onsdag den 31. maj 2017

CVE-2017-7384: Reflected XSS in flippdf leaves thousands of websites vulnerable (0day)

From simple bug bounty to mass discovery of XSS vulnerabilities

During my testing in a public bug bounty program awhile ago, I discovered an xss vulnerability, which turned out to be an 0day that affects thousands of sites worldwide. The vulnerable software turned out to be flippdf by flipbuilder, which is a pdf to flash/html5 converter for online magazines/brochures/ebooks etc to be published on websites. After I did some google dorking out of pure curiousity and downloaded a trial of the newest version to verify that the software was still affected, I decided to decompile the software. The vulnerable piece of code turned out to be:

public function &n():String{
var url:* = null;
var link:* = null;
try {
url = this.,!1("currentHTMLURL", null);
link = ((url)!=null) ? url : ExternalInterface.call("eval", "window.location.href");
return (link);
} catch(e:Error) {
return ("");

For anyone, who's familiar with XSS in flash files, you'll notice that the vulnerability occurs due to the ExternalInterface.call function, just like the flashmediaelement.swf xss vulnerability (CVE-2016-4566) (https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c) which caused every domain running wordpress to be vulnerable (and many others aswell).

A vulnerable domain would be xss'ed as soon as you click the link and scroll to the next page, as demonstrated in the url below (use firefox or another browser that is still compatible with flash)

I contacted the flipbuilder customer service on March 30 and asked them to forward my information to their developers. Unfortunately though, it turned out that the next patch didn't fix the flaw, which made me contact them again in my support ticket. Afterwards, the recent updates still haven't patched the vulnerability, which means all the domains are still vulnerable today...

I decided to send then an email again later on, but after receiving no response, I realized I couldn't do much about this anymore. I contacted mitre.org to get my CVE ID reserved as CVE-2017-7384 and decided to take a deeper look into the google search results

Identifying vulnerable flipbook files through google dorking

inurl:bookContent.swf (14.800 results, all flippdf)
inurl:book.swf (79.100 results, not all of them are flippdf)
inurl:mobile/index.html flip (106.000 results, not all of them are flippdf)

As a result of my google dorking, I could conclude that the vulnerable domains include: Government sites, universities, banks, Brazilian and Argentinian military sites, major companies like HP and netgear and plenty of other stuff, which I reported through open bug bounty. I picked the interesting results from my google dorking and reported the flaws, which can be seen in my submission list at https://www.openbugbounty.org/researchers/Thirup/.

I only received a response from the teams responsible for in.gov, uni.edu, netgear.com, pittsburghpa.gov and fitnyc.edu. All of these appreciated my reporting and decided to remove the software from their domain. I've done all I could to report this vulnerability as responsibly as possible, but when the developers don't fix the vulnerability and only 5 out 140 people seem to respond to reporting of security issues in their domains, it's hard to do more than I've already done for now

Hacking the military for fun and non-profit


The US Department Vulnerability report program is an initiative that was launched in November 2016. The program was designed for hackers to responsibly report vulnerabilities on the defense.gov domain or any .mil domain through the bug bounty platform hackerone. During this writeup I will summarize the vulnerabilities I was able to identify and report responsibly. The vulnerabilities mentioned are listed in order based on their severity

open redirection vulnerabilities on econnect.dcma.mil and login.us.army.mil

During my testing, I discovered two websites in scope, that were vulnerable to open redirections. An open redirect is usually considered a minor vulnerability, yet still listed in owasps’ top 10 vulnerability list. It allows you to redirect your victim to a site through a url-parameter. This can be abused to redirect a user to a phishing site, where they might enter their login credidentials or a malware site to infect them. I sent the following urls as Proof of concept of the vulnerabilities, which were fixed rather quickly

8 Cross Site Scripting (XSS) vulnerabilities

Cross Site Scripting is one of the most common web-based vulnerabilities, and I was able to identify multiple of these on multiple domains belonging to the army aswell as the navy the National Geospatial-Intelligence Agency, The Defense Manpower Data Center and the environmental laboratory. The vulnerability allows an attacker to inject javascript code into a vulnerable parameter, which can be abused for plenty of things, including cookie hijacking or even infecting your victim’s computer with a driveby-exploit.

Vulnerable domains:
www.dmdc.osd.mil abi.army.mil www7320.nrlssc.navy.mil (2 vulns) www.nwd-wc.usace.army.mil (2 vulns) moh.cecer.army.mil msi.nga.mil

Gallery of vulnerable websites: http://imgur.com/a/EXdMK

lms.noradnorthcom.mil password reset vulnerability


This vulnerability was quite unique. All it took was some simple logic to figure out a huge configuration flaw that could allow me to reset the password for any user at the United States Northern Command. As most people are familiar with, a typical password reset function would be like this:

  • A user enters his email associated with his account
  • An email is sent, which provides a unique link for password reset for the associated account
  • The user enters his new password

The issue with this domain was that the “unique link” wasn’t used, while the forms for step 3 were easily found, which allowed me to to skip phase 1 and 2 mentioned above by simply changing the flag value in the url from 0 to 1. Doing this would send me to the forms attached at screenshot 2, where I would be able to change any password for an associated user without any additional information being required

SQL injections at egeoint.nrlssc.navy.mil and moh.cecer.army.mil

As the last part of this writeup I also have two SQL injections at subdomains belonging to the navy and the army. SQL injection is an old critical vulnerability, where an attacker can inject arbitrary SQL code into a parameter, which can compromise the database(s). It’s an old kind of vulnerability that most people learn how to defend themselves against, but unfortunately there are still plenty of incidents where major organisations get compromised this way.

As you can see in the response code, the vulnerability in moh.cecer.army.mil was caused by a vulnerable login form, where the username-field was vulnerable


It’s a great step for both parts that the US DoD allows people in the hacking community to identify weaknesses in their systems for responsible disclosure. Lots of ethical hackers have previously reported weaknesses in DoD systems, but right now they/we can spare a lot of time trying to reach through to the right individuals, now that the people who are running the program at hackerone will take care of that part for you. The only negative thing is the fact that it takes a lot of times for their teams to resolve your reports even after the bugs have been fixed, which is rather a symptome of lots of reports coming in and a limited amount of ressources. Reporting these vulnerabilities put me at an 11th place out of 270 participants the scoreboard at https://hackerone.com/deptofdefense/thanks

The fact that I was able to identify a password reset vulnerability and two SQL injections, while other people have identified other critical vulnerabilities, proves that encouraging ethical hackers to identify and report weaknesses in critical systems is definitely necessary. While the US DoD program doesn’t award people with bounties, it’s a great opportunity for anyone to test their skills and get recognition for their efforts, especially due to its huge scope

CVE-2017-7384: Reflected XSS in flippdf leaves thousands of websites vulnerable (0day)

From simple bug bounty to mass discovery of XSS vulnerabilities During my testing in a public bug bounty program awhile ago, I discover...