Round-robin DNS load balancing + Flash Player = Security violation?

Hi everybody,

I have a Flash application that loads data (external images, SWFs, XMLs) from the same domain. And it was fine until the client decided to add load balancers for the server. Now we have a number of complaints from users about security errors. It looks like the application can’t load external resources, treating them as resources from a different domain without crossdomain.xml.
One of the users who has this problem provided us with the following info:

Browser: IE 8.0
OS: Windows 7
Flash Player version: 10.1.102.64

I have spoken with the server administrator and he told me that we have load balancers that work like Round-robin DNS.

In its simplest implementation Round-robin DNS works by responding to DNS requests not only with a single IP address, but a list of IP addresses of several servers that host identical services. The order in which IP addresses from the list are returned is the basis for the term round robin. With each DNS response, the IP address sequence in the list is permuted. Usually, basic IP clients attempt connections with the first address returned from a DNS query so that on different connection attempts clients would receive service from different providers, thus distributing the overall load among servers.
So I thought that the problem occurs as a result of the following sequence:

1. While the application is loading, its SWF is obtained from http://domain.com, which is resolved by the load balancer to IP1.
2. Then, during loading of external data (data.xml, for example), the load balancer changes the domain mapping to IP2.
3. Flash Player thinks: “OK, so I have a SWF loaded from IP1 that wants to load data from IP2. It’s a different domain (?). Well, I will let it load the data in case there is a crossdomain.xml on the target domain.”
4. Then Flash Player requests crossdomain.xml, but from the target domain, not the target IP2.
5. The load balancer changes the domain mapping once again and Flash Player loads crossdomain.xml from IP1.
6. Finally we have: SWF loaded from IP1, data requested from IP2, crossdomain.xml loaded from IP1. All of them can be accessed through the same domain, but have different IPs.
7. Because of the IP difference, Flash Player ignores crossdomain.xml and triggers a security error.

I’m not sure it happens exactly like that, since for older versions of Flash Player I have found the following words:

The basis of domain comparison is the domain name, not IP address.
So I’m not sure about 3.
Also I have spent some time to dig into Policy file changes in Flash Player 9 and Flash Player 10 and found some words regarding DNS:

A class of cross-site scripting attacks known as DNS rebinding can target Flash Player, as well as browsers, virtual machines, and other user-agent programs. A DNS rebinding attack exploits a user-agent’s same-origin policy, in which content from a given Internet domain is permitted to load and communicate with other resources in its own domain without explicit permission. An attacker who controls their own domain, and runs their own DNS server, can dynamically reconfigure their DNS server so that a given domain name resolves first to an IP address under the attacker’s control (which may be used to serve a malicious SWF file or other content), then later to a different IP address that the attacker does not control. If the user-agent program does not detect the change in IP addresses, its same-origin policy will permit the attacker’s content to access the second IP address without permission from the second host. Flash Player relies on browsers to provide HTTP networking, so any rebinding vulnerabilities that involve only HTTP must be solved in browsers.
So, I have two questions after all of that:

1. Can someone tell me how exactly domain comparison for HTTP connections works in the latest versions of Flash Player? Can two resources obtained from an address with the same domain name but from different IPs be treated as obtained from different domains?
2. Maybe someone has info about DNS rebinding in different browsers?
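
The sequence hypothesised in the post can be modelled offline to see what a client observes on each load. This is an added example, not part of the original post and not Flash Player's or any browser's code; `RoundRobinResolver`, `originOf`, `traceLoads`, the file name `app.swf` and the 192.0.2.x addresses are constructed for illustration.

```javascript
// Constructed model: round-robin DNS answers and two signals a client could compare.
// Addresses are RFC 5737 documentation IPs, not values from the post.
class RoundRobinResolver {
  constructor(records) { this.records = records; } // { host: [ip, ...] }
  resolve(host) {
    const list = this.records[host];
    if (!list) throw new Error(`NXDOMAIN: ${host}`);
    const answer = [...list];
    list.push(list.shift()); // rotate so the next answer starts with the next address
    return answer;
  }
}

// Name-based origin: scheme + host + port. The IP address plays no part.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Resolve each URL in turn. The first URL stands for the loading SWF.
// `pinned` remembers the first IP seen per host, as a DNS-pinning client would.
function traceLoads(resolver, urls) {
  const pinned = new Map();
  const swfOrigin = originOf(urls[0]);
  return urls.map((url) => {
    const host = new URL(url).hostname.toLowerCase();
    const ip = resolver.resolve(host)[0]; // basic clients use the first address
    if (!pinned.has(host)) pinned.set(host, ip);
    return {
      url,
      ip,
      sameOriginByName: originOf(url) === swfOrigin,
      ipChanged: ip !== pinned.get(host),
    };
  });
}

function demo() {
  const resolver = new RoundRobinResolver({ 'domain.com': ['192.0.2.1', '192.0.2.2'] });
  return traceLoads(resolver, [
    'http://domain.com/app.swf',
    'http://domain.com/data.xml',
    'http://domain.com/crossdomain.xml',
  ]);
}

console.table(demo());
```

A row where `sameOriginByName` is true and `ipChanged` is also true is what both round-robin balancing and a rebinding attempt look like from the client side, so the IP change alone does not tell them apart.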