Watchfire Application Security Insider

Prologue

Our research team has identified a web-based attack technique that exploits the growing number of applications that require a web server being run on a local machine. Cross-Environment Hopping (CEH) is a result of this trend combined with the current limitations in browsers’ same-origin policy access restrictions.

The CEH technique enables an attacker to exploit a local XSS vulnerability in order to “hop” to a different environment, such as another locally installed server. Under certain circumstances it may even be possible for an attacker to access remote network services such as network share drives, remote procedure calls, intranet mail, SQL servers, and so on.

This write-up will prove that the current implementation of same origin policy on the localhost in up-to-date Web browsers, combined with the presence of an XSS vulnerability, creates a special set of circumstances that enable environment hopping, and that the resulting malicious activity can be performed on any server running on a designated port.

We would like to credit Rob Carter for his great work in describing the problematic nature of exploiting XSS vulnerabilities in local web servers by taking advantage of the promiscuous security behavior of Internet Explorer 6.

We recently researched an interesting DOM-based XSS vulnerability in Adobe Flex 3 applications that exploits a scenario in which two frames (parent & son) interact with each other, without properly validating their execution environment.

In our research, we have seen that in some cases, it is possible to manipulate JavaScript code flow, by controlling the environment in which it runs. Specifically, we managed to return hacker-controlled boolean values to conditional statements, and by that force the application to be vulnerable to an existing DOM-based XSS, which was otherwise unexploitable.

The advisory presented herein, is a real world example of the research mentioned above, and contains two XSS variants. The second of which, makes use of the JavaScript Flow Manipulation technique.

# # #  Begin Advisory # # #

This advisory describes a new security vulnerability found in auto-generated code created by Adobe Flex 3 (Builder & SDK) that uses the default HistoryManager or Deep Linking support. 

Attack Variant #1: DOM Based Cross-Site Scripting

The following text, which describes the HistoryManager and Deep Linking support in Adobe Flex, was taken from the official Adobe documentation:

"The Flex History Manager lets users navigate through a Flex application by using the web browser's back and forward navigation commands. For example, a user can navigate through several Accordion container panes in a Flex application, and then click the browser's Back button to return the application to its previous states.

The HistoryManager class provides a subset of functionality that is provided by the BrowserManager class and deep linking. In general, you should use the BrowserManager class and deep linking for maintaining state in an application and manipulating URLs and browser history, but the HistoryManager class can be useful under some circumstances, such as if you are maintaining a Flex 2.x application. For more information about deep linking and the BrowserManager class, see About deep linking.

History management is implemented as a set of files that are referenced in the application's wrapper. By default, Adobe Flex Builder generates a wrapper that supports history management, but you can disable it. When you deploy an application that uses the HistoryManager, you must also deploy the history management files such as history.css, history.js, and historyFrame.html. These are the same files that are used by the BrowserManager for deep linking support. For more information, see Deploying applications that use deep linking."

The following code was taken from the historyFrame.html:

...

function processUrl() 

 {

            var pos = url.indexOf("?");

            url = pos != -1 ? url.substr(pos + 1) : "";

            if (!parent._ie_firstload) {

                parent.BrowserHistory.setBrowserURL(url);

                try {

                    parent.BrowserHistory.browserURLChange(url);

                } catch(e) { }

            } else {

                parent._ie_firstload = false;

            }

 }

var url = document.location.href;

processUrl();

document.write(url); 

...

As can be seen from the code above, the url variable, holds the document.location.href string, and is later on written to the HTML document. So, in order for the XSS attack to work, the malicious payload should be injected into the URL. Here's an exploit URL:

http://www.some.site/flex_html_wrapper.html#<script>alert(document.cookie)</script>

Note 1: due to how Flex HistoryManager is implemented, the above exploit URL will only work on Microsoft Internet Explorer

Note 2: in the example above, the file /flex_html_wrapper.html is the HTML wrapper file of the Flex SWF

Attack Variant #2: DOM Based XSS Using JavaScript Flow Manipulation

From a quick research into how Flex 3 applications support deep linking ("browser navigation integration"), we have noticed that the attack we described above, will only work if the developer explicitly makes use of either HistoryManager or BrowserManager classes. In such case, the application will use the vulnerable code presented above (i.e. it will load the vulnerable file /history/historyFrame.html into the browser).

This fact limits our attack vector to sites that were designed to actively use history management / deep linking (note: all applications that were compiled with "enable integration with browser navigation" ship with the vulnerable file, but they don't load it into the browser unless the above objects are used in the code).

When we looked at the JavaScript code in /history/historyFrame.html, we saw that calling it directly in order to mount the DOM-based XSS attack (against all Flex 3 sites that include that file) will not work. This is because the JavaScript first calls the function processUrl before performing the vulnerable document.write(url)

The function processUrl, contains the following lines of code:

if (!parent._ie_firstload) { 
     parent.BrowserHistory.setBrowserURL(url);
...

When there is no parent document (or if the parent document does not contain the object _ie_firstload),  the condition inside the parenthesis is evaluated to TRUE. This in turn, causes the line:

parent.BrowserHistory.setBrowserURL(url);

to get executed, resulting in a runtime exception, since no such objects and methods actually exist (there is no parent document). At this point,  the attack will fail.

In order to bypass this obstacle, we have created a (malicious) parent document, which includes an IFrame whose source is the vulnerable HTML page /history/historyFrame.html. In addition, we have added another IFrame (called _ie_firstload), whose role will be explained below.

The malicious HTML page looks like this (line wrapped): 

<!-- HTML source of page, hosted on http://www.evil.site/ -->

<html>

 <body>

  <iframe name="_ie_firstload"></iframe>

  <iframe src="http://www.vuln.site/app/history/historyFrame.html?

#<script>alert('xss')</script>"></iframe>

 </body>

</html>

Upon visiting this malicious page, which is hosted on http://www.evil.site/ the victim's browser issues a request to the vulnerable Flex application that is hosted on http://www.vuln.site/. The request exploits the DOM-based XSS vulnerability that was mentioned in the first section (variant #1).

Here's a quick explanation of the attack:

1. The JavaScript code that is executed in /history/historyFrame.html (see JS code in the previous section), looks at the Boolean value that parent._ie_firstload returns.
2. Since our malicious parent document actually includes a child node with the same name (a bogus IFrame element that we named "_ie_firstload"), the script flow is manipulated. (we do not enter the first block of the IF statement)
3. The JavaScript code that was just manipulated goes ahead to the ELSE statement
4. The function processUrl exits cleanly, and our DOM-based XSS attack succeeds.

Pay attention to #2 - the child IFrame was expecting its parent to return TRUE or FALSE depending on the existence of a JavaScript object (_ie_firstload), but since we controlled the parent's DOM, we have substituted the JavaScript object, with an IFrame. The IFrame's existence in the parent DOM allows us to fool the child IFrame into believing that such object exists.

We have decided to use an IFrame instead of a regular JavaScript object, since the browser's same origin policy will not allow the child IFrame to access JavaScript objects originating from a different domain (www.evil.site). Nevertheless, the browser will allow the child IFrame to traverse the parent's IFrame structure. In our case, the JavaScript code flow manipulation technique was relying on this browser behavior.

To sum things up, all a hacker needs to do in order to exploit this vulnerability, is host a malicious HTML page as shown above, which points to a Flex application that includes the file /history/historyFrame.html.

This file exists by default in all Adobe Flex 3 applications that were created either by Flex 3 Builder or the Flex 3 SDK (regardless if the developer chose to use HistoryManager or BrowserManager)

Impact

First and foremost, this vulnerability is extremely severe, since every Flex web application that is developed using Flex Builder 3 or the Flex 3 SDK (see the next paragraph), includes the file /history/historyFrame.html (this file exists by default), and thus is vulnerable to DOM-based XSS.

In order for the vulnerable files to be included in the Flex application, the developer has to enable "integration with browser navigation". This option is enabled by default, and can be configured from the project properties.

The most severe impact of the vulnerability described in this document is achieving a successful DOM based cross-site scripting attack. If an application is vulnerable to attacks of this type, a remote attacker can execute a malicious script in the context of the victim's browser which can access cookies, session tokens and other sensitive data kept by the browser for the vulnerable web application.

Fix Recommendations:

The following fix recommendations are taken from the Adobe security bulletin:

Adobe recommends all Flex 3 developers who have enabled History Management update applications created with Flex 3 and their Flex 3 product installations with the following instructions:

 

• Flex 3 users (both Flex 3 SDK and Flex Builder 3) should update their product installations with the Flex 3.0.2 SDK update.

 

• Flex 3 users who have enabled History Management in their currently deployed Flex 3 web applications should update all instances of the historyFrame.html file with the updated file. The three instances of historyFrame.html in the Flex 3 SDK installation can be found in the following locations:

{install root}/templates/html-templates/client-side-detection-with-history/history/historyFrame.html

{install root}/templates/html-templates/express-installation-with-history/history/historyFrame.html

{install root}/templates/html-templates/no-player-detection-with-history/history/historyFrame.html

 

Acknowledgements:

• We would like to commend Adobe for their quick response and the efficient way in which they handled this security issue. We wish that other vendors would be as responsible as Adobe for the protection of their customers.
• This research was performed by the following IBM Rational Application Security Group Members: Ory Segal & Adi Sharabani, with the help of Ayal Yogev.
• Special thanks goes to Amit Klein for his technical review and useful comments.

CVE ID: CVE-2008-2640

# # # End Advisory # # #

Hi There,

Just wanted to leave you all a quick note that we haven't forgotten how to blog :-) we've been busy over our heads with migrating things to IBM (called Blue-Washing around here), developing new version of AppScan (as always, we have to stay ahead of the pack), and researching new and interesting security vulnerabilities. In the meantime, here's a quick list of anecdotes to keep you busy -

• OWASP AppSec Europe 2008 is right around the corner. I strongly recommend attending this conference, as it looks like the agenda is packed with great presentations. The conference will take place in Ghent, Belgium, which means that good beer won't be a problem. If you haven't registered yet, I suggest you do so, and prepare to work hard in locating a hotel in the vicinity. Every single hotel is booked solid, and you might need to make some compromises. In addition, I am currently planned to be on the panel at the end of the first day ("The PCI 6.6 dogfight - to Scan or to WAF, this is the question") - I wouldn't miss a chance to voice my opinions
• Adobe Flash/Flex security- we have been researching Flex and Flash security a lot lately as a part of our continuous effort to stay ahead of the technology. RIA security is the next big thing, and the green pastures of security vulnerabilities are awaiting. Rest assured that readers of this blog will be the first to read about our research, and some of it will also be presented at the OWASP AppSec conference in NYC later this year
• IBM Rational Software Development Conference (RSDC) 2008 is coming up (June 1-5, 2008). This year's conference will host a full track on Application Security & Compliance (click to view agenda), and will include some great presentations in our field. I am also going to be there, and will give a session on Web 2.0 security (AS09). In addition, William Shatner is one of the keynote speakers - are you seriously going to miss Captain Kirk talking about software development?
• "Static code analysis is inherently doomed to fail" - at least that's what the author of this blog thinks. Well, I beg to differ, and for every reason mentioned in the above post, there's a reasonable solution or a workaround. In addition, I can't help but say - that's what happens when your scanner GREPs for security vulnerabilities ;-) ouch, don't take it personally...
• Cisco announces their own stab at building a web application firewall (WAF). I guess PCI 6.6. is kicking in :-) oh AppShield, where art thou? seriously now, I'm hearing and reading about WAFs everyday and in every blog - that's simply awesome to see that this market is finally picking up
• Charles is my new best friend. I'm not sure if I've mentioned it before in this blog, but this HTTP Proxy simply kicks ass (and it supports AMF message tampering for those pesky Flash remoting apps). Next to firebug (and of course AppScan), this is probably one of the best tools to have in your arsenal. Check it out
• Off topic - I just finished reading a book called "The Volunteer: The Incredible True Story of an Israeli Spy on the Trail of International Terrorists", while I'm not sure how "true" this story is, I did enjoy the espionage parts of it. I strongly recommend it.

That's all for now, and don't forget -

As the vowels of the English alphabet (A, E, I, O, U) are integral to the English language - both written and oral; so too are certain actions for addressing security in software - both web-based and traditional.

I’m often asked by companies to help document some of the essential actions they can take while attempting to build better, and therefore more secure, software.  Let’s distill this down to five essential actions an organization can implement in order to build more secure software.

Artifact Collection

It is no mistake that artifact collection must be the first vowel in this list.  As has been succinctly stated by others, metrics matter.  You can’t be serious about improving something if you are unable to measure it.  Measurement is required for establishing a baseline, for establishing goals, for calculating improvement and for determining success.

Many organizations are quick to establish artifact collection and measurement in one area of development such as requirements or bug tracking, but forget that this equally applies to more manual processes.  This might include a process artifact such as an architectural risk analysis or a people artifact as to whether a certain developer has attended training.  Regardless of the artifact type, a central repository for the collection, measurement and monitoring of artifacts is essential to building more secure software.

Enablement

The second action to consider is enablement.  Enablement pertains to individuals and should include three core areas: education, resources and tools.

Education of development teams with respect to security has long been considered an essential element to designing, building and deploying secure software.  This education can cover basic security principles, threat classifications, threat modeling, or perhaps cover even more fundamental topics such as essential practices for good software development.  Education enablement should not be a one-time thing.  Establishing a repeatable program that allows for refresher courses, growth and maturity is valuable to developing one of your most important assets in the software development process – the developer.  Valuable progress has been made using bite-sized 15-minute web based training programs (which of course can be measured as an artifact) as an education enablement method.

Why have we entered such an era of unparalleled growth in recent years in the software industry?  I believe it is because of access to resources.  We have been enabled to grow and expand at a previously unparalleled rate due to access to online resources.  Think Google.  Why not enable the developers internally through a similar internal resource library?  By establishing items in the library such as the previously mentioned web-based training, best practices guidelines or certified components, we enable the developer to focus on what they were meant to do – develop software.  We don’t want our developers re-inventing the wheel.  Why would we ask them to re-architect a method for validating an email address?  We can enable them through access to a proven certified component which is stored in a resource library.

Enablement of people and process is also fundamentally addressed through tools.  We all recognize that tools do not build secure software in themselves, nor do they fix the technical and logical issues which they are able to find.  As an example however, they may enable the individual to understand these deficiencies and make intelligent recommendations.  They enable the developer.  By granting access to tools that are able to perform these assessments, we enable the developer to be self-sufficient, reducing time and costs in the software development process.

Incremental Security

I have seen countless security initiatives fail because the ocean simply would not boil.  How many different security threats do you suppose there are?  I don’t have a number for that.  Any given security assessment tool may have hundreds to thousands to tens of thousands of different types of checks.  It simply does not work to attempt to run tools and report on all findings.  The ocean doesn’t boil and people are frustrated.

Incremental security testing is essential for a successful security initiative.  Start with one or two high priority security issues that make sense for your organization.  Secondly, I suggest you look for two commonalities between them: a common root cause and a binary pass/fail automated test that can not be contested.  The benefit of focusing on a common root cause is that the developer does not focus on what happened, but why it happened.  For example, Mitre reports that cross-site scripting (XSS) and SQL injection were the two most commonly reported vulnerabilities in 2006.  Perhaps these are the two issues that you begin with.

Ongoing Security Testing

One of the core successes of the Agile development methodology is that it is both incremental and iterative.  This means that the software is built early and often.  This allows transparency early in the process to where the largest obstacles will occur.  Should a problem arise, a decision can quickly be made as to whether the efforts should be redirected or canceled.  Security testing is no different.  It greatly benefits from ongoing, iterative analysis.  While logical vulnerabilities should be architected out of the software during the inception and elaboration phases, technical vulnerabilities have the tendency to arise due to developer or implementation error.  Remember, security is an emergent property of the software development process.  That is, the vulnerabilities tend to emerge as the application is constructed and can continue to appear in the ongoing maintenance phase.  By performing automated ongoing or iterative security testing, the software benefits from having the technical vulnerabilities discovered and corrected as early as possible.  It is no secret that correcting issues early in the software development lifecycle represents significant savings for the organization.

Unify the Policy

I purposely want to stay away from the term “Unified Process” as I do not want to refer to a specific development framework.  Instead, this last vowel is merely the recognition that a strong unified policy should exist – which may well include a core development framework.  While every large (or small) organization practically has many methodologies or variations of a methodology for developing software, it has been recognized for some time that implementing a unified and consistent process and policy results in better quality software.  While I do not want to go on about the merits of various frameworks such as Waterfall, RUP, XP, or Spiral, it is unquestionable that some level of discipline regarding the unification of the development process is valuable.  A unified policy should include very fundamental concepts such as the defined code framework and certified components that will be used.  Usage of proven, mature frameworks drastically improves the quality of software.  This policy should also define the required feedback loops from internal, external and software sources.  Going further, this policy would define the more manual techniques that are required outside of automation.  Unification of these processes, tools and results are what establishes a more complete and unified policy.

--

Regardless of the actions taken in implementing a strategic software security strategy, or the discussion about what the priority should be, it remains infinitely clear that “something” has to be done.  The statistics are against us.  Perhaps these five action vowels don’t seem to map to your organization.  I won’t argue.  It is sufficient that we open the dialog about these actions.  Me?  The five vowels are easy to remember and I’ve seen these simple steps bring success: Artifact collection, Enablement, Incremental security, Ongoing security testing and a Unifying the policy.

It has been almost ten years since anyone could buy a car without one or more air-bags (at least in the US and Europe). It has been more than twenty years since cars without three-point restraint seat-belt systems were available. Car manufacturers were not happy about all of it at the beginning because it drove costs up and it involved additional research investment.

Public opinion and related industries drove lawmakers to push (and then mandate) technologies such as air-bags, early warning break lights, and anti-lock breaking systems. Aside from the consumers' enjoyment of safer transportation, insurance companies also benefited (financially) from the deal. Today car safety is a burning issue for anyone looking to buy a new car.

Why don't we see public pressure to make our web-sites safer? Why do most people scrutinize their prospective car better then their bank's Internet safety policy? Why do people read about crash-test results in magazine and new-papers motor sections? Why do so many people know what it means that “Somecar SL” made by “MotorMaker Inc.” scored a 5 on the European NCAP tests?

The answer is education: People look at the little lock at the bottom (or top) of their web browser and say "Yey! Safety!" Curiosity might drive some of them to look at the certificate behind the lock, and read about how one important sounding company verified and authenticated and identified the web-site. Web application security is so much more than that.

Jeremiah Grossman wrote about education. I agree that web-developer and web-testers should be made more aware of the dangers inherent to web-applications. But not only them. The users of these applications need to be able to demand safety, except they don't know they need to.

Ever see a crash test dummy thrown through a window? Who hasn't? There isn't a person alive today in the western world that hasn't marveled at the speed an airbag opens, catching, in slow-mo, the dummy's head it slams helplessly towards the steering wheel. It's in commercials, news reports, and MTV videos. It certainly drives the point home. We all want air-bags in our cars. We know why. We know what can happen if we don't. We care about safety features and design of our vehicles in a level that exceeds the knowledge required for normal use.

And to ease our minds, we do not crash cars to test them. We have bodies we trust to do that for us. European standards institutes, independent safety magazines, etc.

What about web-applications?

I have to confess: until three months ago I was a part of the ignorant mass. I clicked on the Locked icon and in knowing self-importance thought: "VeriSign, yes, good. Oh, look, forms and fields! Yes. Very good! This site is secured. It is safe."

I was even clever enough not to press links in emails: always copy-paste them into the browser. You never know what really lurks behind the link's text, certainly not from an unfamiliar source.

But then I came to Watchfire and learned a few things. About the inexcusable ease that a web-application can be hacked, if the right web-app-developer fell asleep on the job.

I saw a live presentation of the Google-desktop hack. I then thought: I don't know anything about UTF-8 or URL encoding. Despite thinking of myself as Internet-clever, I considered the following scenario:

I get an email from a friend, telling me to check out a funny Google-search. I look at the link and despite all the odd ?, %, &, and numbers it looks perfectly normal to me. I copy, and paste it into my browser. I get a host of pictures of nuns riding unicycles.

Now, my friend got the message forwarded from another friend, which came from a brother, which came from a class-mate, who's not really sure who the mail was from, but thought nuns on unicycles are pretty hysterical. This way a chain of trust is established that resulted in me exposing my machine to the whims of a malicious hacker through my beloved Google Desktop application (which is a web-app for all intended purposes).

But it’s not just trust-chains. It’s the promise of fun that makes most people ignore common sense and develop trust toward things that do not warrant the trust. The phenomenon is widely recognized and has been named: The Dancing Pigs Problem. People are easily tempted by dancing pigs. People are easily distracted by shiny, sparkly, exciting things. As remarked by Bruce Schneier, even if the warning is clear and unambiguous, the everyday web-surfer will choose to ignore it with the promise of some enjoyment.

As a community, web-app security needs to tackle the masses. We need a way to drive the point home. People use the Internet and its peripheral services and have no understanding of the technology or the risks involved. People download, share, do business, send and receive, talk, watch, play, read, write, and live virtual lives in a virtual universe. People learn about internal combustion and the hazards of navigating traffic in high school. There are vehicle-safety documentaries by the dozens. The only documentaries about the Internet are about sensational hackers and their crimes. People are angry at attackers, and not about their web-app providers for not protecting them and their data.

As technologists and engineers, we are so used to the Internet technologies. All the ignorance out there does not even occur to us. We need to start with simple examples, not to be afraid to approach the public as children. Remember that we need to start at the beginning. Explain things step by step until a greater understanding prevails.

Once the users become more and more clever, they will start approaching their service providers and ask them: What body governs and approves your site security? Which standards do you hold yourselves to?

The web-application providers will start generating and seeking standards on their own. The security community needs to help bring that change about, and then to be there to work together with the industry to create the safer Internet-world we all need and deserve.

I would like to point out an interesting research done by Thor Larholm, which deals with URL Protocols.

The subject of URL Protocols was actually researched within the Watchfire Security Team recently and we reached different yet complementing findings to those of Thor.

URL Protocol is a mechanism built into different browsers to handle specific URL types with external applications.

For example: the URL: mailto://mail@address.com opens an outlook composer window that is ready to send an e-mail to: mail@address.com.

This actually executes the mail application with specific arguments (parameters). The most interesting thing to note though, is that in Internet Explorer this execution is performed automatically (without user interaction) and can be forced on your browser by the site you browse.

Here are some ideas that Watchfire's Security Team had on the security implications of this feature:

• If one ever had complete control over a remote system and wanted to leave a simple backdoor, he/she could just register a new URL Protocol in the registry (CMD:// for example) that will execute the URL it receives in a CMD prompt.
  
  This can enable an attacker to send shell commands to the victim's computer every time the victim opens a browser and surfs to the attacker's web site.
  
• Of special interest is the callto:// protocol. This protocol is configured to execute the Netmeeting application by default, but it executes Skype instead, if it's installed on your computer. This can be exploited in various ways:
  • The attacker can initiate a call from the remote computer to himself and thereby tap the microphone on the victim's computer.
  • The attacker can initiate many calls on behalf of the victim and thereby waste his/her money.
  • The attacker can initiate a conference call to himself and to a person he/she wants to talk to and the victim will be the only one paying for it.
  In this scenario, the attacker's biggest problem is that the attack pops a Skype window on the victim's desktop. An attacker might be able to reduce this problem using JavaScript to focus the windows of the browser but obviously it is not ideal.

• You can create many automatic links to a specific URL Protocol (for example: mailto://) and by that open many outlook processes, creating a DoS situation that cannot be resolved by closing the browser.
  
• Microsoft Media Player oftentimes suffers from published/known Buffer Overflows. These attacks usually occur because the application has a bug in the way it parses media files. As a rule of thumb, Microsoft suggests that you only use trusted media files. There are several URL Protocols that enable an attacker to make the browser automatically open Microsoft's Media Player with untrusted streams. 

I hope that this research spills more light on the dangers of URL Protocols and emphasizes the dangers of allowing sites to control external application execution through the browser without user interaction.