Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Exploiting XXE vulnerabilities in AMF libraries

From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Mon, 11 Jan 2016 14:08:14 +0100
Hello,

AMF (aka "Action Message Format") is a binary format used by Flash
applications communicating with server-side components. A few data types
supported by AMF deal with XML content (for example the "XML Document"
type in AMF0).

In 2015, several AMF libraries (including BlazeDS and PyAMF) were
identified as vulnerable to XXE (aka "XML External Entity") and SSRF
(aka "Server Side Forgery") attacks. I wrote a blog-post detailing:
- server-side exploitation of the PyAMF vulnerability
- server-side exploitation of the BlazeDS vulnerability
- client-side exploitation of the BlazeDS vulnerability

The article also includes a basic AMF client (in Python) used to exploit
these vulnerabilities (or interact with AMF gateways at large).

Link:
http://www.agarri.fr/kom/archives/2015/12/17/amf_parsing_and_xxe/index.html

Cheers,
Nicolas Grégoire

Attachment: signature.asc
Description: This is a digitally signed message part


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: