Comments on: Backdooring Flash Objects (the receipt)

By: Persistent Bi-directional Communication Channels | GNUCITIZEN

Persistent Bi-directional Communication Channels | GNUCITIZEN — Mon, 09 May 2011 09:22:53 +0000

[...] via Cross-site Request Forgery and social engineering but also by altering media content such as Flash, Music and Video formats. More over this can be now done from the browser if data URLs are [...]

By: karcoos

karcoos — Tue, 22 Feb 2011 08:48:27 +0000

nice blog, I love the “swftools” you recommended.

By: Operation n » Malware Security Testing

Operation n » Malware Security Testing — Thu, 08 Jan 2009 23:02:49 +0000

[...] pdp (arcitect) have recently found or reported serious malware potential in Quicktime, MP3, PDF, Flash and RSS to name a [...]

By: Google Search API Worms | GNUCITIZEN

Google Search API Worms | GNUCITIZEN — Thu, 01 Jan 2009 19:51:11 +0000

[...] AJAX Search API can use some sort of semi persistent method with dynamically generated MOV, MP3 or SWF objects through the method I discussed [...]

By: Sploiter Splog | GNUCITIZEN

Sploiter Splog | GNUCITIZEN — Sun, 01 Jul 2007 08:28:35 +0000

[...] the techniques such as persistent channels, backdoors in QuickTime, backdoors in Flash, backdoors in PDF, backdoors in RealMedia and backdoors in RSS feeds in conjunction with splogs one [...]

By: GNUCITIZEN Â» Backdooring Images

GNUCITIZEN Â» Backdooring Images — Fri, 16 Feb 2007 22:56:35 +0000

[...] OK, we’ve covered how to backdoor Flash, QuickTime, QuickTime Link, PDF and simple HTML files, but we haven’t discussed how to backdoor images yet. In this post I am going to outline some of the techniques available for maliciously infecting Image (Picture) files with JavaScript code. I must worn you that what you are about to read is not intended to describe new issues but rather to clarify and provide scenarios where the discussed attack vectors can be implemented. [...]

By: GNUCITIZEN » DANGER, DANGER, DANGER

GNUCITIZEN » DANGER, DANGER, DANGER — Wed, 03 Jan 2007 09:04:45 +0000

[...] The WEB has gone crazy. I know that this is not news for some of you but you will be surprised to what extend this craziness has just developed. It seams that the entire WEB is falling apart and someone has to do something otherwise we risk to lose too much. Among the traditional QuickTime Movie, QTL, Flash, Image, HTML and PDF backdoors, there is another one trivially achievable with high degree of impact. [...]

By: Frank Walsh

Frank Walsh — Mon, 04 Dec 2006 00:06:37 +0000

above you say allowscriptaccess=”never” kills your POC but javascript isn’t nessecary , you can do with with purse ActionScript…isn’t there also a tag allowNetworking=”internal” would cover this… just wondering if I’m missing something in your response..not trying to be a dick.

By: chown

chown — Fri, 29 Sep 2006 04:34:23 +0000

Primitive javascript access - within the confines of the browsers security restrictions, can hardly be classified as "system resources". If it were, then you could say you have access to the "system resources" of me, and anyone else who visits this site. By your logic, the following is a VBScript backdoor in a batch file

@echo off
echo msgbox "foo" > bar.vbs
start bar.vbs

By: pdp

pdp — Thu, 28 Sep 2006 02:00:42 +0000

shizkani, the short answer is "NO", unless you use something like the IE VML vulnerability. chown,

A type of Remote Control Software that enables a third party to covertly control system resources.wetstonetech

What do you think a backdoor is?

By: chown

chown — Wed, 27 Sep 2006 04:19:03 +0000

How can you call it backdooring? You’re simply embedding javascript in flash. Please explain your definition of ‘backdoor’

By: shizkani

shizkani — Tue, 26 Sep 2006 23:52:00 +0000

can you make this exploit download and execute a RAT server to someine who views the corrupted .swf file ..??
if so can someone please explain to me how i would make it possible..
thanks..

By: pdp

pdp — Fri, 15 Sep 2006 15:51:11 +0000

I know. This article is just a POC on how easy it is to backdoor any given flash object.

By: Vladislav 'dgtlscrm' Mysla

Vladislav 'dgtlscrm' Mysla — Fri, 15 Sep 2006 13:59:44 +0000

Using javascript protocol is well known technique

By: pdp

pdp — Fri, 08 Sep 2006 07:25:54 +0000

Definitely,

I would like to see your malware. I won’t be able to attend these conferences but I will be vary happy to get some of your slides.

I am also working on some advance techniques that will go into AttackAPI and my blog quite soon.

By: Acidus

Acidus — Fri, 08 Sep 2006 02:50:42 +0000

pdp,

I love what you are doing so please keep up the good work. For far too long people have thought that JavaScript is a toy language and that XSS can only annoy and steal the occasional cookie. I applaud the work you have been doing.

Acidus,

ps: I’m going to be dropping some JavaScript malware 0day in a week of back to back conferences (Toorcon-Ajax World-Security Opus) that I thhink you will find interesting…

By: pdp

pdp — Wed, 06 Sep 2006 20:51:45 +0000

Well, then my POC won’t work. It is that simple. However, keep in mind that JavaScript access is not required. Flash objects can be backdoored with ActionScript quite successfully and the attacker is given the same level accessibility; sometimes even more.

By: dev>null

dev>null — Wed, 06 Sep 2006 17:15:29 +0000

um … what about allowScriptAccess=”never”?

By: pdp

pdp — Wed, 06 Sep 2006 07:02:12 +0000

There are no stupid questions.

I don’t think that there is simple way of protecting against media file malware. Of course the most obvious approach will be to disable or filter out embed an object tags. However, this will make MySpace pages highly unattractive because people won’t be able to show their YouTube movies for example.

Yeh, I might think about favicon. Why not?

By: nrg

nrg — Wed, 06 Sep 2006 01:05:22 +0000

“First of all, wrapping your malicious code inside flash files will bypass all XSS filtering systems (…)”

Hadn’t thought about that. It’s clear for me now, thanks for the fast explanation. Actually after thinking a bit about it was a really dumb question.

So how can websites like myspace protect them selfs from being hijacked by an ‘infected’ swf? (i’m not a user from my space but i think they allow the use of SWFs in users accounts). Time to read how you managed to do it with quicktime.

PS: Stupid suggestion, can you get a favicon? I would like to have it on my bookmark.