All right, I'd like to get started. My name is John Rose. I work for Trustwave in SpiderLabs, which is their division that does pen testing, code review, network pen testing, forensics, and things like that. So basically what this talk is about is a tool that I wrote for an assessment I was doing for Flex servers. So the tool is called DeBlaze, mainly because when I first wrote it, it was working on BlazeDS servers. And so I'll tell you guys a little bit about that and basically how it works. So I wrote a quick little demo app to show you guys how this stuff works. So it's just your standard SWF file. This application is supposed to represent a banking application. And you can log in and get your banking information and make funds transfers and log out. That's pretty much all it does at this point. It's not a whole lot. So what happens is with this application, you have the SWF file, which is running on the client side, and it's making remoting calls to the server side, which is all Java, or it can be Python or a couple different backends. When this application communicates to the server, it goes through an HTTP POST, and in the body of that POST is AMF, which is the format, action message script. So it's a serialized version of that. I was doing an assessment of an application similar to this one, and I realized that it was very difficult to actually invoke those remoting methods with any of the tools that were out there. There basically wasn't anything that did it. So what I did is I leveraged a library called PyAMF, which basically is a Python library for doing AMF communication, and I wrote just a generic client that would work on any Flex server. So it was really interesting as I started looking more and more into this and seeing what you could access on these servers, and it seemed like nobody really implemented a lot of access controls on the remoting methods.
Either the developers felt like you couldn't find it, or it was just difficult to call, or something like that. So I'll give you a quick example of this tool I wrote. It's called DeBlaze. It's got a couple different methods for querying a Flex server. Basically, this may be somewhat difficult to see. It's kind of bright up here, but I walked through the different options. So one of the first options is to brute force different methods and services. The way that you communicate with a Flex server is there's first the Flex gateway, so that's in the URL. There'll be this gateway URI that you actually communicate with, and then you talk to a specific service. That service is gonna map to a class file, and then you have the actual method that you're gonna call. So the three things you need are the gateway, the service, and then the method to actually invoke any of the functionality on a Flex server. So what I did is I came up with a couple different ways, when you were analyzing a Flex server for security, to figure out these things. So the first way is to just brute force them. You can figure out the gateway a couple different ways. Once you have the gateway, then you can brute force the service name and then the method name. Different types of Flex servers respond differently to the request that you make. So you can actually, a lot of them are not case sensitive, so you can brute force method names and service names, and it doesn't matter, uppercase, lowercase, you'll still get the same response. And so BlazeDS, from what I've seen, is case sensitive, but none of the other Flex servers are. And then once you've figured out the service and the method, then you can figure out the parameters that those methods take. Now each method will give you an error message based on the parameters that you supply, saying you only supplied zero parameters, this method takes two parameters. So it's easy to automate this and figure out exactly what it takes; the server tells you.
And then it'll also say you supplied an int, this service takes a string. So there's a lot of information that comes back when you're invoking these services. So to give you a quick example of how this works, I've got a couple of demos; hopefully you guys can see it and it's not too hard. Can you guys see that? Is that okay? I built a website that shows basically all these examples. I feel like it's a pretty good walkthrough, so if you are ever doing an assessment of a Flex application, you should be able to go through the walkthroughs and get enough information to use the tool. So hopefully that'll work for you. All right, so my first example here, basically calling DeBlaze, which is the tool, supplying the URL to the gateway that's up here, and then also I'm supplying the dash one parameter, which means brute force the service, and then also I'm supplying a test method. And I'm just grepping through the results; otherwise it'll just spit out what's there or what's not there. And so it just brute forces the different services based on whatever lists you have of service names. And so if you can see here, these two that came out, they're a little bit longer; it says this method test was not found on the service balance. So now I know that that service name balance is valid, but it doesn't have a method called test. So then next, once you figure out that service, you can go back and then, based on that service, you can brute force the method. And it's pretty much the same thing. And then if you can see this thing right here, we actually made a valid request to the balance service and the method was getBalance, which we brute forced as well, and so we know that's valid; it gives me an empty array collection. So that means the result doesn't have any information. So it means it's a valid request, you just didn't get any information back for it.
So one of the things I wanted to do is, once you've figured out you have a valid service, you have a valid method, you wanna go through and you wanna try different parameters to try to fuzz that and see what responses you can get. So in this example, I'm just going through and fuzzing these different parameters for that same method. And if you see some of these responses, it's gonna say, let's see, cannot convert type java.lang.String to value, whatever the fuzz value is, it's all these different values, to instance of int. So it's providing a lot of information. I've seen this on all the different implementations of Flex servers, whether it's Python or AMFPHP or BlazeDS or LiveCycle Data Services. So all of them provide a lot of information back. So here's an example of a valid call. Basically the parameter that I'm supplying here is the account number for getBalance, and it returns back my account balance information from that banking app. One of the things that I noticed a lot was applications, they try to put some of the security controls in the client side, it's the same old problem, but they don't enforce it on the server side. So I've seen Flex apps where you can just reset users' passwords like this, I mean, you're just arbitrarily grabbing accounts and things like that. So another thing you can do is I created just a little bash script. You can just loop through these different account balances, potential accounts, so you go through, like just brute force them. And so this is gonna return all this information. And it depends what your services are and things like that. So another thing that I did besides manually calling these, one of the ways that I figured out how to determine whether there were valid services and methods and stuff like that is I use this swfdump tool. And so what swfdump is gonna do is it's going to take your SWF file and basically convert it back into a more human-readable form, like byte code.
And so what you can do is you can grab a SWF file, convert it back to that byte code, and then grep through that for the remoting methods and other things that'll give you more information on the remoting stuff. So in this example, and I've seen this on every version of SWF that was built with Flex Builder. So it really depends on how you build it, but the ones that I've seen have all been like this. And basically what this does is I'm grepping through, I'm converting it back into the byte code, I'm grepping through for a specific service tag, which is embedded in a variable in the SWF which tells you where the gateway is and what the services are. So on here, you can look through this; it's actually an XML file that it comes back as, and it gives you the information, right? So instead of having to actually parse through all that stuff, I've kind of filled out the tool so it actually automatically does that for you. Just kind of nice. So here's another example where I search for the remoting methods. So actually after you query and figure out all the gateways from the SWF, you can find the methods too. So here they are, there's our balance, trans, and login, right? Now this isn't always the case depending on how the SWF is written. So you may have to search for different things, but it definitely helps out in finding these things. So another thing I guess I should say is that if you are using this tool to grep through and find the methods in an SWF, that might not be all the methods available on that Flex server. So you still probably wanna brute force some things too, because maybe there's different SWFs for, like, an admin or a normal user, and all those methods and remoting stuff is exposed but you don't actually see it in the SWF. So the next way that you can do it is there's this fully automated mode that I created that basically is gonna download the SWF, grep through, pull out all the things for it, all the remoting methods, the gateways, the endpoints.
It's gonna go through all the services and the methods. It's gonna figure out the proper number of parameters. Then it's going to do some basic fuzzing of those parameters and generate a report for you. I mean, this isn't gonna auto-own anything for you, but it definitely gets you a lot closer, because those methods, once you can access them, potentially privilege escalation, if it's admin-related functionality, a lot of times there's information that leaks out, SQL injection, all your standard web app stuff. So this is the report that it generates. And the first page here has just the SWF analysis. So this is running swfdump, basically the things that I pull out. So this is your gateways, your services, and your methods. Once you have that, it's basically all you really need to manually call all those things and start doing it yourself if you want. Then I also have the methods that came back with a valid or seemingly valid response. And so you can see here it's got the URL, and that's your gateway. And then the service, which is login for this example, and the method is checkCreds. This was all pulled out of that SWF. It takes two parameters; the ones we supplied during the fuzzing were just zero, zero. And then the result was invalid username and password. So there's the login. And I think that's the only one that comes up here. And then you look at the errors and you'll see that we found this transfer method, the transfer service with the makeTrans method, and it takes four parameters. But none of these actually worked correctly. And so you see here we get the wrong data type, which we saw earlier when I ran it manually. And then if you keep looking down through all these logs, it gives you a lot of information. So like for this example it's got, it gives you the whole SQL query and other stuff about what, it's just a stack trace basically. And then also, I also show any of the empty results.
So that's basically where you query a method with what appears to be the right parameters, but you don't get any response back. So for this example I have the balance and then the getBalance method, but with one parameter of just zero, and I get an empty array collection back. So I didn't get anything. So if you remember earlier, I threw in the proper numbers for the account number and I got the results back. So another way that you can figure out what the methods are that are being called, if you don't wanna decompile the SWF file or whatever, is you can just use, like, Wireshark to grab the data. I don't think Wireshark has an AMF decoder yet, but you can still kind of pull it out and just see it in the actual body of that POST. So it's not that hard. Also Charles Proxy will pull out some of that information, although it doesn't pull out all of that information. It's kind of interesting, when I was going through the different decompilers to figure out some of the information about what the services and methods are. When you look at, I was using HP SWFScan, which came out fairly recently; that doesn't actually decompile all of the code for you. When you export that code, it's missing a lot of stuff like the services and stuff like that. So, and I was using Sothink, but that's commercial, so it's not an ideal solution in my mind. And then swfdump is open source, and it gets you enough there to actually manually review the output and figure out what's going on. So that's pretty much it for this tool. Like I said, there's three ways to figure out what the methods and services and gateways are: looking through the SWF, grepping through that, reverse engineering that; just brute forcing them; and then sniffing the network traffic. So I've talked to a couple of people over the last week or two who have had projects where they'd had to do an assessment of Flex servers, and they said it's been really useful because there's no real tool for it.
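The two server-side weaknesses the talk keeps returning to are that remoting methods answer any caller who knows the service and method name, and that the gateway's error responses spell out the parameter count, the expected types and even backend exceptions. The following is an added example written for this page, not code from the talk, from DeBlaze or from any Flex server: a small Python model of a remoting dispatcher, first in the permissive shape described above, then hardened so that authorization is decided from the server-side session and an allow-list, while every failure path returns one generic message and the detail goes to the server log. The service class, account data and error strings are constructed for the example.

```python
"""Toy remoting gateway dispatcher: the permissive shape the talk describes
beside a hardened shape. Added example; the service, account data and error
strings are constructed and are not BlazeDS or DeBlaze code."""
import inspect
import logging
from dataclasses import dataclass, field
from typing import Optional, Set

log = logging.getLogger("gateway")

# Constructed sample backend data standing in for the banking database.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 130.75},
}


@dataclass
class Session:
    """Server-side session state; user is None when unauthenticated."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


def _type_mismatch(param, arg) -> bool:
    """True when the parameter has a class annotation the argument violates."""
    ann = param.annotation
    return (ann is not inspect.Parameter.empty and isinstance(ann, type)
            and not isinstance(arg, ann))


class BalanceService:
    """Destination as the talk describes it: trusts the client-supplied
    account number and has no notion of who is asking."""

    def getBalance(self, account_number: str) -> float:
        return ACCOUNTS[account_number]["balance"]


def insecure_invoke(service_obj, method: str, args: list) -> dict:
    """Dispatch the way the talk's targets did: every public method is
    reachable, and each failure tells the caller exactly what went wrong."""
    fn = getattr(service_obj, method, None)
    if fn is None:
        return {"status": "error",
                "message": f"Method '{method}' not found on service"}
    params = list(inspect.signature(fn).parameters.values())
    if len(args) != len(params):
        return {"status": "error",
                "message": f"Method '{method}' expects {len(params)} "
                           f"parameter(s), {len(args)} supplied"}
    for param, arg in zip(params, args):
        if _type_mismatch(param, arg):
            return {"status": "error",
                    "message": f"Cannot convert {type(arg).__name__} "
                               f"to {param.annotation.__name__}"}
    try:
        return {"status": "ok", "result": fn(*args)}
    except Exception as exc:  # echoes backend detail straight to the caller
        return {"status": "error", "message": f"{type(exc).__name__}: {exc}"}


# --- hardened shape ---------------------------------------------------------

GENERIC_ERROR = {"status": "error", "message": "Request could not be processed"}

# Explicit allow-list: only (service, method) pairs registered here are
# reachable through the gateway, each with the role the caller must hold.
REMOTING_ACL = {("balance", "getBalance"): "customer"}


class HardenedBalanceService:
    """Same business method, but ownership is decided from the server-side
    session rather than from the account number the client sent."""

    def getBalance(self, session: Session, account_number: str) -> float:
        acct = ACCOUNTS.get(account_number)
        if acct is None or acct["owner"] != session.user:
            raise PermissionError("account not owned by caller")
        return acct["balance"]


def hardened_invoke(session: Session, service_name: str, service_obj,
                    method: str, args: list) -> dict:
    """Authenticate, authorize against the allow-list, then invoke. Every
    failure returns the same generic message; detail goes to the server log,
    so the response no longer works as an enumeration oracle."""
    required_role = REMOTING_ACL.get((service_name, method))
    if (session.user is None or required_role is None
            or required_role not in session.roles):
        log.warning("denied service=%s method=%s user=%s",
                    service_name, method, session.user)
        return dict(GENERIC_ERROR)
    fn = getattr(service_obj, method)
    params = list(inspect.signature(fn).parameters.values())[1:]  # skip session
    if len(args) != len(params) or any(
            _type_mismatch(p, a) for p, a in zip(params, args)):
        log.warning("bad arguments service=%s method=%s user=%s",
                    service_name, method, session.user)
        return dict(GENERIC_ERROR)
    try:
        return {"status": "ok", "result": fn(session, *args)}
    except Exception as exc:
        log.warning("failure service=%s method=%s user=%s err=%r",
                    service_name, method, session.user, exc)
        return dict(GENERIC_ERROR)


if __name__ == "__main__":
    svc, hsvc = BalanceService(), HardenedBalanceService()
    alice = Session("alice", {"customer"})
    print(insecure_invoke(svc, "getBalance", []))        # leaks the arity
    print(insecure_invoke(svc, "getBalance", ["1002"]))  # anyone reads bob
    print(hardened_invoke(alice, "balance", hsvc, "getBalance", ["1002"]))
    print(hardened_invoke(alice, "balance", hsvc, "getBalance", ["1001"]))
```

The point of routing every failure through `GENERIC_ERROR` is that an unknown method, a wrong parameter count, a type mismatch and a denied account all look identical from the client, so the count-and-type probing the talk automates gets no signal back; the distinctions still exist, but only in the server log, where a defender can act on them.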
So in the future, I hope to make it a little bit easier. I'm not a huge Python fan, so I don't know how much more coding I'm gonna do on it. I was thinking about porting it to Java, but it definitely does what it does for a quick and dirty hack tool and doing pen testing as a profession right now. I've definitely broken into a lot of servers with this. So it does the trick for me. I guess as far as talking about how to fix this stuff, it's kind of like anything else with the web app security stuff: you gotta put access controls on those methods, make sure that there's authorization. It depends on what language you're writing in and the backend and things like that, but it's not that hard. And a lot of times I think when people use Flex Builder or other things to build the GUI, they don't think about the backend or they don't really see that part. They think it's automatically taken care of, or you have separate groups writing the backend and some people writing the front end, or in the front end they forget about the security controls, or they think they can implement it there and they don't need it on the server side. So I don't know, I've had a lot of success with it, and it's worked out pretty good for me. So, and hopefully, if you guys do any testing, things like that, you can try it out. So if you guys have any questions?

I don't know if I have tried it on LiveCycle Data Services 3. I have tried it on LiveCycle Data Services, but I don't know what version it was, because I didn't actually have access to the server.

Do you know if there's any changes between the last version and three that would affect this tool?

I don't think so, honestly, because I think it's more of an application-code-specific thing than really the server. Although some of the error messages that come back are definitely generated by the server. So maybe if those got cleaned up, but I would be surprised, to tell you the truth.
On AIR, if an AIR app is doing Flex remoting to a server, it would, because it's not really focused on the client side, it's focused on the server side. So if you had an AIR application that did Flex remoting with AMF, then yes, it would work. I haven't tried swfdump on an AIR file yet, but I feel like it would probably work, but I'm not positive.

You have a question over here? Right, right. So the question is, if you pull out the methods from the SWF, what if there's additional methods that are not in the SWF? How do you find those? The way I've gone about finding those is just brute forcing them. I don't know. Maybe you could find another SWF file that had that information and then do that. But basically brute force, you just guess; that's what I do. I've been pretty successful. I mean, I have a small word list that I have with the tool, basically with a bunch of common getters and setters and common functions, and it's pretty successful. I mean, I think honestly you could put the biggest word list you want on it and just let it run. I don't think anyone would notice it on their server. Yes, I have a list that you can take to either brute force services or the methods. Yep.

Yes, question back here. If you, okay, the question is, if you prefix your methods with certain characters, would it make it more difficult or impossible to brute force? I guess it just matters if those characters are in your brute force list, right? I mean, it's obfuscation. It's a matter of how big your dictionary is, right? So.

All right, well, thank you. I'm out of time here, but I'll be around if anyone has any questions. Thank you very much.
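The speaker's remark that nobody would notice a large word list running against a gateway describes a detection gap rather than an inherent property of the traffic: the brute-force step produces, from one client, a burst of "service not found", "method not found" and wrong-parameter responses across many distinct service/method pairs, which legitimate clients almost never do. The following is an added example, not part of the talk or of DeBlaze: a Python detector that parses gateway log lines and flags a client that triggers such responses for many distinct pairs within a sliding time window. The log line format, the status names and the sample entries are all constructed for this example; a real deployment would map the gateway's own access or fault log into `parse_line`.

```python
"""Detector for remoting service/method enumeration in gateway logs.
Added example; the log line format and the sample entries are constructed
and do not come from BlazeDS, DeBlaze or the talk."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Hypothetical gateway log format, one remoting request per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) client=(?P<client>\S+) "
    r"service=(?P<service>\S+) method=(?P<method>\S+) status=(?P<status>\S+)$")

# Outcomes a gateway emits while a caller is guessing names and arities.
ENUMERATION_STATUSES = {"service_not_found", "method_not_found",
                        "bad_param_count", "type_mismatch"}

# Constructed sample: 203.0.113.5 walks a word list of services and methods;
# 198.51.100.7 is a legitimate client that makes one typo.
SAMPLE_LOG = """\
2009-07-25T10:00:01Z client=203.0.113.5 service=account method=test status=service_not_found
2009-07-25T10:00:02Z client=203.0.113.5 service=user method=test status=service_not_found
2009-07-25T10:00:03Z client=198.51.100.7 service=balance method=getBalance status=ok
2009-07-25T10:00:03Z client=203.0.113.5 service=admin method=test status=service_not_found
2009-07-25T10:00:04Z client=203.0.113.5 service=customer method=test status=service_not_found
2009-07-25T10:00:05Z client=203.0.113.5 service=balance method=test status=method_not_found
2009-07-25T10:00:06Z client=203.0.113.5 service=balance method=get status=method_not_found
2009-07-25T10:00:07Z client=203.0.113.5 service=balance method=getAccount status=method_not_found
2009-07-25T10:00:08Z client=203.0.113.5 service=balance method=getBalance status=bad_param_count
2009-07-25T10:00:09Z client=203.0.113.5 service=balance method=getBalance status=type_mismatch
2009-07-25T10:00:10Z client=203.0.113.5 service=login method=test status=method_not_found
2009-07-25T10:00:11Z client=203.0.113.5 service=login method=checkCreds status=bad_param_count
2009-07-25T10:00:12Z client=203.0.113.5 service=trans method=test status=method_not_found
2009-07-25T10:00:15Z client=198.51.100.7 service=balance method=getBalanec status=method_not_found
2009-07-25T10:00:20Z client=198.51.100.7 service=trans method=makeTrans status=ok
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict with a datetime 'ts', or None if the
    line is not in the expected format (malformed lines are skipped)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_enumeration(lines: Iterable[str],
                     window: timedelta = timedelta(seconds=60),
                     threshold: int = 8) -> Dict[str, int]:
    """Return {client: peak} for every client whose enumeration-type failures
    covered at least `threshold` distinct (service, method) pairs inside any
    `window`-long span. Events are sorted per client, so out-of-order log
    lines are handled; the same pair probed twice counts once."""
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] in ENUMERATION_STATUSES:
            per_client[ev["client"]].append((ev["ts"], (ev["service"], ev["method"])))

    flagged: Dict[str, int] = {}
    for client, events in per_client.items():
        events.sort()
        recent = deque()   # events inside the current window
        peak = 0
        for ts, pair in events:
            recent.append((ts, pair))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({p for _, p in recent}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible remoting enumeration from {client}: "
              f"{peak} distinct service/method probes in one window")
```

Counting distinct pairs rather than raw failures is what keeps the typo-prone legitimate client below the threshold while the word-list run stands out; the threshold and window are tuning knobs, and repeated probes of one method with different argument shapes (the fuzzing step) collapse to a single pair, so a separate per-pair counter is the natural extension if that phase also needs an alert.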