One thing that's been annoying me for the last couple of days is
CVE-2008-5499, AKA 'super secret unknown vulnerability in Flash Player
9/10 for Linux'. Dave (of the Aitel persuasion) wanted to get this stuff
into CEU before the year was over. So I finally sneaked in some time and
decided the research involved makes for swell infotainment. Let's have a
look.

On December 17, 2008, Adobe put out an update for Flash Player 10 and 9
on zee Linux platform, where 9 received a specific security update in
the form of revision 152. This is to accommodate people who are unable
to upgrade to version 10. Seeing how the revision jump for 9 (151 to
152) is significantly smaller than the one for version 10, I used 9r151
and 9r152 for all diffing goodness and later correlated this analysis
to version 10.

Putting Patchdiff2 (hooray TOTO_) to work on 9r151 and 9r152, followed
by a couple of hours of ctrl-e and alt-f3'ing, exposes two things ...
A) HOLY HEADACHY GRAPH BATMAN ... and B) the only significant
functionality change in 9r152 involves the removal of a call to
system(3). Sorry, come again?

If you were born in the '90s and are unfamiliar with metacharacter
vulnerabilities, the problem revolves around being able to place
controlling characters into a shell command. For example "ls hi" tries
to list a file named "hi", but inserting a metacharacter into this
command, e.g. "ls ;hi" or "ls `hi`" or "ls | hi" (etc.), would flip the
script and try to execute an executable named "hi". This was before you
had to sell your soul to Kostya to get a shell on anything cool. Yes?
Hooray.
So let's fast forward to 2008 and CVE-2008-5499, for which I present to
you the following ActionScript:

    if (_global.ASnative(2201, 1)("airappinstaller")) {
        _global.ASnative(2201, 2)("airappinstaller", ";touch /tmp/OWNED");
        _root.tf.text = "Check /tmp/OWNED :X";
    }

Now if you don't care about technical details too much, you can stop
reading here and take away the following:

* Flash 9/10 for Linux had a metacharacter arbitrary command execution bug
* It appears only exploitable when you have a helper binary and valid
  digest installed (which chances are, you don't)
* Adobe AIR gets you such a helper binary and digest in the form of
  "airappinstaller"

If you recall, in 2002 (yes I had to google it too, don't worry), there
was much ado over an undocumented feature in Flash, exposed only via the
ASnative function index. This feature seemed to be the outline for a
framework intended to install and launch helper applications supplied
by Macromedia and involved the following functions:

    ASnative(2201, 0) # isRunning()
    ASnative(2201, 1) # isInstalled()
    ASnative(2201, 2) # launch()
    ASnative(2201, 3) # download()
    ASnative(2201, 4) # installedVersion()
Since then this API has been fully exposed and documented as the
System.Product object. You can use it to, e.g., install a Flash update
with code that looks like:

    var product = new _global.System.Product("fpupdateax");
    product.download();
    product.launch();

Which would theoretically download and launch the Flash 10 updater
using the macromedia.com/bin/flashdownload.cgi?product=productname
redirector. Initially this application download/launch mechanism did
not include Macromedia SSL certificate based digest checking, but it
does include such fun these days. If you own a PS3 that point is
completely moot, of course.

The System.Product functionality is still present in Flash Player anno
2008; in fact, it is used heavily with the advent of Adobe AIR. Why?
Well, Adobe AIR uses this very mechanism to install AIR applications
through its "airappinstaller" Flash helper binary. Groovy.

Let's have a look at the relevant code snippets. First we find the
function that handles the 2201 ASnative index in the ASnative reference
table (2201 -> 899h).

.data.rel.ro:0095A480 ASnative_table dd 65h
.data.rel.ro:0095A484 dd offset sub_19EB50
...
.data.rel.ro:0095A530 dd 899h
.data.rel.ro:0095A534 dd offset ASnative_2201 ; start of path to system
Once we figure out where ASnative(2201, n) lives and how it's called,
we can start following relevant code to carve a path to the patched
call to system(3) (essentially they moved it to a fork/execve construct
in Flash 10).
.text:0024F64C cmp eax, 2 ; 2201, 2
.text:0024F64F nop
.text:0024F650 jz launch_case
...
.text:0024FAE0 launch_case:
...
.text:0024FAF3 call flash9_system
...
.text:004675B0 flash9_system proc near
...
.text:004675F1 call binary_digest_checker
...
.text:00467676 call _system ; \o/

Okay, cool, as you can see ASnative(2201, 2) will take us to the
system(3) call that was removed in the security update. Closer
analysis, and I'll spare you the boring details, shows that we get to
supply arguments to the helper application that is to be launched by
system(3) via the ASnative(2201, 2) call with something like
ASnative(2201, 2)("theirapp", "myargs"). This in turn allows for
metacharacter based arbitrary command appending of the 1992AD variety.
Seems straightforward enough!

Given the fact that we can get a known/valid application binary and
digest in place via the Adobe AIR installer for Linux, let's write some
exploit ActionScript then, shall we? Yes we shall. I used the mtasc
ActionScript compiler and so should you. It makes all sorts of fun with
Flash easy and quick. This is the part where we grin and laugh in a
maniacal fashion for no apparent reason. I mean, hi.

The ASnative(2201, 2)("validAdobeApp", ";arbitrary command") call will
execute arbitrary commands on vulnerable Flash Player 10r12 browsers,
on Linux systems that also have Adobe AIR installed. The latter is a
prerequisite only because we need a valid helper application installed
in the ~/.macromedia/Flash_Player/www.macromedia.com/bin/ folder that
we can launch. And yes, you did not misread, Flash 10r12: even though I
did all the analysis based on version 9, this exploit does not actually
work with version 9 because 9r151 lacks some of the digest checking
semantics that make things work smoothly. It is still technically
vulnerable of course. When AIR is installed the exploit works without
user interaction. Cool beans.

Other attack scenarios include initiating valid application download()s
and then launch()-ing the vulnerable function ... but I did not find
any available Macromedia Linux applications that can be downloaded via
the flashdownload.cgi mechanism. Surely someone with more ActionScript
experience can dream up something cool.
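The difference the patch makes, as an added illustration (not code from this post or from Adobe): the 9r151 path amounts to system("<helper> <args>"), so /bin/sh parses whatever the caller put in args; the fork/execve construct the fix moved to hands args over as a discrete argv element and no shell ever sees it. /bin/echo standing in for the helper binary is an assumption made for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Launch `helper` with `args` via fork/execve (the construct the fix moved
 * to) instead of system(3). `args` is handed over as a discrete argv element,
 * so no shell ever parses it: ";", "`" or "|" are just bytes the helper
 * receives. The child's stdout is captured into `out` so the caller can see
 * exactly what the helper got. Returns bytes captured, or -1 on failure. */
static ssize_t launch_helper_execve(const char *helper, const char *args,
                                    char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: become the helper */
        char *argv[] = { (char *)helper, (char *)args, NULL };
        char *envp[] = { NULL };          /* empty environment, nothing inherited */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execve(helper, argv, envp);       /* no "/bin/sh -c" anywhere in this path */
        _exit(127);                       /* only reached if execve fails */
    }
    close(fd[1]);                         /* parent: read what the child prints */
    ssize_t total = 0, r;
    while ((size_t)total < outlen - 1 &&
           (r = read(fd[0], out + total, outlen - 1 - (size_t)total)) > 0)
        total += r;
    out[total] = '\0';
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return total;
}

/* Check usable from a test: with /bin/echo standing in for the helper binary
 * (demo assumption), the argument must come back byte-for-byte plus echo's
 * newline. Under the old system(3) construct the same string would have been
 * handed to the shell and interpreted instead of printed. */
static int args_survive_literally(const char *args)
{
    char got[256], want[256];
    snprintf(want, sizeof want, "%s\n", args);
    return launch_helper_execve("/bin/echo", args, got, sizeof got) > 0 &&
           strcmp(got, want) == 0;
}
```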
What better way to say bye to 2008 than with a 1992AD metacharacter bug!

