Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fracking Flex

Marcin Wielgoszewski
June 18, 2010
Technology
2
150

Fracking Flex

SummerCon

Marcin Wielgoszewski

June 18, 2010
Tweet

More Decks by Marcin Wielgoszewski

See All by Marcin Wielgoszewski
A Breath of Fresh Burp
marcinw
2
440

Other Decks in Technology

See All in Technology
Legacy Software: Not Really a Problem!
ewolff
2
120
ゲームタイトル開発側と サーバー基盤の連携事例の紹介
colopl
0
140
K8s 上で laravel を 快適に運用する方法
colopl
0
140
Deploy web frontend apps with AWS CDK
tmokmss
1
150
Code Review Challenge: An example of a solution
line_developers
PRO
1
390
【IoT-Tech Meetup #5】IoTとは?WireGuard概要とIoTで通信を守る理由
soracom
PRO
0
220
クラウドサイン事業本部 プロダクト組織 紹介資料
bengo4com
0
220
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
4.2k
KubeCon China 2023: Adventures in Platform Building
salaboy
0
140
プロダクトオーナーとしてSLOに向き合う 〜Mackerelチームの事例〜 / SRE NEXT 2023
tatsuru
PRO
0
270
Priorityを制するものはローディングを制す
edwardkenfox
4
330
Case Studies: Modern Development Practices In Highly Regulated Environments
charity
2
1.3k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
112
17k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
300
Code Review Best Practice
trishagee
53
13k
Debugging Ruby Performance
tmm1
68
11k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Product Roadmaps are Hard
iamctodd
42
8.8k
Building Effective Engineering Teams - LeadDev
addyosmani
21
970
Git: the NoSQL Database
bkeepers
PRO
420
61k
Side Projects
sachag
450
39k
Design by the Numbers
sachag
272
18k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Rails Girls Zürich Keynote
gr2m
90
12k

Transcript

  1. Fracking Flex
    SummerC0n 2010
    New York, NY
    Because a Flash 0day is so hard to come by…

    View Slide

  2. Fracking Flex
    SummerC0n 2010
    New York, NY
    buf[rn] = "%c" % rbyte

    View Slide

  3. Who am I?
    Marcin Wielgoszewski
    • Security Engineer
    • Gotham Digital Science

    View Slide

  4. Intro to Flash, Flex and AIR
    What is Flex and how does it differ from Flash?
    • Flash originally developed for client-side,
    vector-based animations and video
    • Flex provides the framework for building RIA’s
    using the Adobe Flash platform
    • AIR allows developers to build desktop
    applications using Adobe Flash

    View Slide

  5. Adobe LiveCycleDS, BlazeDS, et al.
    Utilize existing application logic with Flex
    • Provides remoting and messaging capabilities
    • Connects backend data services
    • Real-time data push to Flash clients

    View Slide

  6. Client / Server Architecture
    AMFChannel
    HTTPChannel
    Client Server

    View Slide

  7. Channels
    Client talks to a server endpoint over a Channel
    • AMFChannel encapsulates data in AMF
    • HTTPChannel encapsulates data in AMFX
    • Streaming and Polling channels
    • “Secure” channels occur over HTTPS

    View Slide

  8. Endpoints
    Channels route requests to a defined endpoint
    • Servlet-based – AMF/HTTP
    • NIO-based – RTMP/AMF/HTTP
    • Endpoints ultimately route to a destination

    View Slide

  9. Destinations
    Here is where a request will ultimately end up
    • Could be one of
    – Remoting service
    – Proxy service
    – Message service

    View Slide

  10. Client / Server Architecture
    AMFChannel
    HTTPChannel
    Client Server Destination

    View Slide

  11. Action Message Format
    Adobe format used for data exchange
    • Used over AMFChannel/AMFEndpoints
    • Requests are serialized into a compact binary
    format
    • Responses are deserialized and processed
    • 7-10x faster over XML*

    View Slide

  12. Peek into AMF
    AMF Envelopes contain Request Messages
    • One HTTP request/response may have several
    AMF requests/responses
    – RemotingMessage
    – AsyncMessage / CommandMessage
    – AcknowledgeMessage / ErrorMessage
    – HTTPMessage / SOAPMessage

    View Slide

  13. AMF over the wire
    0x00000000: 00 03 00 00 00 01 00 04 6e 75 6c 6c 00 02 2f 31 |........null../1|
    0x00000010: 00 00 00 00 0a 00 00 00 01 11 0a 81 13 4f 66 6c |.............Ofl|
    0x00000020: 65 78 2e 6d 65 73 73 61 67 69 6e 67 2e 6d 65 73 |ex.messaging.mes|
    0x00000030: 73 61 67 65 73 2e 52 65 6d 6f 74 69 6e 67 4d 65 |sages.RemotingMe|
    0x00000040: 73 73 61 67 65 09 62 6f 64 79 11 63 6c 69 65 6e |ssage.body.clien|
    0x00000050: 74 49 64 17 64 65 73 74 69 6e 61 74 69 6f 6e 0f |tId.destination.|
    0x00000060: 68 65 61 64 65 72 73 13 6d 65 73 73 61 67 65 49 |headers.messageI|
    0x00000070: 64 13 6f 70 65 72 61 74 69 6f 6e 0d 73 6f 75 72 |d.operation.sour|
    0x00000080: 63 65 15 74 69 6d 65 54 6f 4c 69 76 65 13 74 69 |ce.timeToLive.ti|
    0x00000090: 6d 65 73 74 61 6d 70 09 01 01 01 06 0f 70 72 6f |mestamp......pro|
    0x000000A0: 64 75 63 74 0a 0b 01 09 44 53 49 64 06 49 38 32 |duct....DSId.I82|
    0x000000B0: 33 30 44 32 35 31 2d 37 42 31 43 2d 34 44 36 46 |30D251-7B1C-4D6F|
    0x000000C0: 2d 39 33 43 45 2d 45 30 30 41 33 41 42 37 37 46 |-93CE-E00A3AB77F|
    0x000000D0: 34 41 15 44 53 45 6e 64 70 6f 69 6e 74 06 0d 6d |4A.DSEndpoint..m|
    0x000000E0: 79 2d 61 6d 66 01 06 49 45 33 38 39 42 45 45 41 |y-amf..IE389BEEA|
    0x000000F0: 2d 46 45 32 45 2d 34 43 37 45 2d 42 31 44 30 2d |-FE2E-4C7E-B1D0-|
    0x00000100: 37 33 31 43 46 44 31 30 46 41 36 32 06 17 67 65 |731CFD10FA62..ge|
    0x00000110: 74 50 72 6f 64 75 63 74 73 01 01 01 |tProducts... |

    View Slide

  14. Identifying message properties
    The operation called
    The destination service
    The endpoint
    The channel id

    View Slide

  15. AMF RemotingMessage
    Send RPC’s to remote service methods
    • Contain the following attributes
    – body
    – destination
    – operation
    – and more…

    View Slide

  16. Flex Remoting Services
    Send complex data structures to services
    • Data types and object are preserved from
    client to server
    • Client side Flash ValueObjects interact with
    backend POJOs

    View Slide

  17. body is an array of objects
    • body[0] = string
    • body[1] = java.util.Date
    • body[2] = java.util.Date
    • body[3] = array [
    – string, string, string ]
    • body[4] = map {
    – [string, string, string] }
    Complex Data Structures

    View Slide

  18. RECONNAISSANCE
    Fracking Flex
    Is it time for flip cup yet?!?

    View Slide

  19. Identify Services and Methods
    Inspect the traffic through an HTTP proxy
    • Burp Suite, WebScarab, Charles, Wireshark
    • Identify the
    – Destination service
    – Operation
    – Endpoint
    • How many parameters (and type) are passed?

    View Slide

  20. Decompiling SWFs
    The beauty of having client-side code
    • AS and MXML is compiled to bytecode
    • Developers expose all sorts of good stuff
    – Usernames and passwords
    – URLs and connection strings
    – Hidden functionality
    – and other sensitive data

    View Slide

  21. Decompiling SWFs
    Common strings to look for in decompiled code
    • RemoteObject | WebService | HTTPService
    • .destination | .operation | .useProxy
    • get | set | add | remove | create | delete

    View Slide

  22. Local SharedObjects
    Persistent “cookies” that reside on filesystem
    • Often used to save UI preferences
    • Sometimes find cool stuff
    – Session IDs
    – User/Role information
    – Sensitive data

    View Slide

  23. ATTACKING REMOTING SERVICES
    Fracking Flex

    View Slide

  24. Enumerating Remoting Services
    Do methods/destinations show a pattern?
    • Try calling other methods that might be there
    – DeBlaze attempts to enumerate by bruteforce

    View Slide

  25. I got 99 Messages
    But my HTTP requests’ only one
    • Remember, an AMF Envelope can contain
    more than one Request
    • Can we enumerate in just one HTTP request?

    View Slide

  26. DEMO
    Remoting Services

    View Slide

  27. Significantly reduce bytes sent and time to test
    • Same technique can be applied to fuzzing
    • For example…
    530 separate HTTP requests
    – 150 bytes of headers
    – Content-Length: 282
    – 1 destination: 1 method
    – About 3 minutes
    1 HTTP request to do it all:
    – 155 bytes of headers
    – Content-Length: 148538
    – 1 destination: 530 methods
    – < 3 seconds
    A Quick Comparison

    View Slide

  28. Custom ValueObjects
    The server complains about invalid types. WTF?
    "Cannot convert type java.lang.String with value 'marcin' to
    an instance of class flex.samples.crm.employee.Employee"
    • The client binds ActionScript ValueObjects to
    server-side POJO’s
    • Simply passing a string, boolean or an integer
    isn’t enough

    View Slide

  29. Reversing a ValueObject
    Well then, what do we do now?
    • Decompile client-side code
    • Identify the object’s namespace
    • Identify the object members that are set
    • Read the AMF spec and start reversing…

    View Slide

  30. Creating ValueObjects
    Use PyAMF or similar API to create a VO
    • Define your class and class members
    • Alias the class with a namespace
    • Pass object as parameter to method

    View Slide

  31. Crafting VO’s with Python
    # Below is some Python-fu for creating an Object Factory
    class Factory(object):
    def __init__(self, *args, **kwargs):
    self.__dict__.update(kwargs)
    # Register our object factory with a class alias
    pyamf.register_class(Factory, "flex.samples.crm.employee.Employee")
    # Instantiate a "Employee" using our object factory:
    marcin = Factory(**{'firstName': "Marcin",
    'lastName': "Wielgoszewski",
    'phone': "555-555-5555",
    'email': "[email protected]",})

    View Slide

  32. DEMO
    Custom ValueObjects
    No scanner does this, wtf

    View Slide

  33. WE HOP THESE THROUGH PROXIES
    Fracking Flex
    So your packet log is nothing…

    View Slide

  34. BlazeDS Proxy Services
    Connect Flex applications to backend services
    • Request resources from another domain
    • AMF/X wrapped HTTP/SOAP requests

    View Slide

  35. Proxy Service Architecture
    BlazeDS
    Client
    "catalog"
    Destination

    View Slide

  36. AMF HTTPMessage / SOAPMessage
    BlazeDS will call a destination on client’s behalf
    • Get around crossdomain policy restrictions
    • Don’t want to expose internal service publicly
    • HTTP methods supported
    – GET, POST, HEAD, OPTIONS, TRACE, DELETE

    View Slide

  37. Pivoting Intranets through BlazeDS
    Proxy Services have inherent risks
    • Proxy Services often configured insecurely
    • Expose internal/Intranet apps to world
    • Culprit? wildcards in proxy-config.xml
    – *
    – *

    View Slide



  38. ..snip..


    *




    http://livecycledata.org/services/ProductWS?wsdl
    *



    WEB-INF\flex\proxy-config.xml

    View Slide

  39. Proxy Service Architecture
    BlazeDS
    Client
    "catalog"
    Destination
    Target

    View Slide

  40. Blazentoo
    A tool to exploit Proxy Services
    • Browse websites reachable from server
    – Hello Intranet applications!
    • Can also be a crude port scanner
    – Just specify another port
    – Connection might get refused, reset or stay open…

    View Slide

  41. DEMO
    Blazentoo
    So f*k your firewall trying to hide your ports

    View Slide

  42. Some Peculiar Behavior…
    Destination server response header leakage?
    • Proxy request to http://www.google.com/
    HTTP/1.1 200 OK
    ..snip..
    Server: Apache-Coyote/1.1
    Set-Cookie: FLEX_1703289594_47_NID=; Path=/
    Server: gws
    X-XSS-Protection: 1; mode=block

    View Slide

  43. Flex Assessment Methodology
    Let’s recap:
    • Passively analyze traffic
    • Decompile SWF and identify stored secrets
    • Enumerate services, methods & endpoints
    – Input validation, fuzzing, etc
    – Check enforcement of AuthN and AuthZ controls
    • Exploit insecure configurations

    View Slide

  44. Thanks!
    SummerC0n and everyone else who came
    • NYSEC crew and all who’ve seen this 3x now
    • My fellow GDS colleagues

    View Slide

  45. QUESTIONS?
    Marcin Wielgoszewski
    Gotham Digital Science
    http://www.gdssecurity.com
    [email protected]

    View Slide

  46. References
    References
    BlazeDS Developer Guide - http://livedocs.adobe.com/blazeds/1/blazeds_devguide/
    GDS Security Blog - http://www.gdssecurity.com/l/b/
    Tools
    Burp Suite - http://portswigger.net/suite/
    Charles Proxy - http://www.charles.com/
    DeBlaze - http://deblaze-tool.appspot.com/
    Libraries
    PyAMF - http://www.pyamf.org/
    RubyAMF - http://rubyamf.org/
    AMF::Perl - http://www.simonf.com/flap/

    View Slide

  47. AMFX
    Uses an HTTPChannel/HTTPEndpoint
    • AMF objects are serialized to XML
    • Usually provided as a fallback channel
    • Different channel == different endpoint
    – URL for AMFX endpoint will differ from AMF

    View Slide

  48. Message serialized to AMFX
    xmlns="http://www.macromedia.com/2005/amfx">



    body
    clientId
    ..snip..



    View Slide

  49. AMF CommandMessage
    is used to… send commands!
    • Mechanism for sending commands related to
    publish/subscribe, ping, cluster operations
    – Ping
    – Login / Logout
    – Subscribe / Unsubscribe
    – and more..

    View Slide

  50. body is an array of objects
    • body[0] = string
    • body[1] = java.util.Date
    • body[2] = java.util.Date
    • body[3] = array [
    – string, string, string ]
    • body[4] = map {
    – [string, string, string] }
    Complex Data Structures Revisited

    View Slide

  51. Complex Data Structures Revisited
    Check your API’s language type mapping
    • Python datetime = date
    • Python int/float/long = number
    • Python list/tuple = array
    • Python dict = map

    View Slide