Greetings to all from Porta Neorion,
Today, I would like to tell you how I was able to detect vulnerability through a .swf file that I noticed during security tests.
1. I was informed by our project manager that “private.com” tests will be carried out.
2. After receiving the necessary information, I verified the scope form and rolled up my sleeves for the security test.
3. I started the recon stages in order to get to know the application in detail.
4. During the exploration stages, I discovered the “test” path and started to examine the pages in this directory with the view-source feature and noticed a .swf file named “CU3ER.swf”. So what does this mean for us?
As I mentioned in one of my previous articles, flash files are sometimes specially created by the application developer, which may lead us to find code blocks that may contain sensitive information about the developer and the application, or vice versa, a popular flash file may be developed and marketed by certain developers, and then application developers While making various changes to the files for use in their own applications, they may forget to remove them later, leaving sensitive data between the code blocks.
So what is “CU3ER”?
CU3ER, an image slider initially conceived to create 3D transitions between slides, turned out to be a convenient and multifunction solution that can be applied in a range of website building areas, from content slider to feature slider and image & banner rotator.
5. I decompiled the “CU3ER.swf” file that I had detected and started planning to examine the code blocks and other file contents. So what is the purpose here?
Our goal here is to access the source codes of the relevant flash file and detect sensitive information disclosure through these codes.
In addition, CU3ER.swf is a well-known flash file, which means that even if we decompile it, it will probably be very difficult for us to find sensitive data, but I thought that the application developer may have made various changes on this file or added notes, so I started the decompile process.
6. During the decompile process, I started to read the codes by viewing the “Main” file under the “scripts” directory. I started to examine the p-code side to better display the string values through the codes and I was able to detect a comment line in the middle of the lines of code with a username that might belong to the application developer.
7. At the end of the day, I tried to use this username on the login page of the relevant application interface, and by applying the user enum technique, I was able to detect that there is a user name registered in the system, and then I created a password list and performed a brute-force attack for the relevant username and the password information was retrieved. “123456789!” I found that it is a simple value such as (I was lucky because there was no rate limiting rule :))
8. I prepared the necessary explanations and included this situation in my report together with the evidence.
9. In addition, I learned by researching that various vulnerabilities were detected through this flash file, if you wish, you can read it from the address below. — https://seclists.org/fulldisclosure/2014/Apr/251
By carefully examining the pages in the directories we have identified during the discovery stages, we can detect the existence of various file types and detect various sensitive information through these files.