Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Cisco ZeroClipboard Swf File XSS


The security of  the target website depends upon the number of vectors an attacker knows, The more vectors an attacker knows the more chances he would have for compromising your website. One of the reasons why i have managed to secure my places in most of the security hall of fames was that i did not tried a single attack vectors, i tested a the target for lots of different attack vectors, one of them was swf. swf files are commonly found on mots of the websites. Though there are lots of other vulnerabilities for swf files, however i would stick to the topic of this post and would leave other's for upcoming posts.
Recently, i was testing cisco for potential vulnerabilities, initially i took tested for SQLi, XSS, CSRF and other attacks, but was out of luck. Therefore, i decided to test it for swf file vulnerabilities. One of the common swf vulnerabilities i look for inside a website is for "ZeroClipboard Xss".

What Is ZeroClipboard?

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie, and a JavaScript interface. The "Zero" signifies that the library is invisible and the user interface is left entirely up to you.

I used google to search, if any of cisco's subdomain or cisco.com itself contain this file, luckily i found the path to bx.cisco.com that contained zeroclipboard.xss. So i began testing for XSS and bingo it worked.


Cisco Swf POC

http://bx.cisco.com/cbx-portal/js/zeroclipboard/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSSbyrafay/.source);}//&width=500&height=500


Vulnerable Code

public function ZeroClipboard()
{ .... var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters; id = flashvars.id; .... 
ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
As you can look from the above code is that id parameter from Externalinterface.call is passed to the second parameter, without being properly sanitized. Therefore it results into an XSS.

Further Reading

If you are really interested in learning about zeroclipboard xss, i would recommend you read the following articles:

http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
https://github.com/jonrohan/ZeroClipboard/issues/14
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.