Xavier's Security Post
Sunday, May 14, 2006
  Security through Compression...?
While messing around with Flash/ActionScript generating products, I ended up at CoffeeCup's Password Wizard product page. Several things came to mind; first: the product claims it can password "protect" unlimited pages, second: it contains absolutely NO warnings about its lax security, and third: it seems to have been downloaded by a large number of people.

The idea of using a third-party language and/or object/application to do password protection client side instead of server side is very dangerous. In this case, for your password 'protection' to work at all, a user's browser downloads the .swf file as an object and executes it in the browser's Flash plug-in. Once the object is executed, you see a login window.

The problem lies in the fact that the authentication handling is done inside that .swf file/object. All an attacker has to do is download the Flash file and he/she has the opportunity to see what's inside. It is understandable that the common user doesn't have concepts of security in mind, and sees such products as useful tools for their personal web sites. That is where things turn ugly.

Imagine a situation where an attacker is aiming to break into a server; he spends his time mapping out the target, scanning for common vulnerabilities, and somehow in the mix discovers a lone password.swf in a user's directory. He downloads the file and uses GNU strings to simply gather the logins within.

According to some sites you can secure your Flash password-protecting file by simply compressing it! I found several other sites claiming the same thing, but let's just note that compressing the file only stops one way of seeing the logins: compression is not encryption, and the file is inflated back to its original form as soon as anything reads it. The other way is simply to decompile the Flash file. Read my previous posts to get an idea of what kind of damage that can do.

Back to the hypothetical story, though. By now the attacker has either found the logins he was looking for with his favorite text editor or GNU strings, or he has gone and decompiled the file. With the logins in hand, he can extend his penetration by trying those usernames and passwords to his advantage, which works out for him if the same logins happen to be used on the server as well.

With some free time I looked through Google for password "protected" sites. I was faced with a surprising number of hosts serving these insecure files. Here are a few I found to be interesting:
http://oal.ohio.gov/Board.swf
http://www.wwfpak.org/images/password.swf
http://www.infoaserca.gob.mx/mexbest/password.swf
http://www.iamb.it/en/password.swf
Governments, Non-profit organizations, Financial firms, Educational institutions, and countless other groups of sites are vulnerable.

Who is to blame: the company that sells a product with no warnings about its own insecurities, or the user herself for relying on third-party applications?
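The two ways of reading logins out of a .swf described above can be turned into a check for your own site. The following script is an added example, not code from the post or from CoffeeCup's product: it builds a constructed sample file (the credential strings in it are made up), wraps it as both an uncompressed FWS and a zlib-compressed CWS file, and shows that a strings-style scan misses the login in the compressed copy while the same scan run after inflating finds it either way. The header layout it relies on (3-byte signature, version byte, 4-byte little-endian uncompressed length, zlib body for CWS) is the SWF format's; the credential keyword list is a heuristic of my own.

```python
import re
import struct
import zlib

# Constructed stand-in for a "password.swf"-style body. It is not a real SWF
# from any site named in the post; it only has to carry a login pair so the
# check has something to find.
SAMPLE_BODY = b"\x00" * 16 + b"user=admin\x00pass=s3cret-pw\x00" + b"\x01\x02" * 8


def build_swf(body: bytes, compressed: bool, version: int = 8) -> bytes:
    """Wrap `body` in an 8-byte SWF header.

    Signature 'FWS' means the body follows uncompressed; 'CWS' means the
    body is zlib-compressed. The 4-byte little-endian length field always
    holds the uncompressed file length, header included."""
    length = 8 + len(body)
    header = (b"CWS" if compressed else b"FWS") + bytes([version]) + struct.pack("<I", length)
    return header + (zlib.compress(body) if compressed else body)


def inflate_swf(data: bytes) -> bytes:
    """Return the FWS twin of the file: same header fields, body uncompressed."""
    signature = data[:3]
    if signature == b"FWS":
        return data
    if signature == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError("not a SWF file: bad signature %r" % signature)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, the same thing GNU strings would report."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Words that usually sit next to an embedded credential. Heuristic, not exhaustive.
CREDENTIAL_HINT = re.compile(r"user|login|pass|pwd", re.IGNORECASE)


def audit_swf(data: bytes) -> list:
    """Strings in the inflated file that look like credentials.

    Running this over a CWS file gives the same result as over its FWS
    twin, which is the whole point: compression hides nothing."""
    return [s for s in printable_strings(inflate_swf(data)) if CREDENTIAL_HINT.search(s)]


if __name__ == "__main__":
    plain = build_swf(SAMPLE_BODY, compressed=False)
    packed = build_swf(SAMPLE_BODY, compressed=True)
    print("strings on compressed file:", printable_strings(packed))
    print("audit of compressed file:  ", audit_swf(packed))
    print("audit of plain file:       ", audit_swf(plain))
```

Run `audit_swf` over the SWFs in your own web root; anything it returns is a credential that any visitor can read, compressed or not. The fix is the one the post gives: do the check on the server, where the file that holds the secret is never sent to the browser.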
 
Wednesday, May 10, 2006
  Google/Sony promotional game source code
By request, I went ahead and uploaded the source code.

The archive file is in .RAR format, so if you have WinRAR or some utility to extract the files within, then great.

Also, it should be noted that I put all the main ActionScript code into individual text files, but if you have Macromedia Flash 8 and want access to all the images and other misc. source code, then open up "main-src.fla". It contains everything from the fonts to the sounds and back.

Enjoy.

P.S: if the link doesn't work, just let me know.
 
Sunday, May 07, 2006
  Google, Interactive Marketing, and SWF Decompiler
For weeks Google and Sony have been running a promotion for the film The Da Vinci Code. It's even linked right on the front page of Google.com, and if you have a Google/Gmail account (and are logged into it) you can easily participate in the promotion by completing several logic games. And, after enduring repetitive content and subliminal messages referring to The Da Vinci Code, you may win some prizes. It is called "Interactive Marketing".

In doing some research, it seems the developers of the logic games themselves are not Google folks, but instead Flash designers at BIG SPACESHIP. Sony uses the Google.com link and name brand to promote their film, and that's that. All parties are happy, as anyone in a business deal would be.

Curious, and aware that the promotional games were developed in Flash, I went ahead and used a recent favorite toy, Sothink SWF Decompiler. With it I was able to decompile the Flash file involved and found a few things of interest.

In Sprite 248 (or __Packages.com.sony.davinci.puzzles.hang.HangPuzzle, which seems to be the code for the game where you hang paintings on the wall), lines 218 to 222:
if (_loc5)
{
    big.utils.Out.info(this, "A WINNER IS YOU");
    this.onPuzzleCompleted();
}
The quoted bit, "A WINNER IS YOU", is a reference to a Nintendo game called Pro Wrestling. It's used by old-time Nintendo gamers, and posers.

In Sprite 255 (or __Packages.com.sony.davinci.puzzles.sudoku.Sudoku, which seems to be the main code for the Sudoku logic game), in function setStartPostion(), lines 1250 to 1254:
var _loc3 = $who;
if (_selectedPiece == _pieces[_loc3] && Math.abs(_startPoint.x - _selectedPiece._x) < 4.000000E-001 * _pieceLength[_plIndex])
{
    big.utils.Out.info(this, "user is idiot clicking. Tell user to stop it.");
}
Apparently there is a human function called 'idiot clicking'.

In Sprite 255 again, in function checkAnswer(), lines 796 to 806:
function checkAnswer()
{
    if (_gamePositionObj.toString() == _solutionObj.toString())
    {
        this.onYouWin();
    }
    else
    {
        this.onYouSuck();
    } // end else if
} // End of the function
If you search for the onYouSuck() function, you'll find on lines 459 to 463:
function onYouSuck()
{
    _board.loseAlert._visible = true;
    _board.winAlert._visible = false;
} // End of the function
Again, the same reference from Sprite 248 was used in function onYouWin() from lines 464 to 469:
function onYouWin()
{
    big.utils.Out.info(this, "a winner is you!");
    delete _target.onEnterFrame;
    super.onPuzzleCompleted();
} // End of the function
Finally, in function returnSymbol() on lines 710 to 711:
big.utils.Out.warning(this, "RETURN SYMBOL GOT FUX0RED // $mc._name.substr(0,2) = " + $mc._name.substr(0, 2));
break;
I got a kick out of this one because the developers involved did not censor themselves in saying the user idiot clicks, and sucks, yet the word "Fuck", or in this case "Fucked", is censored.

In Sprite 258 (or __Packages.com.sony.davinci.puzzles.jigsaw.Jigsaw: which seems to be the main code for the Jigsaw game) on line 397 you see all the answers listed in a variable called _LEVELDATA. Apparently these are the answers to all the Jigsaw questions:
Level 1: rows: 4, cols: 4, symbols: 0, City Answer: "newyork", "newyorkcity"

Level 2: rows: 4, cols: 4, symbols: 1, City Answer: "rome", "roma"

Level 3: rows: 4, cols: 4, symbols: 4, City Answer: "london", Trivia Answer: "imperialcollegelondon", "imperial", "imperialcollegeofsciencetechnologyandmedicine", "imperialcollege"

Level 4: rows: 4, cols: 4, symbols: 9, City Answer: "paris", Trivia Answer: "square", "squares", "squarenumbers", "squarenumber", "thesquarenumbers", "thesquares"


In Sprite 259 (or __Packages.com.sony.davinci.puzzles.hang.blobs.BlobsPuzzle, which seems to be the code for the Blobs game, where there are globs of crap on the paintings and you need to clean them up), starting with function onPuzzleFailed() on lines 255 to 261:
function onPuzzleFailed()
{
    var _loc2 = "Sorry, there are no more valid pairs.\nClick OK to reset the puzzle.";
    clearInterval(_interval);
    big.utils.Out.debug(this, "you #%%*ed up");
    com.sony.davinci.puzzles.Main.showDialog(_loc2, 0, {str: "OK", obj: this, func: resetPuzzle});
} // End of the function
Here we see another censored comment. In function onPuzzleSolved() on lines 262 to 267:
function onPuzzleSolved()
{
    clearInterval(_interval);
    big.utils.Out.debug(this, "you are teh winnar");
    this.onPuzzleCompleted();
} // End of the function
Explanation of above.

UPDATE:

In Sprite 257 (or __Packages.com.sony.davinci.puzzles.hang.observation.Observation: which seems to be the code for the Observation game) inside function resetPuzzle() you see a _LEVELDATA variable set with questions and answers and they go as follows:
Level 1
Questions:
a) In the video, we see Robert Langdon dusting off a classical symbol, one associated with a character we only see a brief glimpse of in the video. What is the name of that oft-gilded symbol?

b) Symbols, and symmetry, can be seen in the most unlikely of places. One such example is the position of the body at the crime scene, which resembles a drawing also depicted on the obverse of the Italian one-euro coin. What is the name of that famous Leonardo Da Vinci drawing?

c) One of the most iconic symbols of the movie is the cryptex, a small cylinder of stacked marble disks, embossed with letters and sealed with brass caps at either end. The twenty-six letters allow for almost twelve million possible password combinations--11,881,376, to be exact. Armed with that knowledge, can you tell us how many dials it has?

Answers:
a) fleurdelis or fleurdelys
b) vitruvianman or thevitruvianman or canonofproportions or proportionsofman or uomovitruviano or luomovitruviano
c) 5 or five

Level 2
Questions:
a) A seemingly-important stone object is extracted from the ground by Silas. What is its shape?

b) An interesting viewpoint is the vantage point from which we last see Silas. What is the last thing we see him touch?

c) During the action in the video, we see many things shattered and destroyed, but what is it that will ultimately be broken?

Answers:
a) octagon or octagonal
b) holywater or font or "baptismalfont
c) silence or thesilence

Level 3
Questions:
a) Speaking of fascinating characters, there's only one letter in the entire video that is clearly written in lower-case. What is that letter?

b) In just one word, the noble Sir Leigh describes the pursuit that both he and you are on. What is that word?

c) And to bring this back to the topic of movie spectacles, how many times is Sir Leigh shown wearing his? His spectacles, that is.

Answers:
a) f
b) quest
c) 7 or seven

Level 4
Questions:
a) Cryptography is all about noticing numbers and patterns. Here's a simple one to start with: how many glass panes are visible on each of the doors to Sir Teabing's mansion?

b) Although it refers to words not spoken, we hear it spoken three times. What is that word?

c) This final question will really test your powers of observation. What is the name of the character shown holding a votive candle holder?

Answers:
a) 9 or nine
b) secret or secrets
c) silas


That is it for now, as it seems nothing more of interest lies in the comments. Let me just note: though this post doesn't discuss any specific vulnerabilities, it was fun regardless to sift through this marketing project and see what kind of stuff Google is willing to plaster on their site.

It also should be noted that you can easily use the decompiled code to create a "crack" for all the logic games: all the answers and puzzles can be solved before you even have to put a thought into it.
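The post's point, that a client holding the answers can be made to give them up, has one real fix: keep the answers on the server and have the client ask for a verdict. The snippet below is an added example and not Big Spaceship's, Sony's or Google's code. It uses the Jigsaw answers listed above as its data; the normalization rule (lower-case, alphanumerics only) is an assumption inferred from stored forms such as "newyorkcity" and "luomovitruviano", since the post does not show the game's own comparison code, and handle_submission is a hypothetical endpoint shape, not something the promotion exposed.

```python
import re

# Accepted answers for the Jigsaw levels, copied from the _LEVELDATA values
# the post lists. On a real deployment this table lives only on the server;
# the client gets a puzzle id and a yes/no, never the list.
ACCEPTED_ANSWERS = {
    (1, "city"): {"newyork", "newyorkcity"},
    (2, "city"): {"rome", "roma"},
    (3, "city"): {"london"},
    (3, "trivia"): {"imperialcollegelondon", "imperial",
                    "imperialcollegeofsciencetechnologyandmedicine", "imperialcollege"},
    (4, "city"): {"paris"},
    (4, "trivia"): {"square", "squares", "squarenumbers", "squarenumber",
                    "thesquarenumbers", "thesquares"},
}


def normalize_answer(text: str) -> str:
    """Lower-case and drop everything but a-z and 0-9.

    Assumption: this is the rule behind stored forms such as "newyorkcity"
    and "luomovitruviano" in the decompiled data; the post does not show the
    game's own normalization code."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_answer(level: int, kind: str, submitted: str) -> bool:
    """Server-side verdict for one submission. Unknown level/kind is simply wrong."""
    accepted = ACCEPTED_ANSWERS.get((level, kind))
    return accepted is not None and normalize_answer(submitted) in accepted


def handle_submission(request: dict) -> dict:
    """Hypothetical endpoint: takes a level, a question kind and free text,
    and returns only whether the guess was right. Malformed input is
    rejected rather than guessed at."""
    try:
        level = int(request["level"])
        kind = str(request["kind"])
        answer = str(request["answer"])
    except (KeyError, TypeError, ValueError):
        return {"ok": False, "error": "malformed request"}
    return {"ok": True, "correct": check_answer(level, kind, answer)}


if __name__ == "__main__":
    print(handle_submission({"level": 1, "kind": "city", "answer": "New York City"}))
    print(handle_submission({"level": 3, "kind": "trivia",
                             "answer": "Imperial College of Science, Technology and Medicine"}))
    print(handle_submission({"level": 1, "kind": "city", "answer": "Boston"}))
```

With this split, decompiling the .swf still reveals the puzzle graphics and the comments, but no longer the answer key; the only thing left to learn from the client is the shape of the request it sends.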
 
This public blog will be a place for me to output any security findings, both technological and physical, that I have come across. I will post security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

RECENT RELEASES
Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln
