
User Privilege Gain using Flash ActiveX Flaw ??!


Most of you would have noticed that my site was down for almost two weeks without any notice. When I checked with my service provider, he goes, "We have received complaints from our data center that your site is causing some serious security violation," and when I dug into this further he says that a Flash file was being used to compromise the system. Holy crap!! What the hell are you saying? I knew that there was an ActiveX flaw in Flash Player earlier which gives the ability to do a buffer overflow hack (whatever that means), but I have only read about such things in Wired magazine and have never even done anything close to that.

After hours (or should I say days) of investigation, I was told that the file in question was the example SWF which I posted for this entry in my blog. The file is a very simple example which uses the ContextMenu API to open a link in a new window; how could that possibly cause a security violation, and that too of this intense a nature?

This was the message which I got from my service provider:

------------------------------------------------------------------------------------------------------
From: xxxxxx
Sent: 09 November 2006 18:11
To: xxxxxxxxxxx
Subject: SNORT ALERT: 1 in Application:snort:ALERT
--------------------------------------------------------------------------------

EVENT #: 353
EVENT LOG: Application
EVENT TYPE: Information
SOURCE: snort
EVENT ID: 1
COMPUTERNAME: xxxxx
TIME: 11/9/2006 6:11:16 PM
MESSAGE: [1:7978:2] WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} xx.xx.xxx.xxx:xx -> xxx.xxx.x.xx:xxxx


Does anyone out there have any clue of what had gone wrong? This is the first time in my life I am hearing of anything like this. Believe me, I was almost feeling like I was in deep trouble for nothing. Finally I removed three SWFs from my site which I suspected to be the troublemakers and got my site back to life again. Will someone from Adobe care to look into this?


Questions & Comments

The Player itself is continuously protected against SWFs which might compromise security or privacy... it's hard to do evil stuff in the sandbox.

But dealing with a bureaucracy's processes and lack of detail is a hard task too. They *could* have told you upfront what they were doing, and later what it is about the common "getURL()" call that they find objectionable in this case.

Sorry, I've no leads either... it looks like the service provider needs to train their staff to speak in complete and comprehensible sentences, in order to find out what they're actually thinking.

Ha ha ha.

Don't you just love it when your web hosting company is run by a bunch of amateurs?

What's happening is that they have a program called SNORT (www.snort.org) monitoring their network that alerts them anytime it thinks it sees indications of malicious activity.

The problem is that the people at your ISP are not clueful enough to analyze the alert and make an intelligent estimate as to whether this is a real security violation or a "false positive". You can tell they did not do even the most rudimentary analysis by the fact that they believe this file is a danger to their network. If they had gone to http://www.snort.org/pub-bin/sigs.cgi?sid=7978 and taken the time to read the meaning of this alert, they would have realized that the possible security violation would occur not on their servers, but on the computer of the home user who tried to access the file through his web browser. It does not affect the security of the hosting company's servers at all.

I would suggest taking a look at the URL above so you can figure out how to modify your file so it does not trigger the alert. It is probably easier than trying to convince your service provider they're wrong.

HTH
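Mike's point that a WEB-CLIENT rule is about the visitor's browser rather than the hosting server can be checked mechanically from the alert line itself. The following is an added triage helper written for this page, not code from the post, the commenters or the Snort project; the alert layout is Snort's alert_fast format as quoted in the e-mail above, while the category sets and the sample addresses are assumptions/constructed.

```python
import re

# Snort "alert_fast" line layout, as quoted in the provider's e-mail above:
#   [gid:sid:rev] MSG [Classification: ...] [Priority: N]: {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Snort 2.x rule categories (first word of the message): client-side rules match
# content flowing server -> browser, server-side rules match browser -> server requests.
CLIENT_CATEGORIES = {"WEB-CLIENT", "WEB-ACTIVEX"}
SERVER_CATEGORIES = {"WEB-ATTACKS", "WEB-CGI", "WEB-IIS", "WEB-PHP", "WEB-MISC"}

def parse_alert(line):
    """Split one fast-alert line into its fields; None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        a[k] = int(a[k])
    a["category"] = a["msg"].split()[0]
    return a

def triage(line):
    """Say which end of the flow the rule warns about: the destination always received
    the matched bytes, so for a client-side category it is a visitor's browser (the
    source only served the page); only a server-side category puts the server at risk."""
    a = parse_alert(line)
    if a is None:
        return {"status": "unparsed"}
    cat = a["category"]
    scope = "client" if cat in CLIENT_CATEGORIES else "server" if cat in SERVER_CATEGORIES else "unknown"
    return {"status": "ok", "sid": a["sid"], "category": cat, "scope": scope,
            "at_risk_host": a["dst"], "served_by": a["src"] if scope == "client" else None,
            "server_affected": scope == "server"}

# Constructed sample lines with RFC 5737 documentation addresses (the e-mail's real ones
# are masked); the second line's sid is a made-up local-rule number, not a real signature.
SAMPLE_ALERTS = [
    "[1:7978:2] WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: "
    "{TCP} 203.0.113.10:80 -> 198.51.100.25:51234",
    "[1:1000001:1] WEB-ATTACKS constructed server-side request example "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 198.51.100.25:51234 -> 203.0.113.10:80",
]
```

Run `triage()` over each line in `SAMPLE_ALERTS`: the sid 7978 line reports the visitor's browser as the host at risk and the web server only as the origin of the content, which is exactly the distinction the provider missed.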

@JD: Agree with you here JD, ISPs need to train their people on at least the popular MIME types in the server.

@Mike - You rock, man! Do you by any chance run a web hosting company or what? ;) Thanks for the detailed information.
