web application security lab

MalaRIA Malicious RIA Proxy

I got an email from Erlend Oftedal about a new tool he’s created called MalaRIA. The tool abuses overly permissive crossdomain.xml and clientaccesspolicy.xml policy files (so both Flash and Silverlight are covered): a small RIA client served from the attacker’s machine runs inside the victim’s browser and turns that browser into a proxy, so code on the attacker’s server can request pages from any site whose policy file grants cross-domain access and read the responses back, complete with whatever the victim’s browser sends along (cookies and session state) that would otherwise keep that content protected. So think of it like an RIA version of BeEF.

You can read his blog post here, or if you’re the visual type you can check out his movie here. We often talk about why poorly written crossdomain.xml files are dangerous, but I think this puts the last nail in that coffin. Yes, it’s dangerous. For real. Incidentally, there is no reason you couldn’t deliver a MalaRIA payload over BeEF as well, if you wanted the best of both worlds. Nice job by Erlend!

Update: code available here.
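The precondition MalaRIA relies on is a policy file that grants read access to every origin. The script below is added here as an illustration; it is not MalaRIA’s code and not from Erlend’s post. It parses a Flash crossdomain.xml and a Silverlight clientaccesspolicy.xml and flags the settings that make a site readable from an RIA loaded off an attacker’s server. The three sample policy files embedded in it are constructed for the example, and the finding codes and function names are my own.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
policy files for the settings a MalaRIA-style proxy needs: a grant that
lets an RIA loaded from any origin read this site's responses."""
import xml.etree.ElementTree as ET

# Constructed sample policies for the example; not copied from any real site.
WEAK_CROSSDOMAIN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

STRICT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""

WEAK_CLIENTACCESS = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Finding codes (names chosen for this example).
ANY_ORIGIN = "ANY_ORIGIN"                # every origin may read responses
SUBDOMAIN_WILDCARD = "SUBDOMAIN_WILDCARD"  # every host under a suffix is trusted
INSECURE_FLAG = "INSECURE_FLAG"          # http:// SWF may read https:// content
ANY_HEADERS = "ANY_HEADERS"              # cross-origin RIA may send arbitrary headers
WHOLE_SITE = "WHOLE_SITE"                # Silverlight grant covers every path


def audit_crossdomain(xml_text):
    """Return [(code, detail)] for a Flash crossdomain.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append((ANY_ORIGIN, 'allow-access-from domain="*"'))
        elif domain.startswith("*."):
            findings.append((SUBDOMAIN_WILDCARD, 'allow-access-from domain="%s"' % domain))
        # secure defaults to true; "false" lets an http:// SWF read https:// data
        if el.get("secure", "true").lower() == "false":
            findings.append((INSECURE_FLAG, 'secure="false" for domain="%s"' % domain))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append((ANY_HEADERS, 'allow-http-request-headers-from domain="*" headers="*"'))
    return findings


def audit_clientaccesspolicy(xml_text):
    """Return [(code, detail)] for a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        uris = [d.get("uri", "") for d in policy.iter("domain")]
        wildcard = [u for u in uris if u in ("*", "http://*", "https://*")]
        whole_site = any(
            r.get("path") == "/" and r.get("include-subpaths", "false").lower() == "true"
            for r in policy.iter("resource"))
        if wildcard:
            findings.append((ANY_ORIGIN, 'allow-from domain uri="%s"' % wildcard[0]))
            if whole_site:
                findings.append((WHOLE_SITE, 'grant-to resource path="/" include-subpaths="true"'))
        for af in policy.iter("allow-from"):
            if af.get("http-request-headers") == "*":
                findings.append((ANY_HEADERS, 'allow-from http-request-headers="*"'))
    return findings


def proxyable(findings):
    """True when an RIA from an arbitrary origin can read the site: the
    precondition for using a visitor's browser as a MalaRIA-style proxy."""
    return any(code == ANY_ORIGIN for code, _ in findings)


if __name__ == "__main__":
    for name, auditor, text in (
            ("weak crossdomain.xml", audit_crossdomain, WEAK_CROSSDOMAIN),
            ("strict crossdomain.xml", audit_crossdomain, STRICT_CROSSDOMAIN),
            ("weak clientaccesspolicy.xml", audit_clientaccesspolicy, WEAK_CLIENTACCESS)):
        found = auditor(text)
        print("%s: proxyable=%s" % (name, proxyable(found)))
        for code, detail in found:
            print("  %-18s %s" % (code, detail))
```

Point the auditors at the policy files fetched from the root of the site under review (Silverlight falls back to crossdomain.xml when no clientaccesspolicy.xml is present, so both matter). A `*.example.com` entry is only as safe as the least trusted host under that suffix, which is why it gets its own code rather than being treated as clean.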

4 Responses to “MalaRIA Malicious RIA Proxy”

  1. Robert Says:

    When transparent proxies are used between the client and the server, no socket/crossdomain.xml file rules are required to accomplish this.

    http://www.thesecuritypractice.com/the_security_practice/2010/03/abusing-transparent-proxies-with-flash-presentation-available-paper-update.html

  2. Mike Says:

    Very cool. What about Firefox’s new Cross-Domain XMLHttpRequest?

  3. lava Says:

    Awesome work by Erlend.

    @Mike
    Unlike crossdomain.xml, which usually provides domain/site-level access, the CD XMLHttpRequest has more fine-grained access control. Only the pages on the target server having the ‘Access-Control-Allow-Origin: *’ header are accessible.
    HTML5’s CD feature is more secure than Flash/Silverlight’s.
    Having said that, there is a tool that I am working on called the ‘Shell of the Future’ where the focus is purely on CD Ajax requests. It is similar to MalaRIA but I am approaching it from the opposite direction.

  4. Adam Says:

    http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/

    ……..