Flash and Shockwave Plugin Vulnerabilities
First a little bit about Flash & Shockwave: For those who already have the plugins installed, you may never need to know or think about the differences. However, there are some significant differences. You can see How Stuff Works or Adobe for a couple of short explanations of the differences, or you can accept my even shorter one: Both formats allow for rich media and interactive content, but Flash creates smaller files, is an open format, and has wider deployment, whereas Shockwave is a compiled, proprietary format and allows much more complexity in what it can do.
Also, it's important to note that if you are a user of a platform like FreeBSD, which does not have flash support, you might try to say that it's automatically evil; right Fotios? :P (I'm not saying it isn't used for evil by some sites, I'm just saying that I've won like thousands of dollars in free iPods, PSPs, PS3s, gift certificates, and big screen TVs by throwing tomatoes at Kevin Federline, punching out Paris Hilton and/or Osama Bin Laden, swimming faster than sharks, or shooting alien ships, so it can't be all bad, right? ;))
In 2005 Adobe acquired Macromedia. So while you may still be thinking in your head "Macromedia Flash" or "Macromedia Shockwave" (I know I was), I'm just going to refer to all these as Adobe vulnerabilities so I don't have to try to be correct for whatever it was called whenever the vulnerability was released. In some cases this may lead to me saying Adobe did something which Macromedia did, so just bear with me.
CVE-2006-5330: This is a quite interesting vulnerability. I recommend reading the original Bugtraq post for all the gory details from the discoverer, as it is a quite thorough description. The gist of it is that the vulnerability can facilitate a Cross-site Request Forgery (CSRF) attack (something I will make an article about later), which means a malicious website can cause your browser to make requests to other websites that you would not have made otherwise. The common use for this type of attack is to force you to make a request while you are possibly still authenticated to some website like a bank, so that you have unknowingly requested a URL which does a money transfer (the commonly given example).
CVE-2006-4640: This one is a bypass of the allowScriptAccess parameter in Flash. Essentially, this means that prior to this fix, a malicious .swf file could break out of its own security domain and access other ones.
CVE-2006-3588: A simple crash, but it crashes your entire browser.
CVE-2006-3587: A remote code execution vulnerability, but the original advisory doesn't really give any details.
CVE-2006-3311: Another remote code execution advisory, but this one's advisory at least gives a few details.
CVE-2006-0585: Crash. The CVE says the problem is caused via a "Shockwave Flash object." What's that? :). The actual problem seems to be with ActionScript. ActionScript "calls VBScript, which in turn calls the Javascript document.write function, which triggers a null dereference." This one is currently unpatched.
CVE-2006-0024: Here's one where either Adobe was ahead of the game in finding a bunch of vulnerabilities, or someone informed them and didn't want credit. So "multiple unspecified vulnerabilities" can lead to code execution via a .swf file. This also included vulnerabilities in Shockwave.
CVE-2005-3591: Crash and/or potential code execution. The vulnerability for this is in ActionScript, specifically the function ActionDefineFunction(), whose input is not properly sanitized.
CVE-2005-3525: This is actually sort of a mixed bag, but I will list it to try to be complete. It's caused directly by a buffer overflow in an ActiveX component which comes with the Shockwave player installer. So in this case it's the act of installing the plugin which leads to the vulnerability, but it's still a plugin problem.
CVE-2005-2628: The original advisory for CVE-2005-3591 stated that this one was an ActionScript vuln too, just in a different function. I will take their word for it as the eEye advisory mentions vulnerable functions, but does not mention ActionScript specifically. As with CVE-2005-3591, this is a remote code execution vulnerability.
Please note that there are more vulnerabilities for Flash and Shockwave. However, most of the ones I have left out are so-called "semantic attacks," which means they're more about tricking a human into interpreting something incorrectly (think phishing), and are therefore outside of the scope of what honeyclients can protect against. Others I have left out simply because they're not within the 2005/2006 timeframe.
The takeaway point is, unless you are one of the few who browses without these plugins, or with them disabled, you are probably executing these active content files silently all the time. In many cases the transition from the classic animated GIF banners to Flash banners is non-obvious, and thus Flash files in particular are more prevalent than you may even know. In other cases, some websites have moved to pure Flash/Shockwave interfaces. As with other plugins, it is yet another vector for someone to exploit your client.
Now that you've seen a few of the vulnerabilities which are directly related to ActionScript, it might interest you to know that Adobe has recently donated a new open source implementation of the ActionScript VM to the Mozilla Foundation. It will be interesting to see if this leads to more ActionScript vulnerabilities being found now that Firefox is becoming an attractive target.
For more about how the HoneyClient project is attempting to deal with active content, including Flash, which doesn't allow the simple extraction of links for spidering like HTML does, see here.
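Two of the points above, the allowScriptAccess parameter that CVE-2006-4640 bypassed and the fact that a honeyclient cannot tell what a page silently loads just by looking for .swf links, can be checked with a small inventory script. The following is an added example, not code from the original post or the HoneyClient project; it assumes a constructed HTML page and a constructed SWF header, and treats a missing allowScriptAccess as sameDomain (Adobe's documented default for recent players).

```python
import re
import struct

# Constructed sample page (not from the original post): two Flash embeds, one of
# which grants the movie full script access to the hosting page.
SAMPLE_HTML = """
<object width="468" height="60">
  <param name="movie" value="/ads/banner.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="/ads/banner.swf" allowScriptAccess="always" type="application/x-shockwave-flash">
</object>
<embed src="http://cdn.example.invalid/widget.swf" type="application/x-shockwave-flash">
"""
# Constructed 21-byte uncompressed SWF: 'FWS', version 6, little-endian length.
SAMPLE_SWF = b"FWS\x06" + struct.pack("<I", 21) + b"\x00" * 13

ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')

def _attrs(tag):
    """Lower-cased attribute dict for one HTML start tag."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag)}

def find_flash_embeds(html):
    """Return [(swf_url, allowScriptAccess)] for every <embed>/<object> that loads Flash.
    Absent attribute is reported as 'sameDomain' (assumed player default)."""
    found = []
    def add(item):
        if item not in found:          # <object> and its fallback <embed> often repeat
            found.append(item)
    for tag in re.findall(r"<embed\b[^>]*>", html, re.I):
        a = _attrs(tag)
        if a.get("src", "").lower().endswith(".swf") or "shockwave-flash" in a.get("type", ""):
            add((a.get("src", ""), a.get("allowscriptaccess", "sameDomain")))
    for body in re.findall(r"<object\b[^>]*>(.*?)</object>", html, re.I | re.S):
        params = {}
        for tag in re.findall(r"<param\b[^>]*>", body, re.I):
            a = _attrs(tag)
            params[a.get("name", "").lower()] = a.get("value", "")
        if params.get("movie", "").lower().endswith(".swf"):
            add((params["movie"], params.get("allowscriptaccess", "sameDomain")))
    return found

def swf_header(data):
    """Identify a fetched body as SWF by magic, not extension: (compressed, version, length).
    'FWS' is uncompressed, 'CWS' is zlib-compressed after the 8-byte header. None if not SWF."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return None
    return data[:3] == b"CWS", data[3], struct.unpack("<I", data[4:8])[0]

if __name__ == "__main__":
    for src, access in find_flash_embeds(SAMPLE_HTML):
        note = "  <- movie may script the hosting page" if access.lower() == "always" else ""
        print(f"{src}: allowScriptAccess={access}{note}")
    print("header:", swf_header(SAMPLE_SWF))
```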
