Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object

EDB-ID:

37851


Platform:

Multiple

Published:

2015-08-19

Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]

---
An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).

1. Put attached file BoundlessTunes.swf on the HTTP server.
2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window.
---

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37851.zip