Re: Design flaw in AS3 socket handling allows port probing

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Design flaw in AS3 socket handling allows port probing
From: fukami <fukami@xxxxxxxxxxxxxx>
Date: Thu, 20 Dec 2007 23:53:01 +0100
Cc: webappsec@xxxxxxxxxxxxxxx, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, websecurity@xxxxxxxxxxxxx
In-reply-to: <CA49DA1D-C661-443A-B176-4CD3C7E3D4F8@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <CA49DA1D-C661-443A-B176-4CD3C7E3D4F8@xxxxxxxxxxxxxx>

Adobe released an article at their knowledge base regarding this issue.

# Socket connection timing can reveal information about networkconfiguration

  http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402956

The fix is to disable socket functionality for Flash Players version>= 9.0.115 by configuration.



Take care,
  fukami


On 09.08.2007, at 20:21, fukami wrote:

Design flaw in AS3 socket handling allows port probing

# Summary
Due to a design flaw in ActionScript 3 socket handling, compiledFlash movies are able to scan for open TCP ports on any hostreachable from the host running the SWF, bypassing the Flash PlayerSecurity Sandbox Model and without the need to rebind DNS.
[...]
# PoC
   * http://scan.flashsec.org/
[...]
# CVE
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4324

References:
- Design flaw in AS3 socket handling allows port probing
  - From: fukami

Prev by Date: [SECURITY] [DSA 1436-1] New Linux 2.6.18 packages fix several vulnerabilities
Next by Date: CFP CISIS '08
Previous by thread: Design flaw in AS3 socket handling allows port probing
Next by thread: VNSECON07 Materials released
Index(es):
- Date
- Thread