[WEB SECURITY] Bug in Internet Explorer security model when embedding Flash

Guy Aharonovsky guy at jajah.com
Mon Sep 15 05:04:18 EDT 2008

Taken from my blog:


Update: I've posted a real world example of this bug being exploited<http://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distributed-flash-movies-real-world-example/>.

This one has the same behavior on IE6, IE7 and IE8 betas.

I have only tested this with Flash swf files, but it's likely that this security is applied and broken the same way, when navigating to different types of files.

When loading Flash file (swf) directly inside the browser without an html page container, for ex: http://example.com/game.swf , most browsers create an html page automatically and embed the swf inside it. FireFox and Google Chrome, for that matter, automatically create an embed tag with some default values, and IE uses this mshtml script (res://mshtml.dll/objectembed_neutral.js<res://\\mshtml.dll/objectembed_neutral.js>) to load the object.

The fact that this automatically created embed tag doesn't mention the allowscriptaccess property it's defaulted to samedomain. This way the swf file can script the automatically generated html page it resides in, using ExternalInterface<http://blog.guya.net/2006/06/19/understanding-flash%E2%80%99s-externalinterface/>, leading to a major security flaw. I will post about a real world example of this security flaw, shortly.

Internet Explorer, rightfully, consider this generated page as less secure and as such restrict access to the JavaScript document object. It's preventing from the embedded swf to script the DOM of the page.

Just test it, go to any swf file<http://www.google.com/search?q=filetype%3Aswf> on the web using Internet explorer, then run this script in the address bar javascript:alert(document); you'll see the error "Access is denied". Touching the document is prohibited!

[cid:image001.png at 01C9172B.2E538D70]<http://blog.guya.net/wp-content/uploads/2008/09/error-access-denied.png>

But, all that is needed to compromise this security feature in IE is to reload the page. That's it, just reload the page once by pressing F5. Run the script again javascript:alert(document); you'll see the precious document and no error will be thrown.

Since most of the other javascript objects are still available and among these is the window native object. A swf file, for example, can reload the page on its own using window.location.reload() and then will be able to bypass the restriction and freely manipulate the page.

This script can run from inside the swf using ExternaInterface.call("eval", "script"); If the "try" clause fail it's probably an IE browser and the page will reload immediately without the user noticing. The 2nd time the page loads the "try" clause won't fail.

 1.  try{
 2.  $d = document;
 3.  //Mess with the DOM
 4.  }catch(ex){
 5.  window.location.reload();
 6.  }

I was impressed that Microsoft implemented such a security feature as opposed to FireFox, Chrome and others who don't have a similar restriction. but, it needs to be done right otherwise it misses the point.

As I said, I'll post a real world example of this being exploited, soon.

Call me free at: http://jajah.com/guy
Visit me at: http://guya.net<http://guya.net/> & http://jajahdevblog.com/guy

This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080915/923cd293/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6016 bytes
Desc: image001.png
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080915/923cd293/attachment.png>

More information about the websecurity mailing list