Jon Rose
October 10, 2009

Deblaze - A remote method enumeration tool for flex servers

Flash has traditionally been a graphics-heavy technology used to create artistic user interfaces that run in a client's browser. The evolution of Flash was pushed by application developers who wanted to access complex business logic and functionality on remote servers. Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Now Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This talk will describe how Flash remoting works, the technologies that implement it, and the potential security problems related to Flash remoting. A proof-of-concept tool, deblaze, will demonstrate how these remote methods can be attacked. Currently, there are no publicly available tools that are able to perform method enumeration and interrogation from a zero-knowledge perspective.

Transcript

  1. Who am I? (Copyright Trustwave 2009 Confidential)
     Jon Rose
     • Trustwave’s SpiderLabs
     • Washington DC
     Background
     • Network & App Pentesting
     • Architecture & Code Review
     • SDLC Security
     • Training
  2. What’s this all about
     • Flash / Flex Overview
     • Common Vulns & Attacks
     • Remoting Primer
     • Intro to Deblaze
     • Demos
  3. Flash
     • Client-side UI
     • SWF files
     • Requires Flash Player
     • Designers / UI
     • Ads, banners, games
     • Consistent across browsers
  4. Flex
     • Designed for programmers
     • MXML for UI (compiles into AS)
     • ActionScript code
     • Event-driven
     • J2EE application server
  5. ActionScript
     • Scripting language based on ECMAScript
     • Tokenized/compiled into bytecode
     • Runs in an ActionScript Virtual Machine (AVM)
  6. Flex Timeline (Wikipedia highlights)
     Flex 1 (March 2004)
     • Flex Builder IDE
     • Flex Data Services
     Flex 2 (June 2006)
     • SDK free download
     • Eclipse integration
     • Flex Data Services 2
     • ActionScript 3
     Open Source (Dec 2007)
     • Action Message Format Protocol (AMF)
     • BlazeDS
     Flex 3 (March 2009)
     • Open source SDK
     • Support for Adobe AIR
  7. Client-Side Storage
     Local Shared Object, AKA Flash Cookies
     • .SOL file
     • AMF format
     Cookie Management
  8. Debug Functionality
     Often inadvertently left in production code
     • “Backdoors” used for testing
     • TRACE() statement
  9. Cross-Site Scripting (XSS)
     Authoring tools generate XSS SWF files (2008)
     • Adobe Dreamweaver
     • Adobe Acrobat Connect
     • InfoSoft FusionCharts
     • Techsmith Camtasia
     Example: main.swf?baseurl=asfunction:getURL,javascript:alert(1)//
  10. DOM-based XSS
     Adobe Flex 3.3 SDK
     • FlexBuilder generates vulnerable wrapper HTML
     • index.template.html file
     • Adam Bixby of Gotham Digital Science (CVE-2009-1879)
     Example: http://FlexApp/Flex/index.template.html?"/></object><XSS attack string goes here>
  11. Flex Data Services
     Data Management
     • Update client and/or server when data changes
     Messaging
     • Real Time Messaging Protocol (RTMP)
     • Pub-sub model
     • Real-time data streaming
     Remoting
     • HTTP, SOAP, AMF, RTMP
     • Automatic data marshalling
     PDF
     • Create and edit PDFs
  12. AMF Server-Side Components
     Gateway
     • URL destination of AMF server
     Service
     • Refers to the class that implements the functionality
     Method
     • Method to be invoked
  13. AMF Debug Headers
     Debug information is requested by a header and returned as a body object
     • amf_server_debug header
     Not implemented in
     • blazeds
     • Red5
     • PyAMF
     • Check php! Default services file
  14. AMF Version 3
     Serialized ActionScript objects
     • Strongly typed
     • Transported as HTTP POST body in Remoting
     • Request/response message same structure
     • Remoting envelope can contain several requests
     Used in:
     • Flash Remoting
     • ByteArray
     • NetStream
     • Shared Objects
  15. AMF Response
     onStatus - runtime errors
     onResult - successful calls
     onDebugEvents - debug information
  16. AMF 3 Types
     undefined-marker = 0x00
     null-marker = 0x01
     false-marker = 0x02
     true-marker = 0x03
     integer-marker = 0x04
     double-marker = 0x05
     string-marker = 0x06
     xml-doc-marker = 0x07
     date-marker = 0x08
     array-marker = 0x09
     object-marker = 0x0A
     xml-marker = 0x0B
     byte-array-marker = 0x0C
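The marker table above is enough to decode AMF3 primitives by hand. The following Python decoder is an added example, not code from the talk or from Deblaze; it covers the first seven markers (undefined through string), the U29 variable-length integer encoding that the integer and string markers rely on, and AMF3's string reference table, run over a constructed byte sample.

```python
import struct
# AMF3 markers 0x00-0x06 from the talk's table; the decoder covers these seven
UNDEFINED, NULL, FALSE, TRUE, INTEGER, DOUBLE, STRING = range(7)
Undefined = object()  # distinct from None so "undefined" and "null" stay apart

def read_u29(buf, pos):
    """U29 variable-length unsigned int -> (value, new_pos).
    Bytes 1-3 carry 7 bits each (high bit = continue), byte 4 carries 8."""
    value = 0
    for i in range(4):
        b, pos = buf[pos], pos + 1
        if i == 3:
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            break
    return value, pos

def decode_value(buf, pos=0, strings=None):
    """Decode one AMF3 value at buf[pos] -> (python_value, new_pos).
    `strings` is the string reference table shared across one message."""
    strings = [] if strings is None else strings
    marker, pos = buf[pos], pos + 1
    if marker <= TRUE:  # undefined, null, false, true carry no payload
        return (Undefined, None, False, True)[marker], pos
    if marker == INTEGER:  # 29-bit two's complement, bit 28 is the sign
        value, pos = read_u29(buf, pos)
        return (value - 0x20000000 if value & 0x10000000 else value), pos
    if marker == DOUBLE:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == STRING:
        ref, pos = read_u29(buf, pos)
        if not ref & 1:  # low bit clear: reference into the string table
            return strings[ref >> 1], pos
        length = ref >> 1
        s = buf[pos:pos + length].decode("utf-8")
        if length:  # the empty string is never added to the table
            strings.append(s)
        return s, pos + length
    raise ValueError("marker 0x%02X not handled by this example" % marker)

def decode_all(buf):
    values, pos, strings = [], 0, []
    while pos < len(buf):
        v, pos = decode_value(buf, pos, strings)
        values.append(v)
    return values

# Constructed sample: true, 300, -1, 1.5, "hello", a reference to "hello", null
SAMPLE = (b"\x03\x04\x82\x2c\x04\xff\xff\xff\xff\x05" + struct.pack(">d", 1.5)
          + b"\x06\x0bhello" + b"\x06\x00" + b"\x01")
```

Markers 0x07 and up (XML, date, array, object, byte array) need the trait and object reference tables as well and are deliberately left out here.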
  17. Flex Remoting Insecurity
     Developers fail to restrict access to methods:
     • Authentication
     • Authorization
     Method & Service names can be brute-forced
     Flex servers can be fingerprinted
  18. Flex Remoting Insecurity
     Common vulns in remote methods:
     • Injections
     • Information leakage
     • Denial of service
     • Privilege escalation
  19. Deblaze Overview
     • Bruteforce services, methods, parameters
     • Perform basic parameter fuzzing
     • Proxy and decode AMF messages
     • Manually call AMF remoting methods
  20. Deblaze History
     Version 0.1
     • Basic method calls
     Version 0.2
     • Automated decompilation (swfdump)
     • HTML reporting
     • Basic method parameter fuzzing
     • Full auto mode
     Version 0.3
     • Proxy mode
       − GW, Service, Method extraction
       − Enhanced fuzzing
     • PyAMF version 0.5
  21. Deblaze Design
     Leverage PyAMF library
     Separate thread runs Twisted proxy code
     • Reactor pattern
     Output manager handles display, reporting
     • Implemented as a Singleton
     Next Steps
     • Code cleanup, interface refactoring
     • Event-driven asynchronous model around Twisted Reactor
  22. Finding Remoting Calls
     Decompile SWF file
     • swfdump
     • Sothink SWF decompiler
     • HP SWFScan
     Regex for: Send, Service, Remote, …
  23. Remoting ServerConfig.xml
     Provides URLs and service names
     Destination id represents services
     • securityService
     • exampleService
     • mathService
  24. Finding Remoting Calls
     Analyze ServerConfig.xml
     Regex for remoting methods:
       ./swfdump -D BankApp.swf 2>/dev/null | grep "service id"
       ./swfdump -D BankApp.swf 2>/dev/null | grep "findproperty <q>\[public\]::remObj"
  25. AMF Network Traffic
     • Charles proxy can intercept and decode AMF traffic
     • Wireshark captures AMF, but has no native decoder
     • Burp Pro can be used to capture and decode AMF
     • TwistedMatrix provides generic proxy capabilities
  26. AMF Network – Deblaze + Twisted
     • Leverage Twisted for proxy functionality
     • Runs on a background thread
     • View and modify AMF traffic on the wire
  27. Dictionary Attacks
     Determine valid services and methods
     • Based on error messages
     • Fairly fast
     • Easily predictable method/service names
       − getters
       − setters
     • Possible to build a default wordlist
  28. Demonstrations
     • Decompile SWF and regex remoting methods
     • Automatically download and enumerate methods
     • ProxyMode only
     • Bruteforce services and methods
     • Perform automatic download, analysis, fuzzing
  29. Securing Flex Remoting: BlazeDS
     • Only public methods defined in remoting-config can be called
     • Use security-constraints in remoting-config.xml for each method
       − include-methods
       − exclude-methods
     • Read the Adobe BlazeDS security docs
  30. Securing Flex Remoting: AMFPHP
     • Methods that start with an underscore cannot be remotely called
     • Remove the Service Browser and the DiscoveryService service
     • Disable remote tracing and debugging headers by setting PRODUCTION_SERVER
     • Use beforeFilter for authorization controls
     PyAMF
     • Enable authentication on the server
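As an added example (not code from the talk, BlazeDS or AMFPHP), the following Python dispatcher models the controls on slides 29 and 30 against the weaknesses on slides 17 and 27: a per-destination include/exclude list with a per-method role, in the spirit of BlazeDS include-methods and security-constraints; AMFPHP's underscore rule; an authentication check before authorization; and one uniform error to the client, so that the distinct error messages a dictionary attack keys on are never sent. Destination, method and role names are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Destination:
    """One remoting destination, modelled on BlazeDS remoting-config.xml:
    include_methods maps method -> required role (None = any authenticated
    user); exclude_methods is always denied. Names are constructed."""
    source: str
    include_methods: dict = field(default_factory=dict)
    exclude_methods: set = field(default_factory=set)

DESTINATIONS = {
    "accountService": Destination(
        source="com.example.AccountService",
        include_methods={"getBalance": "customer", "getStatement": "customer",
                         "adminReset": "admin"},
        exclude_methods={"debugDump"},
    ),
}

# One uniform client error: distinct not-found / forbidden messages are what dictionary attacks key on
GENERIC_ERROR = "Service call failed"
TARGET_RE = re.compile(r"^([A-Za-z_]\w*)\.([A-Za-z_]\w*)$")

def authorize_call(target_uri, caller_roles, authenticated):
    """Return (allowed, reason); `reason` is for the server-side log only."""
    m = TARGET_RE.match(target_uri)
    if not m:
        return False, "malformed target"
    service, method = m.groups()
    dest = DESTINATIONS.get(service)
    if dest is None:
        return False, "unknown destination"
    if method.startswith("_"):  # AMFPHP rule: underscore methods are never remotable
        return False, "private method"
    if method in dest.exclude_methods or method not in dest.include_methods:
        return False, "method not exposed"
    if not authenticated:
        return False, "unauthenticated"
    required = dest.include_methods[method]
    if required is not None and required not in caller_roles:
        return False, "missing role " + required
    return True, "ok"

def client_response(target_uri, caller_roles, authenticated):
    """What goes on the wire: onResult, or the same onStatus error for every failure."""
    allowed, _ = authorize_call(target_uri, caller_roles, authenticated)
    return ("onResult", target_uri) if allowed else ("onStatus", GENERIC_ERROR)
```

The detailed reason is worth logging server-side: a burst of "unknown destination" and "method not exposed" entries from one client is the footprint of the service/method dictionary attack described on slide 27.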
  31. Next Steps & Research
     RTMF
     • Parse/Edit RTMF
     • Audio/Video stream to disk
     Wireshark Dissector
     GUI
     • Pyjamas
     • PyjamasDesktop
     • PyGTK
  32. Questions
     In case you need some sample questions:
     • Does this work on all Flex Servers?
     • What about RTMS?
     • Will you hack in XYZ’s website?
     • Where should we drink beers after your talk?
     • Can you review our Flex implementation?