\”,所以如果params是xxx\"yy,那么最后得到的是xxx\\"yy。 注入漏洞就此产生。 攻击者可以构造这样的params来进行xss攻击: 1:\",alert(1)));}catch(e){}// 2:\"))}catch(e){alert(2)}// 经由Adobe eval生成的js代码则大致如下: try { __flash__toXML(js_function("\\",alert(1)));}catch(e){}//")) ; } catch (e) { ""; } try { __flash__toXML(js_function("\\"))}catch(e){alert(2)}//")) ; } catch (e) { ""; } 可以看到,如果你在flash as代码里使用了 flash.external.ExternalInterface.call (),并且直接使用用户输入作为第二个参数的话,那么你就存在上面论述的xss风险。 我们建议的修复方案是,对第二个参数做限制,使用前对用户输入进行过滤,一般来说,过滤掉\、/这样的特殊字符即可,具体可由实际需要而定。也可以不允许使用用户输入作为第二个参数。seanzhu,本内容来自腾讯内部分享,请勿外传!
March 06, 2011
The other reason to beware ExternalInterface.call()
Adobe Flash has a function called ExternalInterface.call(...), which implements a JavaScript bridge to the hosting page. It takes two parameters: the first one is the name of the JavaScript function to call. The second one is a string to pass to this function.
It is understood that the first parameter should not be attacker-controlled (of course, mistakes happen :-). It is also understood that there is no inherent harm in putting user input in the second parameter, if the callback function itself is not behaving stupidly; in fact, Adobe documentation gives an example that follows this very pattern:
...
ExternalInterface.call("sendToJavaScript", input.text);
...
Such a call would be translated to an eval(...) statement injected on the embedding page. This statement looks roughly the following way:
try {
__flash__toXML(sendToJavaScript, "value of input.text"));
} catch (e) {
"<undefined/>";
}
When writing the supporting code behind this call, the authors remembered to use backslash escaping when outputting the second parameter: hello"world becomes hello\"world. Unfortunately, they overlooked the need to escape any stray backslash characters, too.
So, try to figure out what happens if the value of input.text is set to the following string:
Hello world!\"+alert(1)); } catch(e) {} //
I reported this problem to Adobe in March 2010. In March 2011, after following up, I received the following response:
"We have not made any change to this behavior for backwards compatibility reasons."
Caveat emptor :-)
解决时发现这个xss是攻击者利用了Adobe的一个已知漏洞,我们简称之为ExternalInterface.call 注入,此漏洞于2010.03已经被report给Adobe了,但是被Adobe拒绝修复,官方回复是: "We have not made any change to this behavior for backwards compatibility reasons." 详细可以参考:http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html 简单来说,Adobe flash里提供了一个调用外部js的方法 ExternalInterface.call(...),此方法有两个参数,第一个参数是要调用的js函数名,第二个参数是传递给这个函数的参数。这个call方法使用了eval实现函数的调用,最后生成的代码有一段是: try { __flash__toXML(js_function, "params"));} catch (e) { ""; } 很明显,参数params里面不能有“"”,以防止try块里面的函数调用被破坏,Adobe的开发人员也注意到了这一点,所以他们会转义掉“"”。 例如,params如果是xxx"yy,那么会转成xxx\"yy。 但是,他们忘了转义“\”,所以如果params是xxx\"yy,那么最后得到的是xxx\\"yy。 注入漏洞就此产生。 攻击者可以构造这样的params来进行xss攻击: 1:\",alert(1)));}catch(e){}// 2:\"))}catch(e){alert(2)}// 经由Adobe eval生成的js代码则大致如下: try { __flash__toXML(js_function("\\",alert(1)));}catch(e){}//")) ; } catch (e) { ""; } try { __flash__toXML(js_function("\\"))}catch(e){alert(2)}//")) ; } catch (e) { ""; } 可以看到,如果你在flash as代码里使用了 flash.external.ExternalInterface.call (),并且直接使用用户输入作为第二个参数的话,那么你就存在上面论述的xss风险。 我们建议的修复方案是,对第二个参数做限制,使用前对用户输入进行过滤,一般来说,过滤掉\、/这样的特殊字符即可,具体可由实际需要而定。也可以不允许使用用户输入作为第二个参数。seanzhu,本内容来自腾讯内部分享,请勿外传!
431
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
