Deblaze - A remote method enumeration tool for flex servers

Transcript

1. Deblaze A Flex Remoting Enumeration Toolkit Jon Rose

2. Copyright Trustwave 2009 Confidential Who am I? Jon Rose • 

   Trustwave’s SpiderLabs •  Washington DC Background •  Network & App Pentesting •  Architecture & Code Review •  SDLC Security •  Training

3. Copyright Trustwave 2009 Confidential What’s this all about Flash /

   Flex Overview Common Vulns & Attacks Remoting Primer Intro to Deblaze Demos

4. Copyright Trustwave 2009 Confidential Browser Plugins

5. Copyright Trustwave 2009 Confidential

6. Copyright Trustwave 2009 Confidential Flash Client-side UI SWF files Requires

   flash player Designers / UI Ads, banners, games Consistent across browsers

7. Copyright Trustwave 2009 Confidential Flex Designed for programmers MXML for

   UI (compiles into AS) ActionScript code Event-driven J2EE application server

8. Copyright Trustwave 2009 Confidential ActionScript Scripting language based on ECMAScript

   Tokenized/compiled into bytecode Runs in an Actionscript Virtual Machine (AVM)

9. Copyright Trustwave 2009 Confidential Flex Timeline Open Source (Dec 2007)

   •  Action Message Format Protocol (AMF) •  BlazeDS Flex 3 (March 2009) •  Open source SDK •  Support for Adobe AIR Flex 1 (March 2004) •  Flex Builder IDE •  Flex Data Services Flex 2 (June 2006) •  SDK free download •  Eclipse integration •  Flex Data Services 2 •  ActionScript 3 *Wikipedia)highlights*)

10. Vulnerabilities & Attacks: Flaws vs. Bugs Custom Code vs. Underlying

    Technology

11. Copyright Trustwave 2009 Confidential Client-Side Storage Local Shared Object AKA

    Flash Cookies •  .SOL file •  AMF format Cookie Management

12. Copyright Trustwave 2009 Confidential Debug Functionality Often inadvertently left in

    production code •  “Backdoors” used for testing •  TRACE() statement

13. Copyright Trustwave 2009 Confidential User Supplied Parameters http://site/flash.swf?img=http://trustwave.com/logo.gif

14. Copyright Trustwave 2009 Confidential Cross-Site Scripting (XSS) Authoring tools generate

    XSS SWF files (2008) •  Adobe Dreamweaver •  Adobe Acrobat Connect •  InfoSoft FusionCharts •  Techsmith Camtasia main.swf? baseurl=asfunction:getURL ,javascript:alert(1)//

15. Copyright Trustwave 2009 Confidential DOM-based XSS Adobe Flex 3.3 SDK

    •  FlexBuilder generates vulnerable wrapper html •  index.template.html file •  Adam Bixby of Gotham Digital Science (CVE-2009-1879) http://FlexApp/Flex/ index.template.html?”/></object><XSS attack string goes here>

16. Copyright Trustwave 2009 Confidential Flash Player Vulnerabilities

17. Copyright Trustwave 2009 Confidential ActionScript Heap Spraying Source:)blog.fireeye.com)

18. Flex Data Services

19. Copyright Trustwave 2009 Confidential Flex Data Services Data Management • 

    Update client and/or server when data changes Messaging •  Real Time Messaging protocol (RTMP) •  Pub-sub model •  Real-time data streaming Remoting •  HTTP, SOAP, AMF, RTMP •  Automatic data marshalling PDF •  Create and edit PDF’s

20. Copyright Trustwave 2009 Confidential

21. Copyright Trustwave 2009 Confidential AMF Implementations

22. Copyright Trustwave 2009 Confidential AMF Server-Side Components Gateway •  URL

    Destination of AMF server Service •  Refers to Class that implements functionality Method •  Method to be invoked

23. Copyright Trustwave 2009 Confidential Same Origin Policy

24. Copyright Trustwave 2009 Confidential AMF Debug Headers Debug information is

    requested by a header and returned as a body object •  amf_server_debug header Not implemented in •  blazeds •  Red5 •  PyAMF •  Check php! Default services file

25. Copyright Trustwave 2009 Confidential AMF Version 3 Serialized ActionScript objects

    •  Strongly Typed •  Transported as HTTP POST body in Remoting •  Request/response message same structure •  Remoting envelope can contain several requests Used in: •  Flash Remoting •  ByteArray •  NetStream •  Shared Objects

26. Copyright Trustwave 2009 Confidential AMF Response onStatus - runtime errors

    onResult - successful calls onDebugEvents - debug information

27. Copyright Trustwave 2009 Confidential AMF 3 Types undefined-marker = 0x00

    null-marker = 0x01 false-marker = 0x02 true-marker = 0x03 integer-marker = 0x04 double-marker = 0x05 string-marker = 0x06 xml-doc-marker = 0x07 date-marker = 0x08 array-marker = 0x09 object-marker = 0x0A xml-marker = 0x0B byte-array-marker = 0x0C

28. Copyright Trustwave 2009 Confidential Potential Problems

29. Copyright Trustwave 2009 Confidential Flex Remoting Insecurity Developers fail to

    restrict access to methods: •  Authentication •  Authorization Method & Service names can be brute-forced Flex servers can be fingerprinted

30. Copyright Trustwave 2009 Confidential Flex Remoting Insecurity Common vulns in

    remote methods: •  Injections •  Information leakage •  Denial of service •  Privilege escalation

31. Deblaze

32. Copyright Trustwave 2009 Confidential Deblaze Overview •  Bruteforce services, methods,

    parameters •  Perform basic parameter fuzzing •  Proxy and decode AMF messages •  Manually call AMF remoting methods

33. Copyright Trustwave 2009 Confidential Deblaze History Version 0.1 •  Basic

    Method calls Version 0.2 •  Automated decompilation (swfdump) •  HTML Reporting •  Basic Method Parameter Fuzzing •  Full Auto Mode Version 0.3 •  Proxy Mode − GW, Service, Method extraction − Enhanced Fuzzing •  PyAMF version 0.5

34. Copyright Trustwave 2009 Confidential Deblaze Design Leverage PyAMF library Separate

    thread runs twisted proxy code •  Reactor Pattern Output manager handles display, reporting •  Implemented as a Singleton Next Steps •  Code cleanup, interface refactoring •  Event-driven asynchronous model around Twisted Reactor

35. Copyright Trustwave 2009 Confidential

36. Copyright Trustwave 2009 Confidential

37. Copyright Trustwave 2009 Confidential Attacking Flash Remoting Sun Fire E25K

    HTTP/AMF(

38. Copyright Trustwave 2009 Confidential Attacking Flash Remoting Sun Fire E25K

    HTTP/AMF( Decompile)Client(

39. Copyright Trustwave 2009 Confidential Attacking Flash Remoting Sun Fire E25K

    HTTP/AMF( Sniff(AMF(

40. Copyright Trustwave 2009 Confidential Attacking Flash Remoting Sun Fire E25K

    HTTP/AMF( Bruteforce(

41. Copyright Trustwave 2009 Confidential Attacking Flash Remoting "http://{server.name}:{server.port}/blazeds/ messagebroker/amfpolling Service(

    Method( Parameters(

42. Copyright Trustwave 2009 Confidential Insecure Remoting Example

43. Reverse Engineering SWF Client

44. Copyright Trustwave 2009 Confidential Finding Remoting Calls Decompile SWF file

    •  swfdump •  Sothink SWF decompiler •  HP SWFScan Regex)for:) Send,)Service,)Remote,)…)

45. Copyright Trustwave 2009 Confidential SWF Remoting Search Search for remoting

    methods findstr /I /N /S ”sender\." *.as

46. Provides URL's and service names Destination id represents services • 

    securityService •  exampleService •  mathService Remoting ServerConfig.xml

47. Copyright Trustwave 2009 Confidential Finding Remoting Calls Analyze ServerConfig.xml Regex

    for remoting methods ./swfdump -D BankApp.swf 2>/dev/null | grep "service id” ./swfdump -D BankApp.swf 2>/dev/null | grep "findproperty <q>\[public\]::remObj"

48. Copyright Trustwave 2009 Confidential SoThink

49. Copyright Trustwave 2009 Confidential HP SWFScan

50. Intercepting Network Traffic

51. Copyright Trustwave 2009 Confidential AMF Network Traffic Charles proxy can

    intercept and decode AMF traffic Wireshark captures AMF, but no native decoder Burp Pro can be used to capture and decode AMF TwistedMatrix provides generic proxy capabilities

52. Copyright Trustwave 2009 Confidential AMF Network – Charles Proxy

53. Copyright Trustwave 2009 Confidential AMF Network – Wireshark

54. Copyright Trustwave 2009 Confidential AMF Network – Burp Pro

55. Copyright Trustwave 2009 Confidential AMF Network – Deblaze + Twisted

    Leverage Twisted for proxy functionality Runs on background thread View and modify AMF traffic on the wire

56. Copyright Trustwave 2009 Confidential AMF Network – Proxy Mode

57. Dictionary Attacks

58. Copyright Trustwave 2009 Confidential Dictionary Attacks Determine valid service and

    methods •  Based on error messages •  Fairly fast •  Easily predictable method/service names − getters − setters •  Possible to build default wordlist

59. Demos

60. Copyright Trustwave 2009 Confidential Demonstrations Decompile SWF and Regex Remoting

    methods Automatically download and enumerate methods ProxyMode only Bruteforce services and methods Perform automatic download, analysis, fuzzing

61. Securing Flex Remoting

62. Copyright Trustwave 2009 Confidential Securing Flex Remoting BlazeDS •  Only

    public methods defined in remoting-config can be called •  Use security-constraints in remoting-config.xml to each method − include-methods − exclude-methods •  Read the Adobe BlazeDS security docs

63. Copyright Trustwave 2009 Confidential Securing Flex Remoting AMFPHP •  Methods

    that start with an underscore cannot be remotely called •  Remove the Service Browser and DiscoveryService service •  Disable remote tracing and debugging headers by setting PRODUCTION_SERVER •  Use beforeFilter for authorization controls PYAMF •  Enable authentication on the server

64. Copyright Trustwave 2009 Confidential Future of Flash

65. Copyright Trustwave 2009 Confidential Next Steps & Research RTMF • 

    Parse/Edit RTMF •  Audio/Video stream to disk Wireshark Dissector GUI •  Pyjamas •  PyjamasDesktop •  PyGTK

66. Copyright Trustwave 2009 Confidential Questions In case you need some

    sample questions: •  Does this work on all Flex Servers? •  What about RTMS? •  Will you hack in XYZ’s website? •  Where should we drink beers after your talk? •  Can you review our Flex implementation?

67. Thanks! Latest Code •  deblaze-tool.appspot.com •  Tools.trustwave.com Contributors •  SpiderLabs

    •  Nick Joyce •  Stads9000 •  GDS crew Contact me: •  [email protected] •  [email protected]