net found a nice stored security policy file attack using
GIF file comments. He created the single pixel GIF image shown here, which has an open
Flash security policy in a GIF comment. As of Flash Player 9.0 r47, this is still accepted by
loadPolicy():
00000000 47 49 46 38 39 61 01 01-01 01 e7 e9 20 3c 63 72 GIF89a...... <cr
00000010 6f 73 73 2d 64 6f 6d 61-69 6e 2d 70 6f 6c 69 63 oss-domain-polic
00000020 79 3e 0a 20 20 3c 61 6c-6c 6f 77 2d 61 63 63 65 y>.  <allow-acce
00000030 73 73 2d 66 72 6f 6d 20-64 6f 6d 61 69 6e 3d 22 ss-from domain="
00000040 2a 22 2f 3e 20 0a 20 20-3c 2f 63 72 6f 73 73 2d *"/> .  </cross-
00000050 64 6f 6d 61 69 6e 2d 70-6f 6c 69 63 79 3e 47 49 domain-policy>GI
You could place an open security policy within the data (not just the comments) of any
valid image, audio, or other data file. This is easier to do with uncompressed file
formats, such as BMP image files. As of Flash Player v9.0 r47, the only limitations are that
loadPolicy() requires each byte before the ending tag to be as follows:
• Be non-zero
• Have no unclosed XML tags (no stray <, 0x3c)
• Be 7-bit ASCII (bytes 0x01 to 0x7F)
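Because loadPolicy() reads raw bytes and does not care what file format surrounds them, a server that hosts user-supplied files should reject anything that carries policy markup, whatever its extension or declared content type. The following Python scanner is an added example (not code from the book or from Flash Player) that applies that conservative check; the malicious sample is built from the hex dump above, and the benign GIF is constructed here for comparison. It deliberately does not reimplement the three leniency rules listed above: flagging the markup anywhere in the file is the safer filter.

```python
# Added example: detect Flash cross-domain policy markup embedded in uploaded files.

# Markers that a Flash policy file contains; both appear in the dump above.
# Matching them anywhere in the raw bytes (not only in a GIF comment block)
# is the conservative check, since loadPolicy() ignores the container format.
POLICY_MARKERS = (b"<cross-domain-policy", b"<allow-access-from")

# The single-pixel GIF from the hex dump on the page, reassembled byte for byte.
POLICY_GIF = bytes.fromhex(
    "47 49 46 38 39 61 01 01 01 01 e7 e9 20 3c 63 72"
    "6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63"
    "79 3e 0a 20 20 3c 61 6c 6c 6f 77 2d 61 63 63 65"
    "73 73 2d 66 72 6f 6d 20 64 6f 6d 61 69 6e 3d 22"
    "2a 22 2f 3e 20 0a 20 20 3c 2f 63 72 6f 73 73 2d"
    "64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 79 3e 47 49"
)

# A constructed, harmless 1x1 GIF (header, 2-entry colour table, one image block, trailer).
BENIGN_GIF = bytes.fromhex(
    "47 49 46 38 39 61 01 00 01 00 80 00 00"  # GIF89a, 1x1, global colour table
    "ff ff ff 00 00 00"                        # two palette entries
    "2c 00 00 00 00 01 00 01 00 00"            # image descriptor
    "02 02 44 01 00"                           # LZW minimum code size + one data sub-block
    "3b"                                       # trailer
)


def find_embedded_policy(data: bytes):
    """Return (offset, marker) of the earliest policy marker in data, or None.

    The search is case-insensitive so that a mixed-case tag is not missed.
    """
    lowered = data.lower()
    hits = []
    for marker in POLICY_MARKERS:
        offset = lowered.find(marker)
        if offset != -1:
            hits.append((offset, marker.decode("ascii")))
    return min(hits) if hits else None


def is_safe_upload(data: bytes) -> bool:
    """True when the file carries no policy markup and may be stored as-is."""
    return find_embedded_policy(data) is None


if __name__ == "__main__":
    for name, blob in (("policy.gif", POLICY_GIF), ("benign.gif", BENIGN_GIF)):
        hit = find_embedded_policy(blob)
        verdict = "REJECT" if hit else "accept"
        detail = f" ({hit[1]} at offset {hit[0]})" if hit else ""
        print(f"{name}: {verdict}{detail}")
```

A scan like this belongs at upload time and again at serving time if files are ever re-written in place. Note that it only catches the two markers it knows about; hosting user content on a separate domain, where a stray policy file grants nothing of value, remains the stronger control.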
FLASH HACKING TOOLS
Flash programming will come quickly to JavaScript developers, as Flash's ActionScript
language and JavaScript share similar roots.