Adobe Flash Player prior to 13.0.0.231 and 14.x prior to 14.0.0.145 on Windows and OS X and prior to 11.2.202.394 on Linux, Adobe AIR prior to 14.0.0.137 on Android, Adobe AIR SDK prior to 14.0.0.137, and Adobe AIR SDK & Compiler prior to 14.0.0.137 do not properly restrict the SWF file format, which allows remote malicious users to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
| Vulnerable Product |
|---|
| adobe flash_player 11.2.202.223 |
| adobe flash_player 11.2.202.228 |
| adobe flash_player 11.2.202.233 |
| adobe flash_player 11.2.202.235 |
| adobe flash_player 11.2.202.236 |
| adobe flash_player 11.2.202.238 |
| adobe flash_player 11.2.202.243 |
| adobe flash_player 11.2.202.251 |
| adobe flash_player 11.2.202.258 |
| adobe flash_player 11.2.202.261 |
| adobe flash_player 11.2.202.262 |
| adobe flash_player 11.2.202.270 |
| adobe flash_player 11.2.202.273 |
| adobe flash_player 11.2.202.275 |
| adobe flash_player 11.2.202.280 |
| adobe flash_player 11.2.202.285 |
| adobe flash_player 11.2.202.291 |
| adobe flash_player 11.2.202.297 |
| adobe flash_player 11.2.202.310 |
| adobe flash_player 11.2.202.332 |
| adobe flash_player 11.2.202.335 |
| adobe flash_player 11.2.202.336 |
| adobe flash_player 11.2.202.341 |
| adobe flash_player 11.2.202.346 |
| adobe flash_player 11.2.202.350 |
| adobe flash_player 11.2.202.356 |
| adobe flash_player 11.2.202.359 |
| adobe flash_player |
| adobe adobe air 13.0.0.83 |
| adobe adobe air 13.0.0.111 |
| adobe adobe air |
| adobe adobe air sdk 13.0.0.83 |
| adobe adobe air sdk 13.0.0.111 |
| adobe adobe air sdk |
| adobe flash_player 13.0.0.182 |
| adobe flash_player 13.0.0.201 |
| adobe flash_player 13.0.0.206 |
| adobe flash_player 13.0.0.214 |
| adobe flash_player 14.0.0.125 |
A website that serves a JSONP endpoint accepting a custom alphanumeric callback of 1200 characters can be abused to serve an encoded SWF payload that steals the contents of a same-domain URL. Flash < 14.0.0.145 is required. This module spins up a web server that, upon navigation from a user, attempts to abuse the specified JSONP endpoint URLs by stealing the response from GET requests to STEAL_URLS.

```
msf > use auxiliary/gather/flash_rosetta_jsonp_url_disclosure
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show actions
...actions...
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > set ACTION <action-name>
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show options
...show and set options...
msf auxiliary(flash_rosetta_jsonp_url_disclosure) > run
```
A tool for manipulating SWF files, leveraging zlib to craft valid SWF files made up only of alphanumeric characters, in order to allow CSRF with a same-origin policy (SOP) bypass through JSONP abuse.

This issue is known as Rosetta Flash (CVE-2014-4671).