Wednesday, 31 May 2017

CVE-2017-7384: Reflected XSS in flippdf leaves thousands of websites vulnerable (0day)



From simple bug bounty to mass discovery of XSS vulnerabilities

During my testing in a public bug bounty program a while ago, I discovered an XSS vulnerability, which turned out to be a 0day that affects thousands of sites worldwide. The vulnerable software turned out to be flippdf by flipbuilder, which is a PDF to Flash/HTML5 converter for online magazines/brochures/ebooks etc. to be published on websites. After I did some Google dorking out of pure curiosity and downloaded a trial of the newest version to verify that the software was still affected, I decided to decompile the software. The vulnerable piece of code turned out to be:

// Decompiled ActionScript; identifiers such as &n and ,!1 are obfuscated names as emitted by the decompiler
public function &n():String{
    var url:* = null;
    var link:* = null;
    try {
        // Read the externally supplied "currentHTMLURL" parameter; no validation is applied to it
        url = this.,!1("currentHTMLURL", null);
        // If the parameter is absent, fall back to the embedding page's URL via the JavaScript bridge
        link = ((url)!=null) ? url : ExternalInterface.call("eval", "window.location.href");
        return (link);
    } catch(e:Error) {
    };
    return ("");
}

For anyone who's familiar with XSS in Flash files, you'll notice that the vulnerability occurs due to the ExternalInterface.call function, just like the flashmediaelement.swf XSS vulnerability (CVE-2016-4566) (https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c) which caused every domain running WordPress to be vulnerable (and many others as well).

A vulnerable domain would be XSSed as soon as you click the link and scroll to the next page, as demonstrated in the URL below (use Firefox or another browser that is still compatible with Flash).


I contacted the flipbuilder customer service on March 30 and asked them to forward my information to their developers. Unfortunately though, it turned out that the next patch didn't fix the flaw, which made me contact them again in my support ticket. Afterwards, the recent updates still haven't patched the vulnerability, which means all the domains are still vulnerable today...



I decided to send them an email again later on, but after receiving no response, I realized I couldn't do much about this anymore. I contacted mitre.org to get my CVE ID reserved as CVE-2017-7384 and decided to take a deeper look into the Google search results.

Identifying vulnerable flipbook files through Google dorking

inurl:bookContent.swf (14.800 results, all flippdf)
inurl:book.swf (79.100 results, not all of them are flippdf)
inurl:mobile/index.html flip (106.000 results, not all of them are flippdf)
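The dorks above find exposed flipbooks across the internet; a site owner wants the inverse, an inventory of their own web root. The following is an added example written for this post, not code from the article or from flipbuilder: it walks a directory tree, picks out the file names the dorks key on, decompresses each SWF header (FWS plain, CWS zlib; ZWS/LZMA is reported as uninspectable rather than guessed at) and flags files whose bytes contain both "currentHTMLURL" and "ExternalInterface", the strings visible in the decompiled function. Treating those two strings as a marker for the affected build is an assumption of this example, not a vendor signature, and the sample tree it builds is constructed data, not real flippdf output.

```python
import os
import tempfile
import zlib
from pathlib import Path

# File names the post's Google dorks key on. bookContent.swf is described
# there as flippdf-specific; book.swf is not, so it is only a name match.
SUSPECT_NAMES = {"bookContent.swf", "book.swf"}

# Assumed markers: the decompiled function reads "currentHTMLURL" and calls
# ExternalInterface, and AS3 keeps such strings in the SWF constant pool.
MARKERS = (b"currentHTMLURL", b"ExternalInterface")


def swf_body(data: bytes):
    """Return the tag body of an SWF, decompressed if needed, or None.

    Header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length, then the body (zlib-compressed for CWS).
    """
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return None
    return None  # ZWS (LZMA) or not an SWF at all


def classify(path: Path) -> str:
    """'flagged' (markers found), 'uninspectable' (ZWS), 'name-match' or 'clean'."""
    data = path.read_bytes()
    if data[:3] == b"ZWS":
        return "uninspectable"
    body = swf_body(data)
    if body is not None and all(m in body for m in MARKERS):
        return "flagged"
    return "name-match" if path.name in SUSPECT_NAMES else "clean"


def scan(root) -> dict:
    """Walk a web root and group every .swf file by classification."""
    root = Path(root)
    results = {"flagged": [], "name-match": [], "uninspectable": [], "clean": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".swf":
                continue
            results[classify(p)].append(p.relative_to(root).as_posix())
    return results


def build_sample(root: Path) -> None:
    """Write a constructed sample tree (hypothetical paths, not real flippdf output)."""
    def swf(sig: bytes, body: bytes) -> bytes:
        payload = zlib.compress(body) if sig == b"CWS" else body
        return sig + bytes([10]) + (8 + len(body)).to_bytes(4, "little") + payload

    (root / "magazine").mkdir()
    (root / "other").mkdir()
    # Compressed SWF carrying both marker strings: the case that should be flagged
    (root / "magazine" / "bookContent.swf").write_bytes(
        swf(b"CWS", b"\x00" * 16 + b"currentHTMLURL\x00ExternalInterface\x00"))
    # Plain SWF with a dork-matching name but no markers: name match only
    (root / "magazine" / "book.swf").write_bytes(swf(b"FWS", b"\x00" * 32))
    # LZMA-signed SWF: reported as uninspectable instead of being decompressed
    (root / "other" / "banner.swf").write_bytes(swf(b"ZWS", b"\x00" * 8))
    (root / "other" / "index.html").write_text("<html></html>")


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        return scan(d)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Run it against a real document root as `scan("/var/www")`; anything in "flagged" or "name-match" is worth checking against the vendor's version and, as the responding site teams did, removing if it is the affected viewer.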

As a result of my Google dorking, I could conclude that the vulnerable domains include: government sites, universities, banks, Brazilian and Argentinian military sites, major companies like HP and Netgear and plenty of other stuff, which I reported through Open Bug Bounty. I picked the interesting results from my Google dorking and reported the flaws, which can be seen in my submission list at https://www.openbugbounty.org/researchers/Thirup/.

I only received a response from the teams responsible for in.gov, uni.edu, netgear.com, pittsburghpa.gov and fitnyc.edu. All of these appreciated my reporting and decided to remove the software from their domain. I've done all I could to report this vulnerability as responsibly as possible, but when the developers don't fix the vulnerability and only 5 out of 140 people seem to respond to reporting of security issues in their domains, it's hard to do more than I've already done for now.


