AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: Boundless Tunes - universal SOP bypass through ActionScript's Sound object #354

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]

---
An instance of ActionScript's Sound class allows loading, and extracting for
further processing, any kind of external data, not only sound files. The same-origin
policy doesn't apply here. Each input byte of raw data, previously loaded from the
given URL, is encoded by an unspecified function into the same 8 successive
sample blocks of output. A sample block consists of 8 bytes (the first 4 bytes
for the left channel and the next 4 bytes for the right channel). Only 2 bytes from the 8 sound
blocks (64 bytes) are crucial; the remaining 52 bytes are useless. Each byte of
input in the range 0-255 has a corresponding constant unsigned integer value (the
result of encoding), so for decoding purposes you can simply use a lookup table
(cf. the source code in BoundlessTunes.as).

1. Put the attached file BoundlessTunes.swf on an HTTP server.
2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL>, where <URL> is a
URL (e.g. one leading to a cross-origin resource). The received response will
be displayed in an alert window.

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 30 Apr 2015 at 4:51

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 1 May 2015 at 6:22

GoogleCodeExporter commented 8 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 4:19

GoogleCodeExporter commented 8 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 18 Aug 2015 at 7:15