Wednesday, 7 January 2015

yammer.com - Same Origin Method Execution

SOME ;-) time ago @BenHayak talked about Same-Origin Method Execution at BlackHat EU. At the time of writing this article there is no public whitepaper yet (only leaked slides), which is why I'd like to share one of the first posts showing this attack in action.

Yammer.com is part of the Microsoft Bug Bounty for Online Services. While researching the Flash files it uses, I found this one: video-js.swf (source).

Take a look at this piece of code:



As you probably know, ExternalInterface is an ActionScript class that allows, for example, a Flash object to communicate with the browser's JavaScript. Its first parameter is the name of the function we want to call. As you can see, it is the readyFunction parameter (from GET), but it is also sanitized with cleanEIString, which looks like this:


So the only characters we are able to use are alphanumerics, underscore and a dot, which is meant to prevent Cross-Site Scripting. For example, if we provide readyFunction=alert, our Flash file will execute the alert function, but we have no control over the arguments (because we can't use brackets), so it's useless for XSS purposes.

...and this is where we can start talking about Same-Origin Method Execution :-) Take evil.com, which has a hyperlink to the vulnerable video player. Clicking this link opens the Flash file in a new tab and then redirects evil.com to yammer.com (in the same tab). From now on the newly opened tab has access to the previous tab through window.opener (because both are now in the same origin, yammer.com), so it can also access the DOM and execute functions in the context of the opened yammer.com page.

The goal is to authorize a malicious application on the user's account without their knowledge. The attack scenario looks like this:

1. The user visits the evil PoC site.
2. He/she clicks a link which, in the end, redirects the user to the video player with the readyFunction parameter described below.
3. We redirect the PoC site to our yammer.com application; all we need to know is the client_id. Link example here:


4. We need to wait a few seconds to be 100% sure that the redirect from step 3 has happened (that's why I used proxy.php, which sleeps and then returns a 30x).
5. The Flash Video Player will execute this readyFunction:

window.opener.new_message_popup.nextElementSibling.lastElementChild.firstChild.nextElementSibling.click()

...which is simply the "Allow" button plus the click() function :->

As you can imagine, this clicks the button and authorizes the application on the victim's account, which is dangerous. :)
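The two points above (a character filter that still lets a dotted path through, and the dotted path itself being a walk into window.opener) can be modelled without Flash. The following JavaScript is an added example, not code from the post or from Yammer: cleanEIString is approximated from the post's description, the callback names onVideoReady/onVideoError are assumed, and the "opener" is a constructed object graph standing in for a real DOM. It shows that the quoted payload survives the character filter unchanged and resolves to a function, while a fixed-name allowlist rejects it.

```javascript
// Added example: character allowlist vs. fixed-name allowlist for a callback name
// supplied in a URL parameter. Not the post's code; cleanEIString is approximated
// from the post's description (letters, digits, underscore and dot are kept).
function cleanEIString(input) {
  return String(input).replace(/[^A-Za-z0-9_.]/g, '');
}

// True when the filter leaves the name untouched, i.e. it would reach
// ExternalInterface.call() exactly as supplied.
function passesCharFilter(name) {
  return cleanEIString(name) === String(name);
}

// Generic dotted-path lookup, the way a browser resolves "a.b.c" from a root object.
// Illustrates that a dot-separated "function name" is really a property walk.
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Hardened variant: only registered, dot-free names are accepted, so the name can
// never address another window or its DOM. The callback names are assumed here.
const ALLOWED_CALLBACKS = new Set(['onVideoReady', 'onVideoError']);

function resolveAllowedCallback(name, registry) {
  const str = String(name);
  const cleaned = cleanEIString(str);
  if (cleaned !== str || cleaned.includes('.') || !ALLOWED_CALLBACKS.has(cleaned)) {
    return null;
  }
  const fn = registry[cleaned];
  return typeof fn === 'function' ? fn : null;
}

// Constructed stand-in for the opener window: plain objects instead of a real DOM.
function makeFakeWindow() {
  return {
    opener: {
      new_message_popup: {
        nextElementSibling: {
          lastElementChild: {
            firstChild: {
              nextElementSibling: { click: () => 'clicked' },
            },
          },
        },
      },
    },
  };
}

// The readyFunction value quoted in the post.
const SOME_PAYLOAD =
  'window.opener.new_message_popup.nextElementSibling.lastElementChild.firstChild.nextElementSibling.click';

// Runs the comparison: filter verdict, whether the path resolves to a function,
// and the hardened allowlist's verdict.
function demo() {
  const root = { window: makeFakeWindow() };
  const filtered = passesCharFilter(SOME_PAYLOAD);          // true: filter is satisfied
  const reached = resolvePath(root, SOME_PAYLOAD);          // the click function
  const allowed = resolveAllowedCallback(SOME_PAYLOAD, {}); // null: rejected
  return { filtered, reachesFunction: typeof reached === 'function', allowed };
}
```

The filter does its job against `alert(1)` (the brackets are stripped), but it was never a check that the name denotes one of the player's own callbacks. The allowlist in resolveAllowedCallback is the check that actually closes the gap the post describes.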

Proof of Concept goes here: http://ropchain.org/poc/yammer-some.html

...and demo:


22 comments:

  1. Nice! Just saw the BlackHat talk. A minor correction: readyFunction=alert isn't completely useless. @garethheyes has some interesting payloads that work without parentheses; document.domain=name might pass, for example.
