Thursday, October 29, 2009

Exploiting Rich Internet Applications (RIA)

The fast adoption of internet technologies such as Web 2.0 and their integration with advanced web applications has raised unexpected security challenges. In this article we review some of these issues as they relate to the Adobe Flash product. Flash supports a wide range of multimedia features, including rich web application development, video streaming, games and much more. Flash can be deployed within the browser or as a standalone system application to run SWF (Flash) files. The SWF file consists of 64 tag types, each of which contains its own type, length and value. These can be reviewed in the following picture.
Many of the features are exposed through the tag type and the tag data. One such tag carries ActionScript, which provides extensible functionality for rich applications. ActionScript is mainly based on ECMAScript and, when compiled, is converted into ActionRecord sub-tags. These sub-tags are stored in the DoAction tag data, and a single stream of ActionRecords is terminated by an ActionEnd record. Based on published statistics and product popularity, it is easy to compile information about how many Flash deployments are openly reachable throughout the internet under various operating systems and mobile devices (Target Scanning).

-Flash is available for all major operating systems.
-It is installed with default settings.
-ActionScript v2 is supported.

Several security issues have been discovered in ActionScript v2 (AS2) in the past, and they can cause serious damage to any computer running Flash and connected to the internet. These vulnerabilities can easily be exploited because of improper implementation of Flash-based web applications, and they pose a major risk to all internet users. We therefore introduce two assessment methodologies for testing the security of Flash applications.

Manual Testing

To understand the testing procedures and dissect a simple Flash file in depth, we used Adobe Flash CS3. This tool provides various facilities for auditing a Flash movie. The ActionScript Editor is the one we can use to test several conditions, for example by editing the source with the first frame set to getURL("");. Alternatively, one can use the SweetScape 010 Editor to perform similar testing at the byte level.

Automated Testing

Fault Injection for Reverse Engineers (FIRE) Framework
-Gathering Input
Obtain the target Flash movie on which mutation will be performed.

-Survey Input
The survey logic skips textual data regions in the file (XML, HTML, ASCII) and marks binary data, such as compiled ActionScript, for the fault injection tests.

-Process Instrumentation
FIRE invokes the browser COM object on start-up and monitors it continuously through the debugger. By watching the execution of "CreateWindow" and other error conditions, it is easy to measure the faults.

-Mutate Input
Fault injection is performed on a batch of file(s), which are mutated with 8-bit, 16-bit and 32-bit integer overflow values. Once the fault has been injected, the final event is sent to the target application to trigger the tested SWF file.

-Process Monitoring
Whenever an instrumented code point is executed, a breakpoint is hit and FIRE generates the relevant event and delivers it to the target listener. Some of these events are ModuleLoad Event, FaultDelivered Event, ApplicationFailure Event and ApplicationCriticalFailure Event.

-Bug Analysis
If the FIRE debugger encounters an ApplicationFailure Event or an ApplicationCriticalFailure Event, it records the case by collecting the input stream, thread context and stack trace information, which helps us further investigate the possible bug inside the target input file.
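The SWF tag walk described at the start of the article (RECORDHEADER type/length/value, DoAction data made of ActionRecords terminated by ActionEnd) and the Survey Input and Mutate Input steps above, as an added Python example that is not part of the original post and not code from the FIRE framework. It builds a constructed minimal SWF containing a DoAction tag with a single getURL action, parses the tag headers and ActionRecords, marks the integer fields inside binary ActionScript tags as fault-injection targets (the survey step), and emits one mutant per 8/16/32-bit boundary value for each target (the mutate step). Delivering the mutants to a player under a debugger, as FIRE does in its process instrumentation and monitoring steps, is not included. The function names, the sample URL and the boundary-value table are my own choices; the field layouts follow the published SWF specification.

```python
import struct
import zlib  # CWS files carry a zlib-compressed body after the 8-byte header

# SWF tag codes and ActionScript v2 action codes used below (from the SWF spec)
DO_ACTION, DO_INIT_ACTION, SHOW_FRAME, END_TAG = 12, 59, 1, 0
ACTION_GET_URL, ACTION_END = 0x83, 0x00


def _tag(code, body):
    """Encode a RECORDHEADER: 10-bit code + 6-bit length, long form when length >= 63."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_sample_swf(url=b"http://example.invalid/"):
    """Constructed minimal uncompressed SWF: one frame whose DoAction runs getURL(url)."""
    # ActionGetURL payload: UrlString and TargetString, both null-terminated
    get_url = bytes([ACTION_GET_URL]) + struct.pack("<H", len(url) + 2) + url + b"\x00\x00"
    tags = (_tag(DO_ACTION, get_url + bytes([ACTION_END]))
            + _tag(SHOW_FRAME, b"") + _tag(END_TAG, b""))
    rect = b"\x00"                           # RECT with Nbits=0: five zero bits padded to a byte
    body = rect + struct.pack("<HH", 12 << 8, 1) + tags   # frame rate 12.0 (8.8 fixed), 1 frame
    return b"FWS" + bytes([6]) + struct.pack("<I", 8 + len(body)) + body


def parse_swf(data):
    """Return (version, uncompressed_bytes, tags); each tag has code, body offset, body bytes."""
    if data[:3] == b"CWS":
        data = b"FWS" + data[3:8] + zlib.decompress(data[8:])   # inflate, keep offsets consistent
    elif data[:3] != b"FWS":
        raise ValueError("not an SWF file")
    version = data[3]
    nbits = data[8] >> 3                     # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4   # skip RECT (byte aligned), frame rate, frame count
    tags = []
    while pos + 2 <= len(data):
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                   # long form: 32-bit length follows the header
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        tags.append({"code": code, "offset": pos, "body": data[pos:pos + length]})
        pos += length
        if code == END_TAG:
            break
    return version, data, tags


def parse_action_records(body, base_offset=0):
    """Walk ActionRecords: UI8 code; codes >= 0x80 carry a UI16 length plus data."""
    records, pos = [], 0
    while pos < len(body):
        code = body[pos]
        if code < 0x80:
            records.append({"code": code, "len_offset": None, "data": b""})
            pos += 1
        else:
            (length,) = struct.unpack_from("<H", body, pos + 1)
            records.append({"code": code, "len_offset": base_offset + pos + 1,
                            "data": body[pos + 3:pos + 3 + length]})
            pos += 3 + length
        if code == ACTION_END:
            break
    return records


def survey(data):
    """Survey step: (name, file offset, width) of integer fields in binary ActionScript tags."""
    _, raw, tags = parse_swf(data)
    targets = [("file_length", 4, 4)]        # the header's UI32 FileLength is a target too
    for tag in tags:
        if tag["code"] in (DO_ACTION, DO_INIT_ACTION):    # keep bytecode, skip text-like tags
            for rec in parse_action_records(tag["body"], tag["offset"]):
                if rec["len_offset"] is not None:
                    targets.append((f"action_{rec['code']:#04x}_len", rec["len_offset"], 2))
    return raw, targets


# Boundary values for 8/16/32-bit integer overflow tests, keyed by field width in bytes
BOUNDARY = {1: (0x00, 0x7F, 0x80, 0xFF),
            2: (0x0000, 0x7FFF, 0x8000, 0xFFFF),
            4: (0x00000000, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)}
FMT = {1: "<B", 2: "<H", 4: "<I"}


def mutate(raw, targets):
    """Mutate step: yield one (label, mutant) per boundary value per surveyed field."""
    for name, offset, width in targets:
        for value in BOUNDARY[width]:
            buf = bytearray(raw)
            struct.pack_into(FMT[width], buf, offset, value)
            yield f"{name}@{offset}={value:#x}", bytes(buf)


def generate_corpus(data):
    """Survey then mutate; returns the mutant list a harness would feed to the player."""
    raw, targets = survey(data)
    return list(mutate(raw, targets))


if __name__ == "__main__":
    corpus = generate_corpus(build_sample_swf())
    for label, _ in corpus:
        print(label)
    print(f"{len(corpus)} mutants")
```

Each mutant keeps the file size and every other byte intact, so a crash in the consuming player can be attributed to the one field named in the label; that label, together with the mutant bytes, is the "input stream" the bug-analysis step above would record alongside the thread context and stack trace.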