Deblaze - A Remote Method Enumeration Tool for Flex Servers, Defcon

Transcript

1. DEBLAZE' A"remote"method"enumeration"tool"for"flex"servers"

2. Who$am$I?$ !  Jon"Rose" "  Working"at"Trustwave’s" SpiderLabs" "  Founder"and"former" Pres"OWASP"Phoenix" Chapter"

   !  Background" "  Network"&"App" Pentesting" "  Architecture"&"Code" Review" "  SDLC"Security" ""

3. Flash$and$Flex$ !  Flash"Apps:" "  ClientKside"UI" "  SWF"files"(can"be"decompiled)" "  Requires"flash"player" " 

   Built"by"designers"/"UI"ppl" "  Web"ads,"banners,"games" "  Consistent"across"en"browsers" !  Flex:" "  Designed"for"programmers" "  MXML"for"UI"(compiles"into"AS)" "  ActionScript"for"code" "  J2EE"application"server""

4. !  Flex"1""(March"2004)" "  Flex"Builder"IDE" "  Flex"Data"Services" "  Expensive"license" !  Flex"2"(June"2006)"

   "  SDK"free"download" "  Flex"builder"not"required" "  Eclipse"integration" "  Flex"Data"Services"2" "  ActionScript"3" "  Requires"Flash"Player"9" !  Open"Source"(Dec"2007)" "  Action"Message"Format"" Protocol"(AMF)" "  BlazeDS"$ !  Flex"3"(March"2009)" "  Open"source"SDK" "  Support"for"Adobe"AIR" (desktop"app"runtime)" *Wikipedia"highlights*" Flex$Timeline$

5. Flex$Data$Services$ !  Data"Management" "  Update"client"and/or"server"when"data"changes" !  Messaging"" "  Real"Time"Messaging"protocol"(RTMP)" " 

   PubKsub"model" "  RealKtime"data""streaming" !  Remoting" "  HTTP,"SOAP,"AMF" "  Automatic""data"marshalling" !  PDF" "  Create"and"edit"PDF’s"

6. Flash$Remoting$Technologies$

7. None

8. CrossDomain.xml$

9. Potential$Problems$

10. Flash$Remoting$Insecurity$ !  Developers"fail"to"restrict"access"to"methods:" "  Authentication"" "  Authorization" !  Method"&"Service"names"can"be"bruteKforced" ! 

    Flex"servers"can"be"fingerprinted" !  Common"vulns"in"remote"methods:" "  Injections" "  Information"leakage" "  Denial"of"service" "  Privilege"escalation" "

11. Finding$Methods$&$Services$ !  Decompile"SWF"and"search"for"remoting"calls" !  Watch"network"traffic" !  Dictionary"attack"against"server"

12. Finding$SWF$Remoting$Calls$ !  Download"SWF"file" !  Decompile"" "  Sothink"SWF"decompiler"or"HP"SWFScan" !  Analyze"ServerConfig.xml" ! 

    Regex"for"remoting"methods"

13. !  Often"embedded"in"the" SWF" !  Provide"URL's"and" service"names" !  Destination"id" represents"services" " 

    securityService" "  exampleService" "  mathService" SWF$Remoting$ServerConfig.xml$

14. SWF$Remoting$Search$ !  Search"for"remoting"methods" "  send,"service,"remote,"etc" findstr"/I"/N"/S"”sender\.""*.as"

15. AMF$Network$Traffic$ !  AMF"is:" "  Serialized"ActionScript"object" "  Transported"as"HTTP"POST"body" !  Charles"proxy"can"intercept"and"decode"AMF" traffic"

    !  Wireshark"captures"can"disclose"Url's,"Services," and"Methods" "  No"native"decoder"

16. AMF$Network$–$Charles$Proxy$

17. AMF$Network$–$Wireshark$

18. Dictionary$Attacks$ !  Determine"valid"service"and"methods" "  Based"on"error"messages" "  Fairly"fast" "  Easily"predictable"method/service"names" ! 

    Login" !  getters" !  setters" "  Possible"to"build"default"wordlist"
19. None

20. Securing$Flash$Remoting$ !  BlazeDS" "  Only"public"methods"defined"in"remotingKconfig"can" be"called" "  Use"securityKconstraints"in"remotingKconfig.xml"to" each"method" ! 

    includeKmethods"" !  excludeKmethods"" "  Read"the"Adobe"BlazeDS"security"docs"

21. Securing$Flash$Remoting$ !  AMFPHP" "  Methods"that"start"with"an"underscore"cannot"be" remotely"called" "  Remove"the"Service"Browser"and"DiscoveryService" service" " 

    Disable"remote"tracing"and"debugging"headers"by" setting"PRODUCTION_SERVER" "  Use"beforeFilter"for"authorization"controls" !  PYAMF" "  Enable"authentication"on"the"server"

22. Questions$&$Comments$ !  Next"Steps" !  Future"Research" !  Latest"Code"" "  "deblazeK tool.appspot.com"

    !  Thanks" "  Spiderlabs" "  Nick"Joyce" "  Stads9000" "  GDS"crew" !  Contact"me:" "  [email protected]" "  [email protected]"