Adobe Systems has released Adobe Flash Player version 14.0.0.145 for Mac and Windows. Adobe pushed a fix in the Flash Player update that removes a security vulnerability (CVE-2014-4671), which could be used to abuse JSONP endpoints by making a victim perform arbitrary requests to vulnerable domains and expose sensitive data.
Security researcher Michele Spagnuolo disclosed the vulnerability by first notifying affected companies before releasing the code and publishing further details about it. On his blog, Michele explained that abusing JSONP endpoints could be done by using Rosetta Flash, “a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data.”
For those interested in learning more about Rosetta Flash, Michele published a set of comprehensive slides (PDF). In the slides, he outlines the Rosetta Flash attack scenario.
1. The attacker controls the first bytes of the output of a JSONP API endpoint by specifying the callback parameter in the request.
2. SWF files can be embedded using an <object> tag and will be executed as Flash as long as the content looks like a valid Flash file.
<object type="application/x-shockwave-flash" data="https://accounts.google.com/RatePassword?callback=CWSxx…"></object>
3. Flash can perform GET and POST requests to the hosting domain with the victim’s cookies and exfiltrate data.
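As an added example (not code from the article, from Adobe, or from Spagnuolo), here is a JSONP response builder that removes the first-bytes control described in step 1: it restricts the callback to an identifier charset and prefixes the body with `/**/`, so the response can never begin with a Flash signature (`FWS`, `CWS`, `ZWS`) whatever callback name is supplied; the function names and the sample callback are my own.

```javascript
// Added example: hardened JSONP response builder (not the article's code).
// Rosetta Flash relies on step 1 above: the attacker picks the callback
// name, so the first bytes of the response become "CWS..." and the body
// parses as a Flash file. Two defenses are applied here:
//   1. the callback must match a strict identifier pattern, and
//   2. the body is prefixed with "/**/", so it can never start with a
//      SWF signature regardless of the callback name.
// Note that charset filtering alone is not enough: a Rosetta Flash SWF is
// purely alphanumeric, so it passes an identifier check. The prefix is
// what actually breaks the attack.

const FLASH_SIGNATURES = ["FWS", "CWS", "ZWS"]; // uncompressed, zlib, LZMA
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

// Would the Flash plugin treat this body as an SWF? (checks the 3-byte magic)
function looksLikeSwf(body) {
  return FLASH_SIGNATURES.includes(body.slice(0, 3));
}

// Build a JSONP response; throws on a callback that fails the allowlist.
function buildJsonpResponse(callback, payload) {
  if (typeof callback !== "string" || callback.length > MAX_CALLBACK_LENGTH ||
      !SAFE_CALLBACK.test(callback)) {
    throw new Error("rejected callback name");
  }
  // The leading comment is ignored by JavaScript but breaks the SWF magic.
  const body = `/**/${callback}(${JSON.stringify(payload)});`;
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      // Tell browsers not to sniff the body as something other than script.
      "X-Content-Type-Options": "nosniff",
    },
    body,
  };
}

// Constructed demo: an alphanumeric callback shaped like a SWF header.
const evil = "CWSxxAlphanumericSwfBytes";
const naive = `${evil}({"ok":true});`; // what an unprotected endpoint emits
console.log(looksLikeSwf(naive));                                       // true
console.log(looksLikeSwf(buildJsonpResponse(evil, { ok: true }).body)); // false
```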
The security researcher is scheduled to present the vulnerability at Hack In The Box: Malaysia in October, and the Rosetta Flash technology will be featured in the next PoC||GTFO release.
According to Adobe’s security bulletin (APSB14-17), Adobe Flash Player 14.0.0.145 addresses the following critical vulnerabilities:
Users of Adobe Flash Player 14.0.0.125 and earlier versions for Mac and Windows should update to Adobe Flash Player 14.0.0.145 as soon as possible. Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394. Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Mac and Linux. Users of Adobe AIR 14.0.0.110 and earlier versions should update to Adobe AIR 14.0.0.137.