MSN.COM Affected By Multiple Flash Cross-Site Scripting Vulnerabilities
Basically, a Flash Cross-Site Scripting vulnerability isn't so different from other XSS attacks, and in fact it has the same high impact as the others; the one difference is that it works via Flash object files (.SWF).
Christian Galeone, a young cyber security researcher, has found a vulnerability in a Microsoft domain. He describes it as follows:
In my bug hunting career I have had the opportunity to find several High issues, one of them being the Flash Cross-Site Scripting vulnerability!
So, here is how it works:
For these reasons, I have recently found that the domain "ads1.msn.com" from Microsoft Inc. had several Flash objects vulnerable to this type of attack!
**Affected URL(s) Link:**
http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf
http://ads1.msn.com/ads/76434/0000076434_000000000000000600751.swf
http://ads1.msn.com/ads/83264/0000083264_000000000000000674697.swf
http://ads1.msn.com/ads/60380/0000060380_000000000000000471735.swf
http://ads1.msn.com/ads/73102/0000073102_000000000000000411337.swf
http://ads1.msn.com/ads/68526/0000068526_000000000000000626606.swf
http://ads1.msn.com/ads/76434/0000076434_000000000000000600754.swf
http://ads1.msn.com/ads/53428/0000053428_000000000000000567342.swf
http://ads1.msn.com/ads/9911/0000009911_000000000000000610871.swf
http://ads1.msn.com/ads/65522/0000065522_000000000000000526160.swf
I downloaded the SWF object(s) and analyzed their internal code with SWFScan (from HP); here you can see the code:
As I saw, the ?ClickTag= parameter was vulnerable (after having tested it manually), and so I was able to inject the PoC payload script into it, as you can see below:
Javascript:prompt(document.domain)//
The document.domain indicates where the script execution comes from, so the PoC link will look as below:
http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf?clickTAG=Javascript:prompt(document.domain)//
Let's see the main SWF screen:
This is our result (click on the banner)!
Where about:blank indicates the origin of the script, in our case the 0000007188_000000000000000633582.swf object!
I then reported the issue to the Microsoft Security Team and they decided to credit me on their Acknowledgement Page for the month of January 2015!
Let's say it's an awesome gift ;-)
Merry Christmas and Happy New Year to everybody!!
More Details:
http://www.acunetix.com/blog/articles/elaborate-ways-exploit-xss-flash-parameter-injection/
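The root cause described above is a banner that hands its clickTAG parameter straight to the browser, so a javascript: value runs in the embedding page's origin. The fix on the Flash side is an allow-list check in the ActionScript before getURL()/navigateToURL() is called: accept only absolute http(s) URLs and drop everything else. The Python below is an added example (not code from the post, from the researcher, or from Microsoft) that implements that same check, and reuses it as a detection rule over request URLs such as web-server access log entries. The sample requests are constructed for this example, except the PoC link, which is quoted from the write-up; the function and parameter names are the example's own.

```python
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlsplit

# Only these schemes may reach the banner's click-through navigation.
# javascript:, vbscript:, data:, file: and anything else is refused.
ALLOWED_SCHEMES = ("http", "https")

# A URL scheme per RFC 3986: a letter followed by letters, digits, "+", "-", ".", then ":".
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def is_safe_click_url(value: str) -> bool:
    """Return True only if `value` is an absolute http(s) URL.

    This mirrors the allow-list check a banner's ActionScript should perform
    on clickTAG before passing it to getURL()/navigateToURL(). The value is
    percent-decoded once more (rejecting more is the safe direction), control
    characters and whitespace that browsers ignore inside a scheme are
    stripped, and the scheme is compared case-insensitively so that
    "Javascript:" and "JAVASCRIPT:" are rejected as well as "javascript:".
    """
    if not isinstance(value, str) or not value:
        return False
    cleaned = unquote(value)
    cleaned = re.sub(r"[\x00-\x20]", "", cleaned)
    match = _SCHEME_RE.match(cleaned)
    if not match:
        return False  # relative or scheme-less values are not accepted either
    return match.group(1).lower() in ALLOWED_SCHEMES


def extract_click_tags(url: str) -> List[str]:
    """Collect every clickTAG-style parameter value (any capitalisation) from a URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for key, values in params.items() if key.lower() == "clicktag" for v in values]


def flag_request(url: str) -> bool:
    """True when a request to a banner SWF carries a clickTAG value that fails the allow-list."""
    return any(not is_safe_click_url(v) for v in extract_click_tags(url))


def audit(urls: List[str]) -> List[str]:
    """Return the subset of request URLs that would be flagged, e.g. from an access log."""
    return [u for u in urls if flag_request(u)]


# Constructed sample requests; the second one is the PoC link quoted in the post above.
SAMPLE_REQUESTS = [
    "http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf?clickTAG=http://example.com/landing",
    "http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf?clickTAG=Javascript:prompt(document.domain)//",
    "http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf?clicktag=JAVASCRIPT%3Aprompt(document.domain)//",
    "http://ads1.msn.com/ads/7188/0000007188_000000000000000633582.swf",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print("FLAGGED " if flag_request(url) else "ok      ", url)
```

The check is an allow-list, not a block-list: rather than looking for the string "javascript", it only lets http and https through, which is why a mixed-case or percent-encoded variant of the same payload is caught without any extra rule. The same function can be dropped into an ad server's request validation so that a bad clickTAG never reaches the SWF at all.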
About the Author:
Christian Galeone is a cyber security researcher from Italy; he is currently studying at ITCL Marco Polo (Vocational Technical Institute | Vo-Tech), attending the IT Programming class.
He has been acknowledged by top 5 companies including Yahoo!, Microsoft, AT&T, Sony, etc.
He is currently working with HOC as an author of cyber security and critical tools research articles.