MalaRIA Malicious RIA Proxy
I got an email from Erlend Oftedal about a new tool he’s created called MalaRIA. The tool abuses overly permissive crossdomain.xml and clientaccesspolicy.xml files (so it covers both Flash and Silverlight) so that a piece of code hosted on his server can use the victim’s browser as a proxy, reading information from other websites that are otherwise protected from the attacker. So think of it as an RIA version of BeEF.
You can read his blog post here or if you’re the visual type you can check out his movie here. We often talk about why poorly written crossdomain.xml files are dangerous, but I think this puts the last nail in that coffin. Yes, it’s dangerous. For real. Incidentally there is no reason you couldn’t deliver a MalaRIA payload over BeEF as well, if you wanted the best of both worlds. Nice job by Erlend!
Update: code available here.



April 7th, 2010 at 9:32 am
When transparent proxies are used between the client and the server, no socket/crossdomain.xml file rules are required to accomplish this.
http://www.thesecuritypractice.com/the_security_practice/2010/03/abusing-transparent-proxies-with-flash-presentation-available-paper-update.html
April 7th, 2010 at 10:02 am
Very cool. What about Firefox’s new Cross-Domain XmlHttpRequest?
April 9th, 2010 at 7:40 am
Awesome work by Erlend.
@Mike
Unlike crossdomain.xml, which usually provides domain/site-level access, the CD XmlHttpRequest has more fine-grained access control. Only the pages on the target server having the ‘Access-Control-Allow-Origin: *’ header are accessible.
HTML5’s CD feature is more secure than Flash/Silverlight’s.
Having said that, there is a tool that I am working on called ‘Shell of the Future’ where the focus is purely on CD Ajax requests. It is similar to MalaRIA, but I am approaching it from the opposite direction.
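As an added example (not Erlend’s MalaRIA code, nor anything from the linked posts or the commenter’s tool), here is a small Python audit that flags the permissive crossdomain.xml and clientaccesspolicy.xml settings the post relies on, and contrasts them with the per-resource CORS decision the comment above describes. The policy documents and header dictionaries are constructed samples; the function names are my own.

```python
"""Audit RIA cross-domain policies for MalaRIA-style exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a Flash policy that lets any origin read responses.
WEAK_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

# Constructed sample: a Flash policy scoped to one site, HTTPS only.
SAFE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>"""

# Constructed sample: a Silverlight policy granting the whole site to everyone.
WEAK_CLIENTACCESS = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

WILDCARD_URIS = {"*", "http://*", "https://*"}


def audit_crossdomain(xml_text):
    """Return findings for a Flash crossdomain.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read responses')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard subdomain: {domain}")
        # secure="false" lets plain-HTTP origins read HTTPS content.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: HTTP origins may read HTTPS content')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site may send custom headers')
    return findings


def audit_clientaccesspolicy(xml_text):
    """Return findings for a Silverlight clientaccesspolicy.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        uris = [d.get("uri", "") for d in policy.iter("domain")]
        resources = list(policy.iter("resource"))
        paths = ", ".join(r.get("path", "") for r in resources)
        subpaths = any(r.get("include-subpaths", "false").lower() == "true" for r in resources)
        if any(u in WILDCARD_URIS for u in uris):
            scope = paths + (" and all subpaths" if subpaths else "")
            findings.append(f"wildcard domain uri grants {scope} to every origin")
    return findings


def cors_allows_read(response_headers, origin, with_credentials=False):
    """Would a browser expose this response body to `origin` under CORS?

    Unlike a site-wide crossdomain.xml, the decision is made per response.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        # A wildcard is never honoured for credentialed requests, so
        # cookie-backed content stays unreadable even on a "*" page.
        return not with_credentials
    if acao != origin:
        return False
    if with_credentials:
        return h.get("access-control-allow-credentials", "").lower() == "true"
    return True


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CROSSDOMAIN), ("safe", SAFE_CROSSDOMAIN)):
        print(f"crossdomain.xml ({name}):", audit_crossdomain(text) or "no findings")
    print("clientaccesspolicy.xml (weak):", audit_clientaccesspolicy(WEAK_CLIENTACCESS))
    print("CORS '*' without credentials:",
          cors_allows_read({"Access-Control-Allow-Origin": "*"}, "https://other.example"))
```

The point of the contrast: one wildcard line in crossdomain.xml hands every response on the host to any origin, whereas CORS has to opt in on each response, and a wildcard there still cannot be combined with credentials.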
April 12th, 2010 at 12:42 pm
http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/