Recently, I was testing Cisco for potential vulnerabilities. Initially I tested for SQLi, XSS, CSRF and other attacks, but was out of luck. Therefore, I decided to test it for SWF file vulnerabilities. One of the common SWF vulnerabilities I look for inside a website is "ZeroClipboard XSS".
What Is ZeroClipboard?
The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie, and a JavaScript interface. The "Zero" signifies that the library is invisible and the user interface is left entirely up to you.
I used Google to search whether any of Cisco's subdomains or cisco.com itself contained this file. Luckily, I found the path on bx.cisco.com that contained zeroclipboard.xss. So I began testing for XSS, and bingo, it worked.
Cisco SWF POC
http://bx.cisco.com/cbx-
Vulnerable Code
public function ZeroClipboard()
{
    ....
    var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;
    id = flashvars.id;
    ....
    ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
    ....
}
As you can see from the above code, the id parameter is read from flashvars and passed as the second argument to ExternalInterface.call without being properly sanitized. Therefore, it results in an XSS.
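A hardened form of the constructor above, shown as an added example that is not code from this post or from the ZeroClipboard project. It assumes the id only ever needs to be a DOM-style element id; the helper name sanitizeId, the allowed character set and the 64-character limit are hypothetical choices.

```actionscript
package {
    import flash.display.LoaderInfo;
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    public class ZeroClipboard extends Sprite {
        private var id:String = "";

        public function ZeroClipboard() {
            // flashvars come from the URL query string or the embed tag,
            // so every value in them is attacker-controllable input.
            var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;

            // Validate before the value is stored or used anywhere else.
            id = sanitizeId(flashvars.id);

            // Refuse to call into the page's JavaScript if the id was
            // rejected; do not try to "clean up" a bad value.
            if (id.length > 0 && ExternalInterface.available) {
                ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
            }
        }

        // Hypothetical helper (assumption, not the project's API).
        // Allow-list: letters, digits, underscore and hyphen only.
        // Quotes, backslashes, parentheses and whitespace never pass,
        // so the value cannot change the shape of the JavaScript call
        // that ExternalInterface hands to the embedding page.
        private static function sanitizeId(raw:*):String {
            var value:String = (raw == null) ? "" : String(raw);
            return /^[A-Za-z0-9_-]{1,64}$/.test(value) ? value : "";
        }
    }
}
```

The same allow-list check applies to any other flashvars value that is later passed to ExternalInterface.call.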
Further Reading
If you are really interested in learning about ZeroClipboard XSS, I would recommend you read the following articles:
http://lcamtuf.blogspot.com/
https://github.com/jonrohan/