Exploit Flash Boundless Tunes - Universal SOP Bypass Through ActionScript's Sound Object

Exploiter
Hacker
18 Dec 2022
EDB-ID
37851
EDB verification
Passed
Author
GOOGLE SECURITY RESEARCH
Vulnerability type
REMOTE
Platform
MULTIPLE
CVE
cve-2015-5116
Publication date
2015-08-19
Flash Boundless Tunes - Universal SOP Bypass Through ActionScript's Sound Object
Code:
Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]

---
An instance of ActionScript's Sound class allows for loading and extracting, for further processing, any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, previously loaded from the given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. A sample block consists of 8 bytes (the first 4 bytes for the left channel and the next 4 bytes for the right channel). Only 2 bytes from the 8 sound blocks (64 bytes) are crucial; the remaining 52 bytes are useless. Each input byte from the range 0-255 has a corresponding constant unsigned integer value (the result of encoding), so for decoding purposes you can simply use a lookup table (cf. the source code in BoundlessTunes.as).

1. Put attached file BoundlessTunes.swf on the HTTP server.
2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL>, where <URL> is a URL (e.g. one leading to a cross-origin resource). The received response will be displayed in an alert window.
---

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37851.zip
 
Source
www.exploit-db.com
