BugTraq
Exploiting XXE vulnerabilities in AMF libraries Jan 11 2016 01:08PM
Nicolas Grégoire (nicolas gregoire agarri fr)
Hello,

AMF (aka "Action Message Format") is a binary format used by Flash
applications communicating with server-side components. A few data types
supported by AMF deal with XML content (for example the "XML Document"
type in AMF0).

In 2015, several AMF libraries (including BlazeDS and PyAMF) were
identified as vulnerable to XXE (aka "XML External Entity") and SSRF
(aka "Server Side Forgery") attacks. I wrote a blog-post detailing:
- server-side exploitation of the PyAMF vulnerability
- server-side exploitation of the BlazeDS vulnerability
- client-side exploitation of the BlazeDS vulnerability

The article also includes a basic AMF client (in Python) used to exploit
these vulnerabilities (or interact with AMF gateways at large).

Link:
http://www.agarri.fr/kom/archives/2015/12/17/amf_parsing_and_xxe/index.h
tml

Cheers,
Nicolas Grégoire

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAABAgAGBQJWk6k+AAoJEPNA97Htf0f8bugH/RZiPUMyf+uxHJlse2PmFfNT
8pECV8xdyhnC0oNHJ6UmOr1EzqK7aVwQzE56QJ+kQQ3kqbsZK5bU8eaHAGcP7lR7
BFhXYZ1BeANkyHcp6wSMJ+73oawAWqkZK/uocD02QT3ttJraDRcFD/73TCH+sWMx
Uf+u4r8ZGGWbGqcYvmuHHJTsFCbLyoHpHNbKTokKJESZcQ9wshkTUL+ig+9v1YrY
CwEyFO6WD4avkD9BwjM/n42OA8t0J68F2z6HWP8KEMs2FGvmlc+2nijm/96x9Z3s
edZqStaVL+KMyiBZkiCpBx36Z+hrDs3DOzLMIWbYWA6ULdvrIMMJlTzGUY0hbrw=
=lxEE
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus