Closed
Bug 979013
(flashbang)
Opened 11 years ago
Closed 2 years ago
Asymmetrical allowDomain allows possible cross-site scripting
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
External Software Affecting Firefox Graveyard
Flash (Adobe)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: mwobensmith, Unassigned)
Details
(Keywords: sec-vector)
Attachments
(1 file)
|
58.97 KB,
application/zip
|
Details |
As originally found by Bobby Holley - his sample attached - the use of an asymmetrical permission model with prototype-based inheritance can lead to potential XSS on existing SWFs on the web that load untrusted content, such as ad banners and game SWF loaders.
Conceptually:
- Parent SWF on a.com loads arbitrary SWFs (ads, games) but does NOT call allowDomain.
- Child SWF on b.com is loaded into the SWF on a.com. By design, the SWF on b.com calls allowDomain to allow a.com to script it.
- Parent SWF on a.com calls a function in child SWF on b.com and passes in an object - any object. This could be in order to initialize the child with data, but still in such a way that it does not trust it.
- Now that the child SWF on b.com has an object from a.com, it can access properties on it such as prototype, __proto__, constructor, and by doing so, potentially override class methods/properties all the way up to Object - in the a.com domain.
As a result, the SWF on a.com - which has not allowed any other domains to script it - has been completely owned by the SWF on b.com.
For this to happen in the real world, the following must be present:
- A parent SWF loads arbitrary content from other domains - trusted or untrusted
- The parent must not give permission to script itself via allowDomain
- The parent must call a function exposed in the child SWF and pass in an object
This scenario is plausible and casual exploration of ads on the web have yielded some examples that could potentially be vulnerable under the right conditions. More investigation is needed.
|
||
Updated•11 years ago
|
Alias: flashbang
|
||
Comment 1•11 years ago
|
||
Thanks for the report. This is Adobe 3716363. We're treating it as a responsibly-disclosed issue and will begin investigating shortly. If you have questions or concerns, please feel free to reach out to me directly.
|
||
Updated•11 years ago
|
Keywords: sec-vector
|
||
Comment 2•11 years ago
|
||
This is really interesting. Till reached out to me to discuss the security implications this might have for Shumway.
For claritiy's sake, I want to say this is an unexpected cross-domain capability leak when sending objects into an included (but untrusted) SWF :)
Since it's both a problem with common use cases as well as the implementation, I guess this should be solved with wrappers, mh ;)
|
|
||
Comment 3•11 years ago
|
||
Till, ping me before you get too deep into any Shumway-side planning on this.
|
|
Reporter | |
Comment 4•11 years ago
|
||
FWIW, upon further investigation, I haven't really found any live examples on the web that precisely meet the criteria described in comment 0. Doesn't mean they don't exist; I just haven't found them.
Additionally, it is quite common to see the parent SWFs call allowDomain("*"), which presents an even greater issue than the one presented here.
Still, obviously this informs our decisions on what to implement in Shumway.
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Comment 5•9 years ago
|
||
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 11.x → unspecified
|
|
||
Updated•3 years ago
|
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
|
|
||
Comment 6•2 years ago
|
||
flash no longer supported
Group: core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•