Design flaw in AS3 socket handling allows port probing
Update October 15, 2008: The release of Flash Player Version 10 fixes the problem.
Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.
In AS3 Adobe introduced a new socket-related event called SecurityErrorEvent. This event is always thrown when a Flash Player tries to connect to a socket that it is not allowed to connect to.
The Problem with the SecurityErrorEvent is that it's thrown immediately when a Flash Player tries to connect to a closed TCP port. If a service is listening on that port the Flash Player writes the string "<policy-file-request/>" and waits for response from the service. Nearly no TCP-service will respond to this request.
We can assume the following: When trying to connect to a socket that the SWF is not allowed to and it doesn't get a SecurityErrorEvent within 2 seconds the port is most likely open.
A new Flash player instance is used for every probed port because the Flash Player sends only one policy-file request per player per host per port.
Doesn't work as expected on:
- Windows XP SP2: Internet Explorer 6 / Flash Player 126.96.36.199
- Windows XP SP2: Firefox 188.8.131.52 / Flash Player 184.108.40.206
- Windows XP SP2: IE 7.0.5730.11 Flash Player 220.127.116.11
- Ubuntu Edgy: Firefox 18.104.22.168 / Flash Player 22.214.171.124
- Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 126.96.36.199
- Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 188.8.131.52
- Mac OSX 10.4.10: Firefox 184.108.40.206 / Flash Player 220.127.116.11
- Mac OSX 10.4.10: Camino 1.5.2 / Flash Player 18.104.22.168
- Mac OSX 10.5.1: Safari 3.0.4 / Flash Player 22.214.171.124
- Mac OSX 10.5.1: Firefox 126.96.36.199 / Flash Player 188.8.131.52
- Mac OSX 10.5.1: Camino 1.5.3 / Flash Player 184.108.40.206
- Solaris 10 i86: Firefox 220.127.116.11 / Flash Player 18.104.22.168
- Mac OSX 10.4.10: Opera 9.22 / Flash Player 22.214.171.124
- Browsers with player version 10
The Scanner does not work on services that close the TCP-Connection immediately after they receive Bytes that they don`t "understand". The port is reported as closed because the SecurityErrorEvent is thrown when the TCP-Connection is closed.
The Scanner does not always work as expected when scanning hosts located in the internet (e.g. google.com). This maybe happens due to stateful inspection firewalls that close the connections or long TCP-response times.
If a host is not present, all ports are marked open.
- 2007/07/23: Problem discovery
- 2007/07/24: PoC available
- 2007/07/25: Vendor notification
- 2007/08/01: Vendor acknowledgement
- 2007/08/09: Public demonstration at CCCamp
- 2007/12/18: Adobe released Knowledge Base Article (see "Additional Notes" for more details)
- 2008/10/15: Public release of Flash Player Version 10 which fixes the problem
Flash-Player Side (Adobe)
- TOTALLY REMOVE the SecurityErrorEvent (it`s useless, it`s just harder to find errors with socketservers without the event)
- Remove the SecurityErrorEvent in the Release-Players and keep it in the debug players
- Make the SecurityErrorEvent behave EXACTLY the same for opened an closed ports
- Disable Flash
- Only allow Flash from trusted sites
- Upgrade Player to Version 10
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4324 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Adobe released an article at the knowledge base regarding that issue: Socket connection timing can reveal information about network configuration (Flash Player).
Live PoC scanner
Main.as (compile using Adobes Flex2 SDK)