Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fracking Flex

Marcin Wielgoszewski
June 18, 2010
Technology
2
140

Fracking Flex

SummerCon

Marcin Wielgoszewski

June 18, 2010
Tweet

More Decks by Marcin Wielgoszewski

See All by Marcin Wielgoszewski
A Breath of Fresh Burp
marcinw
2
420

Other Decks in Technology

See All in Technology
Deep Neural Networkの共同学習
hf149
0
280
OpenShiftでスポットVMを使おう.pdf
jpishikawa
1
340
OCI DevOps 概要 / OCI DevOps overview
oracle4engineer
PRO
0
490
PCL (Point Cloud Library)の基本となぜ点群処理か_2023年_第2版.pdf
cvmlexpertguide
0
170
re:Inventで発表があったIoT事例の紹介と考察
kizawa2020
0
180
PHPのimmutable arrayとは
hnw
1
160
Oktaの管理者権限を適切に移譲してみた
shimosyan
2
270
AWS re:Invent 2022で発表された新機能を試してみた ~Cloud OperationとSecurity~ / New Cloud Operation and Security Features Announced at AWS reInvent 2022
yuj1osm
1
210
Exploring MapStore Release 2022.02: improved 3DTiles support and more
simboss
PRO
0
370
【NGK2023S】 ノードエディタ形式の画像処理ツール「Image-Processing-Node-Editor」
kazuhitotakahashi
0
290
NGINXENG JP#2 - 3-NGINX Plus・プロダクトのアップデート
hiropo20
0
240
創業1年目のスタートアップでAWSコストを抑えるために取り組んでいること / How to Keep AWS Costs Down at a Startup
yuj1osm
3
2.1k

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
689
180k
Six Lessons from altMBA
skipperchong
15
2.3k
Testing 201, or: Great Expectations
jmmastey
25
5.7k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
10
1.3k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
For a Future-Friendly Web
brad_frost
166
7.8k
We Have a Design System, Now What?
morganepeng
37
5.9k
What's in a price? How to price your products and services
michaelherold
233
9.7k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
6
4.5k
Optimizing for Happiness
mojombo
365
64k
Making Projects Easy
brettharned
102
4.8k

Transcript

  1. Fracking Flex SummerC0n 2010 New York, NY Because a Flash

    0day is so hard to come by…

  2. Fracking Flex SummerC0n 2010 New York, NY buf[rn] = "%c"

    % rbyte

  3. Who am I? Marcin Wielgoszewski • Security Engineer • Gotham

    Digital Science

  4. Intro to Flash, Flex and AIR What is Flex and

    how does it differ from Flash? • Flash originally developed for client-side, vector-based animations and video • Flex provides the framework for building RIA’s using the Adobe Flash platform • AIR allows developers to build desktop applications using Adobe Flash

  5. Adobe LiveCycleDS, BlazeDS, et al. Utilize existing application logic with

    Flex • Provides remoting and messaging capabilities • Connects backend data services • Real-time data push to Flash clients

  6. Client / Server Architecture AMFChannel HTTPChannel Client Server

  7. Channels Client talks to a server endpoint over a Channel

    • AMFChannel encapsulates data in AMF • HTTPChannel encapsulates data in AMFX • Streaming and Polling channels • “Secure” channels occur over HTTPS

  8. Endpoints Channels route requests to a defined endpoint • Servlet-based

    – AMF/HTTP • NIO-based – RTMP/AMF/HTTP • Endpoints ultimately route to a destination

  9. Destinations Here is where a request will ultimately end up

    • Could be one of – Remoting service – Proxy service – Message service

  10. Client / Server Architecture AMFChannel HTTPChannel Client Server Destination

  11. Action Message Format Adobe format used for data exchange •

    Used over AMFChannel/AMFEndpoints • Requests are serialized into a compact binary format • Responses are deserialized and processed • 7-10x faster over XML*

  12. Peek into AMF AMF Envelopes contain Request Messages • One

    HTTP request/response may have several AMF requests/responses – RemotingMessage – AsyncMessage / CommandMessage – AcknowledgeMessage / ErrorMessage – HTTPMessage / SOAPMessage

  13. AMF over the wire 0x00000000: 00 03 00 00 00

    01 00 04 6e 75 6c 6c 00 02 2f 31 |........null../1| 0x00000010: 00 00 00 00 0a 00 00 00 01 11 0a 81 13 4f 66 6c |.............Ofl| 0x00000020: 65 78 2e 6d 65 73 73 61 67 69 6e 67 2e 6d 65 73 |ex.messaging.mes| 0x00000030: 73 61 67 65 73 2e 52 65 6d 6f 74 69 6e 67 4d 65 |sages.RemotingMe| 0x00000040: 73 73 61 67 65 09 62 6f 64 79 11 63 6c 69 65 6e |ssage.body.clien| 0x00000050: 74 49 64 17 64 65 73 74 69 6e 61 74 69 6f 6e 0f |tId.destination.| 0x00000060: 68 65 61 64 65 72 73 13 6d 65 73 73 61 67 65 49 |headers.messageI| 0x00000070: 64 13 6f 70 65 72 61 74 69 6f 6e 0d 73 6f 75 72 |d.operation.sour| 0x00000080: 63 65 15 74 69 6d 65 54 6f 4c 69 76 65 13 74 69 |ce.timeToLive.ti| 0x00000090: 6d 65 73 74 61 6d 70 09 01 01 01 06 0f 70 72 6f |mestamp......pro| 0x000000A0: 64 75 63 74 0a 0b 01 09 44 53 49 64 06 49 38 32 |duct....DSId.I82| 0x000000B0: 33 30 44 32 35 31 2d 37 42 31 43 2d 34 44 36 46 |30D251-7B1C-4D6F| 0x000000C0: 2d 39 33 43 45 2d 45 30 30 41 33 41 42 37 37 46 |-93CE-E00A3AB77F| 0x000000D0: 34 41 15 44 53 45 6e 64 70 6f 69 6e 74 06 0d 6d |4A.DSEndpoint..m| 0x000000E0: 79 2d 61 6d 66 01 06 49 45 33 38 39 42 45 45 41 |y-amf..IE389BEEA| 0x000000F0: 2d 46 45 32 45 2d 34 43 37 45 2d 42 31 44 30 2d |-FE2E-4C7E-B1D0-| 0x00000100: 37 33 31 43 46 44 31 30 46 41 36 32 06 17 67 65 |731CFD10FA62..ge| 0x00000110: 74 50 72 6f 64 75 63 74 73 01 01 01 |tProducts... |

  14. Identifying message properties The operation called The destination service The

    endpoint The channel id

  15. AMF RemotingMessage Send RPC’s to remote service methods • Contain

    the following attributes – body – destination – operation – and more…

  16. Flex Remoting Services Send complex data structures to services •

    Data types and object are preserved from client to server • Client side Flash ValueObjects interact with backend POJOs

  17. body is an array of objects • body[0] = string

    • body[1] = java.util.Date • body[2] = java.util.Date • body[3] = array [ – string, string, string ] • body[4] = map { – [string, string, string] } Complex Data Structures

  18. RECONNAISSANCE Fracking Flex Is it time for flip cup yet?!?

  19. Identify Services and Methods Inspect the traffic through an HTTP

    proxy • Burp Suite, WebScarab, Charles, Wireshark • Identify the – Destination service – Operation – Endpoint • How many parameters (and type) are passed?

  20. Decompiling SWFs The beauty of having client-side code • AS

    and MXML is compiled to bytecode • Developers expose all sorts of good stuff – Usernames and passwords – URLs and connection strings – Hidden functionality – and other sensitive data

  21. Decompiling SWFs Common strings to look for in decompiled code

    • RemoteObject | WebService | HTTPService • .destination | .operation | .useProxy • get | set | add | remove | create | delete

  22. Local SharedObjects Persistent “cookies” that reside on filesystem • Often

    used to save UI preferences • Sometimes find cool stuff – Session IDs – User/Role information – Sensitive data

  23. ATTACKING REMOTING SERVICES Fracking Flex

  24. Enumerating Remoting Services Do methods/destinations show a pattern? • Try

    calling other methods that might be there – DeBlaze attempts to enumerate by bruteforce

  25. I got 99 Messages But my HTTP requests’ only one

    • Remember, an AMF Envelope can contain more than one Request • Can we enumerate in just one HTTP request?

  26. DEMO Remoting Services

  27. Significantly reduce bytes sent and time to test • Same

    technique can be applied to fuzzing • For example… 530 separate HTTP requests – 150 bytes of headers – Content-Length: 282 – 1 destination: 1 method – About 3 minutes 1 HTTP request to do it all: – 155 bytes of headers – Content-Length: 148538 – 1 destination: 530 methods – < 3 seconds A Quick Comparison

  28. Custom ValueObjects The server complains about invalid types. WTF? "Cannot

    convert type java.lang.String with value 'marcin' to an instance of class flex.samples.crm.employee.Employee" • The client binds ActionScript ValueObjects to server-side POJO’s • Simply passing a string, boolean or an integer isn’t enough

  29. Reversing a ValueObject Well then, what do we do now?

    • Decompile client-side code • Identify the object’s namespace • Identify the object members that are set • Read the AMF spec and start reversing…

  30. Creating ValueObjects Use PyAMF or similar API to create a

    VO • Define your class and class members • Alias the class with a namespace • Pass object as parameter to method

  31. Crafting VO’s with Python # Below is some Python-fu for

    creating an Object Factory class Factory(object): def __init__(self, *args, **kwargs): self.__dict__.update(kwargs) # Register our object factory with a class alias pyamf.register_class(Factory, "flex.samples.crm.employee.Employee") # Instantiate a "Employee" using our object factory: marcin = Factory(**{'firstName': "Marcin", 'lastName': "Wielgoszewski", 'phone': "555-555-5555", 'email': "[email protected]",})

  32. DEMO Custom ValueObjects No scanner does this, wtf

  33. WE HOP THESE THROUGH PROXIES Fracking Flex So your packet

    log is nothing…

  34. BlazeDS Proxy Services Connect Flex applications to backend services •

    Request resources from another domain • AMF/X wrapped HTTP/SOAP requests

  35. Proxy Service Architecture BlazeDS Client "catalog" Destination

  36. AMF HTTPMessage / SOAPMessage BlazeDS will call a destination on

    client’s behalf • Get around crossdomain policy restrictions • Don’t want to expose internal service publicly • HTTP methods supported – GET, POST, HEAD, OPTIONS, TRACE, DELETE

  37. Pivoting Intranets through BlazeDS Proxy Services have inherent risks •

    Proxy Services often configured insecurely • Expose internal/Intranet apps to world • Culprit? wildcards in proxy-config.xml – <dynamic-url>*</dynamic-url> – <soap>*</soap>

  38. <?xml version="1.0" encoding="UTF-8"?> <service id="proxy-service" class="flex.messaging.services.HTTPProxyService"> ..snip.. <destination id="catalog"> <properties>

    <dynamic-url>*</dynamic-url> </properties> </destination> <destination id="ws-catalog"> <properties> <wsdl>http://livecycledata.org/services/ProductWS?wsdl</wsdl> <soap>*</soap> </properties> <adapter ref="soap-proxy"/> </destination> WEB-INF\flex\proxy-config.xml

  39. Proxy Service Architecture BlazeDS Client "catalog" Destination Target

  40. Blazentoo A tool to exploit Proxy Services • Browse websites

    reachable from server – Hello Intranet applications! • Can also be a crude port scanner – Just specify another port – Connection might get refused, reset or stay open…

  41. DEMO Blazentoo So f*k your firewall trying to hide your

    ports

  42. Some Peculiar Behavior… Destination server response header leakage? • Proxy

    request to http://www.google.com/ HTTP/1.1 200 OK ..snip.. Server: Apache-Coyote/1.1 Set-Cookie: FLEX_1703289594_47_NID=<blah>; Path=/ Server: gws X-XSS-Protection: 1; mode=block

  43. Flex Assessment Methodology Let’s recap: • Passively analyze traffic •

    Decompile SWF and identify stored secrets • Enumerate services, methods & endpoints – Input validation, fuzzing, etc – Check enforcement of AuthN and AuthZ controls • Exploit insecure configurations

  44. Thanks! SummerC0n and everyone else who came • NYSEC crew

    and all who’ve seen this 3x now • My fellow GDS colleagues

  45. QUESTIONS? Marcin Wielgoszewski Gotham Digital Science http://www.gdssecurity.com [email protected]

  46. References References BlazeDS Developer Guide - http://livedocs.adobe.com/blazeds/1/blazeds_devguide/ GDS Security Blog

    - http://www.gdssecurity.com/l/b/ Tools Burp Suite - http://portswigger.net/suite/ Charles Proxy - http://www.charles.com/ DeBlaze - http://deblaze-tool.appspot.com/ Libraries PyAMF - http://www.pyamf.org/ RubyAMF - http://rubyamf.org/ AMF::Perl - http://www.simonf.com/flap/

  47. AMFX Uses an HTTPChannel/HTTPEndpoint • AMF objects are serialized to

    XML • Usually provided as a fallback channel • Different channel == different endpoint – URL for AMFX endpoint will differ from AMF

  48. Message serialized to AMFX <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"> <body> <object type="flex.messaging.messages.HTTPMessage">

    <traits> <string>body</string> <string>clientId</string> ..snip.. </object> </body> </amfx>

  49. AMF CommandMessage is used to… send commands! • Mechanism for

    sending commands related to publish/subscribe, ping, cluster operations – Ping – Login / Logout – Subscribe / Unsubscribe – and more..

  50. body is an array of objects • body[0] = string

    • body[1] = java.util.Date • body[2] = java.util.Date • body[3] = array [ – string, string, string ] • body[4] = map { – [string, string, string] } Complex Data Structures Revisited

  51. Complex Data Structures Revisited Check your API’s language type mapping

    • Python datetime = date • Python int/float/long = number • Python list/tuple = array • Python dict = map