From simple bug bounty to mass discovery of XSS vulnerabilities
During my testing in a public bug bounty program a while ago, I discovered an XSS vulnerability which turned out to be a 0-day that affects thousands of sites worldwide. The vulnerable software turned out to be flippdf by flipbuilder, a PDF to Flash/HTML5 converter for online magazines, brochures, ebooks etc. that are then published on websites. After some Google dorking out of pure curiosity, I downloaded a trial of the newest version to verify that the software was still affected and decided to decompile it. The vulnerable piece of code (obfuscated identifiers shown as the decompiler emitted them) turned out to be:

    public function &n():String {
        var url:* = null;
        var link:* = null;
        try {
            // obfuscated method name as emitted by the decompiler; looks up the "currentHTMLURL" parameter
            url = this.,!1("currentHTMLURL", null);
            // no parameter given: evaluate JavaScript in the hosting page to fetch its URL
            link = (url != null) ? url : ExternalInterface.call("eval", "window.location.href");
            return (link);
        }
        catch(e:Error) {
        }
        return ("");
    }
For anyone familiar with XSS in Flash files, you'll notice that the vulnerability occurs because of the ExternalInterface.call function, just like the flashmediaelement.swf XSS vulnerability (CVE-2016-4566) (https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c) which made every domain running WordPress vulnerable (and many others as well). ExternalInterface.call("eval", ...) runs the given string as JavaScript inside the page that embeds the SWF, and the value it hands back here, the page URL, is controlled by whoever crafts the link.
A vulnerable domain would be XSS'ed as soon as you click the link and scroll to the next page, as demonstrated in the URL below (use Firefox or another browser that is still compatible with Flash).
I contacted the flipbuilder customer service on March 30 and asked them to forward my information to their developers. Unfortunately, it turned out that the next patch didn't fix the flaw, so I contacted them again in my support ticket. The updates released since then still haven't patched the vulnerability, which means all the domains are still vulnerable today...
I decided to send them an email again later on, but after receiving no response I realised I couldn't do much more about this. I contacted mitre.org to have my CVE ID reserved as CVE-2017-7384 and decided to take a deeper look at the Google search results.
Identifying vulnerable flipbook files through Google dorking
inurl:bookContent.swf (14.800 results, all flippdf)
inurl:book.swf (79.100 results, not all of them are flippdf)
inurl:mobile/index.html flip (106.000 results, not all of them are flippdf)
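As an added example that is not part of the original post or of flipbuilder's software: a defender-side inventory script that walks a web root you administer, flags SWFs named like the dorked files above, and inflates each SWF to look for the strings from the decompiled function (currentHTMLURL, window.location.href, ExternalInterface). The marker list, the SWF builder and the sample files are constructed for this example; a hit means "review this file", not a confirmed vulnerability.

```python
import struct, tempfile, zlib
from pathlib import Path
from typing import Dict, List, Optional

# File names the post's Google dorks match (an inventory hint, not proof of flippdf).
SUSPECT_NAMES = {"bookContent.swf", "book.swf"}
# Strings that appear in the decompiled function quoted in the post.
MARKERS = [b"currentHTMLURL", b"window.location.href", b"ExternalInterface"]

def swf_body(data: bytes) -> Optional[bytes]:
    """SWF tag body: raw for 'FWS', inflated for zlib 'CWS'; None otherwise (LZMA 'ZWS' not handled)."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return None
    return None

def markers_in_swf(data: bytes) -> List[str]:
    """Which MARKERS occur in the (decompressed) SWF body; [] if it could not be read."""
    body = swf_body(data)
    return [] if body is None else [m.decode() for m in MARKERS if m in body]

def scan_webroot(root: str) -> List[Dict]:
    """Walk a web root you administer and list SWFs worth a manual review."""
    findings = []
    for path in sorted(Path(root).rglob("*.swf")):
        found = markers_in_swf(path.read_bytes())
        if path.name in SUSPECT_NAMES or found:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "suspect_name": path.name in SUSPECT_NAMES,
                             "markers": found})
    return findings

def make_cws_swf(payload: bytes) -> bytes:
    """Minimal zlib-compressed SWF around a constructed body (test data only)."""
    return b"CWS\x09" + struct.pack("<I", 8 + len(payload)) + zlib.compress(payload)

def demo() -> List[Dict]:
    """Constructed tree: a dork-named SWF, a clean banner, and a plain name that carries markers."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "files").mkdir()
        (Path(root) / "files" / "bookContent.swf").write_bytes(
            make_cws_swf(b"...currentHTMLURL...window.location.href..."))
        (Path(root) / "banner.swf").write_bytes(b"FWS\x09" + struct.pack("<I", 13) + b"clean")
        (Path(root) / "viewer.swf").write_bytes(make_cws_swf(b"uses ExternalInterface"))
        return scan_webroot(root)
```

Run demo() to see the two files that would be queued for review; banner.swf is skipped because it neither matches a dorked name nor contains a marker.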
As a result of my Google dorking, I could conclude that the vulnerable domains include government sites, universities, banks, Brazilian and Argentinian military sites, major companies like HP and Netgear and plenty of others, which I reported through Open Bug Bounty. I picked the interesting results from my Google dorking and reported the flaws; the reports can be seen in my submission list at https://www.openbugbounty.org/researchers/Thirup/.
I only received a response from the teams responsible for in.gov, uni.edu, netgear.com, pittsburghpa.gov and fitnyc.edu. All of them appreciated my report and decided to remove the software from their domain. I've done all I could to report this vulnerability as responsibly as possible, but when the developers don't fix the vulnerability and only 5 out of 140 people seem to respond to reports of security issues in their domains, it's hard to do more than I've already done for now.