Real world exploitation of a misconfigured crossdomain.xml – Bing.com

In my previous two posts, I explain the overly permissive crossdomain.xml vulnerability, show you how to create malicious SWF files from scratch, and show you how to use the malicious SWFs to exploit the vulnerability.

As we all know, sometimes the best way to wrap your head around a vulnerability is to see it being exploited.  Rather than continuing to talk about the vulnerability in theoretical terms, I can now start to share some specific examples.

Note: In the proof of concept, I show the attack from the perspective of the victim. Unlike a real exploitation, the “victim” is going through Burp to illustrate what is going on behind the scenes.

Step 3: The victims browser downloads and loads the SWF

As I mentioned in my previous post, this php file takes the entire data portion of the incoming HTTP message and writes it to a file in /tmp. You can get a lot fancier with this, such as creating a separate file per victim, or by parsing the file within php and only writing the relevant information to disk, but this was sufficient for the POC that I sent to Microsoft.

Here is the ActionScript source (BingExternal.as), that once compiled, becomes BingExternal.SWF:

If you look closely at the very first picture in the POC, you will notice that victim was viewing https://ssl.bing.com/profile/history. You should also notice that the exploit SWF requests the sensitive data from https://www.bing.com/profile/history. This is where I got lucky. 

I *think* the developers made the following assumption: 

• When a user is authenticated, we send them to ssl.bing.com, and that crossdomain.xml does not exist, so all is good. 
• When a user is unauthenticated, we send them to www.bing.com. Even though we have a very permissive crossdomain.xml, only unauthenticated users will use this part of the site, so no sensitive information can be stolen via Flash. 

So really, I was only able to really exploit the overly permissive crossdomain.xml file and gain access to the sensitive information because the application sent the sensitive history information to authenticated users, even when they requested the data from www.bing.com/profile/history.  If Bing told authenticated users to use ssl.bing.com/profile/history or get lost, I would not have had a very exciting demo.

Questions? Concerns?  Leave me a note in the comments!

Related Work: 

• Exploiting misconfigured crossdomain.xml files
• Exploiting insecure crossdomain policies to bypass anti-CSRF tokens
• Real world exploitation of a misconfigured crossdomain.xml – Bing.com
• AirVision Controller v2.1.3 – Overly Permissive default crossdomain.xml
• BSides DC 2014 – SWF Seeking Lazy Admin for Cross-Domain Action

Print Share Comment Cite Upload Translate

APA

() » Real world exploitation of a misconfigured crossdomain.xml – Bing.com. Retrieved from https://www.truth.cx/2014/07/18/real-world-exploitation-of-a-misconfigured-crossdomain-xml-bing-com/.

MLA

" » Real world exploitation of a misconfigured crossdomain.xml – Bing.com." - , https://www.truth.cx/2014/07/18/real-world-exploitation-of-a-misconfigured-crossdomain-xml-bing-com/

HARVARD

» Real world exploitation of a misconfigured crossdomain.xml – Bing.com., viewed ,

VANCOUVER

- » Real world exploitation of a misconfigured crossdomain.xml – Bing.com. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/07/18/real-world-exploitation-of-a-misconfigured-crossdomain-xml-bing-com/

CHICAGO

" » Real world exploitation of a misconfigured crossdomain.xml – Bing.com." - Accessed . https://www.truth.cx/2014/07/18/real-world-exploitation-of-a-misconfigured-crossdomain-xml-bing-com/

IEEE

" » Real world exploitation of a misconfigured crossdomain.xml – Bing.com." [Online]. Available: https://www.truth.cx/2014/07/18/real-world-exploitation-of-a-misconfigured-crossdomain-xml-bing-com/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa In my <a href="http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html" >previous</a> <a href="http://sethsec.blogspot.com/2014/03/exploiting-insecure-crossdomain.html" >two</a> posts, I explain the overly permissive crossdomain.xml vulnerability, show you how to create malicious SWF files from scratch, and show you how to use the malicious SWFs to exploit the vulnerability. <br /><br />As we all know, sometimes the best way to wrap your head around a vulnerability is to see it being exploited.  Rather than continuing to talk about the vulnerability in theoretical terms, I can now start to share some specific examples.<br /><div><br /></div><div>Microsoft has closed out my MSRC case, so I can share how I was able to exploit the crossdomain.xml file at www.bing.com, and land on their <i><a href="http://technet.microsoft.com/en-us/security/cc308575#0414" >Security Researcher Acknowledgements for Microsoft Online Services</a></i> page (a first for me).<br /><br /><b><u>Misuse Case - Gaining access to a Bing.com user's saved search history</u></b></div><div><br /></div><div><span style="color: blue;">If the victim user is authenticated with any live.com linked account (msn, outlook, etc), and they visit a malicious site, the owner of the malicious site can retrieve the victim user’s entire search history, including the sites they visited by way of the search engine.  </span><i><span style="font-size: x-small;"> </span></i></div><div><br /><b><u>The vulnerable configuration (fixed now):</u></b></div><div class="separator" style="clear: both; text-align: center;"><span id="docs-internal-guid-18cb2e99-8a8e-6a84-30d0-5e7ab7afd6a0" style="margin-left: 1em; margin-right: 1em;"><img height="219" src="https://lh4.googleusercontent.com/ybEcADaHZMEIpfVlpd1BI2l81i1xIrzaMADMAC3cNNAboOUHXj8lwmjwjpB4JFAxXEvybg7wRDi9vKnps8qj1Di41nBGjnqSXBJHsNpyu0Ge6N-c89B_NHFwchqh0STU_sSQT63B8W0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="533" /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="margin-left: 1em; margin-right: 1em;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: inherit; font-weight: bold; line-height: 1; text-decoration: underline; white-space: pre-wrap;">Proof of Concept</span></div><strong>Note:</strong> In the proof of concept, I show the attack from the perspective of the victim. <span style="color: blue;"> Unlike a real exploitation, the "victim" is going through Burp to illustrate what is going on behind the scenes.</span> <br /><div class="separator" style="clear: both; text-align: left;"><b id="docs-internal-guid-18cb2e99-8a90-4a62-e7fd-d6cbdcf09966" style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b><span style="font-family: inherit; line-height: 1;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Prerequisite:</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">  The victim is currently authenticated with msn.com, live.com, bing.com, etc.  </span></span><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;">This is a screenshot of the </span></span><span style="line-height: 16px; white-space: pre-wrap;">victim</span><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;"> logged in and viewing the information that we (the attacker) are going </span></span><span style="line-height: 16px; white-space: pre-wrap;">to</span> steal<span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;">.  </span></span><span style="line-height: 16px; white-space: pre-wrap;">The victim does not need to be on this particular page for the attack to work. </span></div><div style="line-height: 1;"></div><div class="separator" style="clear: both; line-height: 1; text-align: center;"><a href="http://1.bp.blogspot.com/-SE9zoOOIOyU/U2FlXkID48I/AAAAAAAAAN0/KdQYH9YxNEY/s1600/2014-04-30+17_01_12-Bing+Search+History.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="507" src="https://1.bp.blogspot.com/-SE9zoOOIOyU/U2FlXkID48I/AAAAAAAAAN0/KdQYH9YxNEY/s1600/2014-04-30+17_01_12-Bing+Search+History.png" width="640" /></a></div><div style="line-height: 1;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div><br /><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 1:</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Attacker hosts a malicious SWF on his/her server, and socially engineers a victim to arrive at the attacker’s site. </span></span><br /><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: inherit; font-style: normal; font-variant: normal; font-weight: bold; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 2:</span><span style="background-color: transparent; vertical-align: baseline;"><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;"> The victim, while logged into msn.com, live.com, bing.com, etc, loads the </span></span><span style="line-height: 16px; white-space: pre-wrap;">malicious html page</span><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;">:</span></span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: left;"><span id="docs-internal-guid-18cb2e99-8ab7-98ab-852e-69a0e08ac2c2" style="margin-left: 1em; margin-right: 1em;"><img height="110" src="https://lh3.googleusercontent.com/Q9552FSSfatESjWXK9iGNgDE9einj9siOZ1QgxE2xwOUzRPD2jSRBebCmpaC55e9AE66EiaGRPDcahIZPEjv97_TtD0fwS2VJOBdPHwO0iIOziM8H1pq8PJpMDRt02FT_Q" style="-webkit-transform: rotate(0rad); border: currentColor;" width="597" /></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: left;">As you can see, the POC html page just instructs the victim's browser to execute the SWF file.  </div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="312" src="https://lh4.googleusercontent.com/GrciJiySH4NGz9pW6tA1RMYvzzqx0gritX8S11Lz35vqFpa3z8bJloJz6PdqAZbb3PGms9Wgn8F1GFshdCHlGMUuComnhMPXw2miUDX_7il5Kr9cszWXLz8u3ZlVARicMkRfQAhcrN0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="529" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><span style="font-family: inherit; font-weight: bold; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">Step 3:</span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> The victims browser downloads and loads the SWF</span><br /><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="407" src="https://lh5.googleusercontent.com/cwcfBvn51xb9S26daLLB0Fz18uE_Ol761sERzOxhBXQA2enIMfyfYO4nUlZTxJLXQfWBzUO4FJUiSPk0pDg5DfyXXR-S78m1eYwTufcnpw5dW_4GV6gYPRLVq-QdriGarGN22kgJ3aw" style="-webkit-transform: rotate(0rad); border: currentColor;" width="542" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: bold; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 4:</span><span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> The SWF, now loaded in the browser, makes a request to </span><span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.bing.com/crossdomain.xml" style="text-decoration: none;">https://www.bing.com/crossdomain.xml</a></span><span style="background-color: transparent; vertical-align: baseline;"><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;">. This is where the vulnerability lies. If the crossdomain.xml file at www.bing.com is set correctly, the Adobe </span></span><span style="line-height: 16px; white-space: pre-wrap;">Flash</span><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;"> player won't let the SWF proceed. When the crossdomain.xml file is overly permissive, it instructs the SWF file that it is authorized to interact with the domain (www.bing.com). </span></span></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="256" src="https://lh3.googleusercontent.com/IBWJFz2_fDh2-dicjN7qOMXNyXgQv24PWirrl9YpWRKilV9_WmXy5YilP74-6yI2MMcHeZpwtDv-WsO0fT8Z3wghD0sHJLclXUsgf-CqNRNXx1g3vDi4ShL591MFc9eIImgDS4-htqE" style="-webkit-transform: rotate(0rad); border: currentColor;" width="550" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: inherit; font-weight: bold; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">Step 5:</span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> The SWF makes a request on behalf of the victim and retrieves the user’s search history from </span><a href="https://www.bing.com/profile/history" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://www.bing.com/profile/history/more" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history/more</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">:</span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="201" src="https://lh5.googleusercontent.com/dA2PbQdijjEtGFqKq6T0uIxp3D9qnU244RGm0NZnrGy1uYrR1sYpgrrXTgu-SyqB4LHWIlAGHDp0mndRmPT5dThWjoX_2kqVbfECKYMb5AaXRk637adGxsyHsQcfYE30x6mYD00saIw" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 6: </span></span>Because of the overly permissive crossdomain.xml file, the SWF is able to bypass Same-Origin-Policy and record the server response to the previous request. The SWF sends the data retrieved from <a href="https://www.bing.com/profile/history">https://www.bing.com/profile/history</a> to the attackers data drop page:</div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: inherit;"><img height="377" src="https://lh5.googleusercontent.com/aTsmPvjb_IU_UBx4O9aORkUXY0XNn6edHNk6lwG0SqX9Lsa2JS29nWUX5dQIqUqGNPB2e_ux5-pXEvcYxVopGyc11SUa9Mj0wv5QmcsDJYgrAZL3cF-skvS_Xdgp4wbn3H-NWaCaaWY" style="-webkit-transform: rotate(0rad); border: currentColor;" width="604" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">At this point, the exploitation is over from the perspective of the victim. Let's switch to the attacker's perspective, and look at the stolen data. </span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here is the data collector script on the attacker's server:</span></div><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh4.googleusercontent.com/2AgQLUYxuIelkKOZMKXjb2f9IgbVSj875JUvuEQ9oK-44BY_Jfe3jwS9DTJ2SDuqsTMeDbyuJPDuSSJCc7Dhl5i3j2UvXKcnYezbpNRdgkqZacqdiecQ02NUkaezAU4ZICjCG2kHOhE" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://lh4.googleusercontent.com/2AgQLUYxuIelkKOZMKXjb2f9IgbVSj875JUvuEQ9oK-44BY_Jfe3jwS9DTJ2SDuqsTMeDbyuJPDuSSJCc7Dhl5i3j2UvXKcnYezbpNRdgkqZacqdiecQ02NUkaezAU4ZICjCG2kHOhE" style="-webkit-transform: rotate(0rad); border: currentColor;" width="541" /></a></div><span style="line-height: 1; white-space: pre-wrap;">As I mentioned in my previous po</span>st, this php file takes the entire data portion of the incoming HTTP message and writes it to a file in /tmp. You can get a lot fancier with this, such as creating a separate file per victim, or by parsing the file within php and only writing the relevant information to disk, but this was sufficient for the POC that I sent to Microsoft.</div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 7:</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> The attacker can now parse the stolen data. The command just parses out the search queries from the source code of the stolen page. What is shown is basically the last 10 or so things I searched for on my Microsoft Surface.</span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">root@kali:/var/www# <span style="color: red;">cat /tmp/bing.txt | xmllint --format - | grep "sh_item_qu_query"</span></span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="168" src="https://lh3.googleusercontent.com/6RbWfU6BUTwS4uOmhouNjc29v5-6CqDIR9G4c6DBTY5I_OqpBzCkmyuv_qi_q43yinIfOZINvJxIye866D9z-ey6q1Dk5MaFZAn0NhzEDE_lDF2HVdV9O4O0LASbR5Ys9ZotqaWO0E0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;">This next command does the same thing, but it extracts the URL's that I visited as a result of my bing searches:</span></b></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">root@kali:/var/www# <span style="color: red;">cat /tmp/bing.txt | xmllint --format - | grep "sh_item_cl_url"</span></span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="206" src="https://lh5.googleusercontent.com/X0K0ZkTfZfaILS35kvd6FDhxh3UbcY9TdnEeBatkfz_cmqM-uvBhTGQGxdoSkSd2kUs9IhClBaCS8AQuaogwy5LEuFnKScDvq9pAXgSABnULnf59os1ZlsiaLIGnpqyBqFINmWWPLUo" style="-webkit-transform: rotate(0rad); border: currentColor;" width="580" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is where I stopped, but the </span></span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">POC can be extended to include the users entire search history, by using the </span><a href="https://www.bing.com/profile/history/more" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history/more</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> page. In the screenshot below, the t parameter is a timestamp that can be iterated. You can see that by modifying the timestamp, I was able to pull up things I searched for back in December 2012</span><span style="font-family: inherit; line-height: 1; white-space: pre-wrap;">:</span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: inherit;"><img height="289" src="https://lh6.googleusercontent.com/-JRKoTbMaT7F7jKmV4nmTXo2QikI8xhhhOBtclRdDzFXiNxBjdHdHN22S9zU-C0sTnJ0RuqRBPMxMWD_hpQSplV_5VnVWFjv291GuLRaRn4zcKDHKgOohtB8EFqpeF4LXFztJngf7sc" style="-webkit-transform: rotate(0.00rad); border: currentColor; transform: rotate(0rad);" width="499" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div><div class="separator" style="clear: both; text-align: left;"><b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="color: red; line-height: 16px; white-space: pre-wrap;">The malicious SWF could have easily made multiple requests, walking back the timestamp each time, essentially downloading everything the victim has ever searched for on Bing.com.  </span></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;"> </span></span><br /><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;"><span style="line-height: 1;">Here is the ActionScript s</span><span style="font-family: inherit; line-height: 1; white-space: pre-wrap;">ource (BingExternal.as), that once compiled, becomes BingExternal.SWF:</span><br /><div class="separator" style="clear: both;"><br /></div><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-family: inherit;"><img height="595" src="https://lh6.googleusercontent.com/WglhVj3lqEBoaxv05r0KRZ6bv9r8eLT5FUdnL6hDWm7Bd-6QFXeSi0evQILaD6F4E0r8Vf3QZ0dMM6TYhf1RuvMveckVjsz-EZmq_6ZP-6u_qA-XJ6j74BwMXetL_j9e61DLX7kpyYA" style="-webkit-transform: rotate(0rad); border: currentColor;" width="559" /></span><br /><span style="font-family: inherit;"><br /></span></div></div><span style="color: black; vertical-align: baseline; white-space: pre-wrap;"></span><br /><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;"><div style="line-height: normal;"><span style="color: black; font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">If you look closely at the very first picture in the POC, you will notice that victim was viewing https://ssl.bing.com/profile/history. You should also notice that the exploit SWF requests the sensitive data from https://www.bing.com/profile/history. This is where I got lucky.  </span></div><div style="line-height: normal;"></div><div style="line-height: normal;">I *think* the developers made the following assumption:  </div><div style="line-height: normal;"><ul><li>When a user is authenticated, we send them to ssl.bing.com, and that crossdomain.xml does not exist, so all is good.  </li><li>When a user is unauthenticated, we send them to <a href="http://www.bing.com/">www.bing.com</a>. Even though we have a very permissive crossdomain.xml, only unauthenticated users will use this part of the site, so no sensitive information can be stolen via Flash.  </li></ul></div>So really, I was only able to really exploit the overly permissive crossdomain.xml file and gain access to the sensitive information because the application sent the sensitive history information to authenticated users, even when they requested the data from <a href="http://www.bing.com/profile/history">www.bing.com/profile/history</a>.  If Bing told authenticated users to use ssl.bing.com/profile/history or get lost, I would not have had a very exciting demo. <br /><br />Questions? Concerns?  Leave me a note in the comments! <br /><h2>Related Work: </h2><div><ul><li><a href="http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html">Exploiting misconfigured crossdomain.xml files</a></li><li><a href="http://sethsec.blogspot.com/2014/03/exploiting-insecure-crossdomain.html">Exploiting insecure crossdomain policies to bypass anti-CSRF tokens</a></li><li><a href="http://sethsec.blogspot.com/2014/07/crossdomain-bing.html">Real world exploitation of a misconfigured crossdomain.xml - Bing.com</a></li><li><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2227.html">AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml</a></li><li><a href="http://sethsec.blogspot.com/2014/10/bsidesdc-2014.html">BSides DC 2014 - SWF Seeking Lazy Admin for Cross-Domain Action</a></li></ul></div></div></div> First name:

Last name: