Comments on: Backdooring Flash Objects (the receipt)

By: Sploiter Splog | GNUCITIZEN

Sploiter Splog | GNUCITIZEN — Sun, 01 Jul 2007 08:28:35 +0000

[...] the techniques such as persistent channels, backdoors in QuickTime, backdoors in Flash, backdoors in PDF, backdoors in RealMedia and backdoors in RSS feeds in conjunction with splogs one [...]

By: GNUCITIZEN » Backdooring Images

GNUCITIZEN » Backdooring Images — Fri, 16 Feb 2007 21:56:35 +0000

[...] OK, weï¿½ve covered how to backdoor Flash, QuickTime, QuickTime Link, PDF and simple HTML files, but we havenï¿½t discussed how to backdoor images yet. In this post I am going to outline some of the techniques available for maliciously infecting Image (Picture) files with JavaScript code. I must worn you that what you are about to read is not intended to describe new issues but rather to clarify and provide scenarios where the discussed attack vectors can be implemented. [...]

By: GNUCITIZEN » DANGER, DANGER, DANGER

GNUCITIZEN » DANGER, DANGER, DANGER — Wed, 03 Jan 2007 09:04:45 +0000

[...] The WEB has gone crazy. I know that this is not news for some of you but you will be surprised to what extend this craziness has just developed. It seams that the entire WEB is falling apart and someone has to do something otherwise we risk to lose too much. Among the traditional QuickTime Movie, QTL, Flash, Image, HTML and PDF backdoors, there is another one trivially achievable with high degree of impact. [...]

By: Frank Walsh

Frank Walsh — Mon, 04 Dec 2006 00:06:37 +0000

above you say allowscriptaccess=”never” kills your POC but javascript isn’t nessecary , you can do with with purse ActionScript…isn’t there also a tag allowNetworking=”internal” would cover this… just wondering if I’m missing something in your response..not trying to be a dick.

By: pdp

pdp — Fri, 29 Sep 2006 06:53:40 +0000

Have you actually spend time going through AttackAPI?

Or, Is it fine with you if attackers are able to break into a couple of websites from your own browser, or maybe compromise your home router?

If yes, than I agree, primitive javascript access shouldn’t harm you at all.

:) cheers

By: chown

chown — Fri, 29 Sep 2006 04:34:23 +0000

Primitive javascript access - within the confines of the browsers security restrictions, can hardly be classified as “system resources”. If it were, then you could say you have access to the “system resources” of me, and anyone else who visits this site.
By your logic, the following is a VBScript backdoor in a batch file

@echo off
echo msgbox "foo" > bar.vbs
start bar.vbs

By: pdp

pdp — Thu, 28 Sep 2006 02:00:42 +0000

shizkani,
the short answer is “NO”, unless you use something like the IE VML vulnerability.

chown,

A type of Remote Control Software that enables a third party to covertly control system resources.wetstonetech

What do you think a backdoor is?

By: chown

chown — Wed, 27 Sep 2006 04:19:03 +0000

How can you call it backdooring? You’re simply embedding javascript in flash.
Please explain your definition of ‘backdoor’

By: shizkani

shizkani — Tue, 26 Sep 2006 23:52:00 +0000

can you make this exploit download and execute a RAT server to someine who views the corrupted .swf file ..??
if so can someone please explain to me how i would make it possible..
thanks..

By: pdp

pdp — Fri, 15 Sep 2006 15:51:11 +0000

I know. This article is just a POC on how easy it is to backdoor any given flash object.

By: Vladislav 'dgtlscrm' Mysla

Vladislav 'dgtlscrm' Mysla — Fri, 15 Sep 2006 13:59:44 +0000

Using javascript protocol is well known technique

By: pdp

pdp — Fri, 08 Sep 2006 07:25:54 +0000

Definitely,

I would like to see your malware. I won’t be able to attend these conferences but I will be vary happy to get some of your slides.

I am also working on some advance techniques that will go into AttackAPI and my blog quite soon.

By: Acidus

Acidus — Fri, 08 Sep 2006 02:50:42 +0000

pdp,

I love what you are doing so please keep up the good work. For far too long people have thought that JavaScript is a toy language and that XSS can only annoy and steal the occasional cookie. I applaud the work you have been doing.

Acidus,

ps: I’m going to be dropping some JavaScript malware 0day in a week of back to back conferences (Toorcon-Ajax World-Security Opus) that I thhink you will find interesting…

By: pdp

pdp — Wed, 06 Sep 2006 20:51:45 +0000

Well, then my POC won’t work. It is that simple. However, keep in mind that JavaScript access is not required. Flash objects can be backdoored with ActionScript quite successfully and the attacker is given the same level accessibility; sometimes even more.

By: dev>null

dev>null — Wed, 06 Sep 2006 17:15:29 +0000

um … what about allowScriptAccess=”never”?

By: pdp

pdp — Wed, 06 Sep 2006 07:02:12 +0000

There are no stupid questions.

I don’t think that there is simple way of protecting against media file malware. Of course the most obvious approach will be to disable or filter out embed an object tags. However, this will make MySpace pages highly inaccessible because people won’t be able to show their YouTube movies for example.

Yeh, I might think about favicon. Why not?

By: nrg

nrg — Wed, 06 Sep 2006 01:05:22 +0000

“First of all, wrapping your malicious code inside flash files will bypass all XSS filtering systems (…)”

Hadn’t thought about that.
It’s clear for me now, thanks for the fast explanation. Actually after thinking a bit about it was a really dumb question.

So how can websites like myspace protect them selfs from being hijacked by an ‘infected’ swf? (i’m not a user from my space but i think they allow the use of SWFs in users accounts).

Time to read how you managed to do it with quicktime.

PS: Stupid suggestion, can you get a favicon? I would like to have it on my bookmark.

By: pdp

pdp — Wed, 06 Sep 2006 00:42:16 +0000

hi there,

First of all, wrapping your malicious code inside flash files will bypass all XSS filtering systems, simply becouse they don’t understand how to read SWF files not to mention that even if they know how to do that, it would be highly inefficient approach.

The second thing is that attackers are able to infect popular video, audio and interactive material and spread it on the web. This approach can be quite easily defined as viral infection. The next time you visit youtube.com or video.google.com beware that what you see might not be what you get. Sneeky JavaScript code can scan your internal LAN, hack into your WIFI router and enable the admin interface on the Internet side so attackers have direct access to you, your personal details and your bank account numbers.

I don’t want to cover DDOS attacks because it is getting scary.

I hope it is clear now :)

By: nrg

nrg — Tue, 05 Sep 2006 23:10:55 +0000

Hello mate, i enjoyed vey much reading your recent posts, but there is something in these last 2 that i didn’t really understood. Whats so important about injecting javascript into a flash? can’t you do the same that you would with a simple html with javascript inside? I get the idea about infecting SWFs wich is preaty cool but i don’t see what’s so special about it. Am I missing something?

Anyway keep posting mate :)

-nrg