Failed to detect Flashvars and sinks in ZeroClipboard

[tifkin-]

I got inconsistent results scanning this swf. RIght now it seems to only detect FlashVars but no sinks. Initially it wasn't detecting anything.

Link to swf https://docs.google.com/file/d/0B-4ZVWytXXbCbVJfcmZZaEFtbVU

Vulnerability overview: https://github.com/zeroclipboard/zeroclipboard/issues/14

[flabbergastedbd]

Hi @tifkin- , few things to keep you in loop

• Thanks for reporting. Somehow the live version of Flashbang couldn't run it, I am trying to find out why
• The flashvars were successfully detected in a local flashbang instance
• I decompiled the swf and found that the flashVars width and height are used in some AS function which raises a NaN error, because when flashbang fuzzes the flashVars it does it using random strings (which might not be valid numbers)

We will stick to this thread for discussion & we will try to resolve it soon

Solution which I have in my mind is to fuzz using various types of data, but this will be tricky. Any thoughts?

[tifkin-]

Yeah, fuzzing multiple types of input sounds like the easiest way to go.

Another idea (just brainstorming here) is to create a list of type-coercion sinks and then if FlashBang detects that a parameter is passing through a type-coercion sink, it can change the fuzzer to conform to the expected type. For example, in ZeroClipboard the with and height parameters both pass through Math.floor(the type-coercion sink), therefore they must be numbers.