.comment-link {margin-left:.6em;}
Xavier's Security Post
Monday, June 05, 2006
  Your Space, My Flash, His Cookies
I've spent some time looking at Flash files, and the ActionScript code within, looking for vectors of attack. I've found that high profile sites the likes of MySpace, Xanga, and Google (the da vinco promotions) are quick to embed promotional Flash objects on their pages without proper assessment.

Imagine a situation where an advertiser creates a quick and almost seemingly innocent Flash animation, but inside in its Action frames there is something quite wrong. Now imagine the "wrong" I reference is actually the following:
getURL(clickTag, "_top");
The above code is executed when a user clicks on the banner, and clickTag (for example) is actually a variable with a value specified inside the site (usually something like: "http://adstracking.whatever.com/redir?url=http://ads.hatever.com/ads.aspx?ad=124"). It ends up opening up a vector of attack: Cross Site Scripting. It should be noted that in order for the XSS attack to occur, the victim must click on the image/ad once they've been redirected to the malicious URL.

The vulnerability above is not new, in fact the research was carried out by a firm called "Scan Security Wire" a few years ago. They discovered that advertisers were (and still are) using a simple click tracking mechanism. The code was widely distributed among advertiser sites and affiliates, the problem of course was that it was not properly evaluated. One has to wonder why even to this day, three years after the discovery and updated guide, high profile sites still fall prae to it.

Searching google for "clicktag" produces about thirty thousand pages. Some hits are caches of the vulnerability advisory, others are vulnerable sites, and the rest are advertisers showing clients how to create vulnerable clickTAG-style Flash files. Disinformation.

The following URLs are evidence that high profile advert networks and cooperations are spreading the vulnerability:

MSN, MSN #2 (.pdf), MSN #3, MSN #4, MSN #5, MSN #6, MSN #7, MSN #8, MSN #9, MSN #10, MSN #11
Yahoo (.pdf), Yahoo #2
Doubleclick, Doubleclick #2 (.pdf)

CNET (.doc)
Oxygen (.pdf)
OSTG / Slashdot (.pdf)

The high profile sites mentioned above are continuously propagating out-dated and vulnerable clickTAG code which will then spread through their advertisers. Those advertisers will turn around and upload their vulnerable .swf files to their web servers, or their marketing networks, and open up the XSS attack vector.

XSS (Cross Site Scripting) is not severe enough that you can execute remote commands on a server, but client-side it can be a mess. The Samy and GodOfTheNoose worms that spread to millions of users worldwide on MySpace (though malicious only in its infection and propagation) cost MySpace hours of work, a multitude of bandwidth costs (due to the spread) and presumably left a bad taste in the mouth of advertisers and cooperate owners of the site.

I've contacted MySpace recently concerning several XSS holes specific to the clickTAG vulnerability, same goes for Xanga. One has to assume a multitude of high profile sites are affected by this bug. Below are some Proof of Concepts of the attack mentioned in this post:
MySpace: #1, #2, #3, #4, #5, #6, #7, #8, #9
Yahoo: #1
Xanga: #1
It should be noted that Google, AOL, and Time (magazine), among others, seem to have directed their advertisers into the right direction by showing real-world examples of working examples that do not compromise their security. Example:
Comments: Post a Comment

<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /