Kingdom: API Abuse
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Dangerous Function: ASNative
Abstract
Using the ASNative undocumented function enables an attacker to inject malicious functionality into the application.
Explanation
Use of ASNative function was detected. ASNative is an undocumented function reference list. Developers can use the list to call Flash system functions by using indices into the list. For example, the trace() function can also be referenced as ASNative(100, 4). Because the use of ASNative allows a developer to hide the intended function name, this could indicate malicious intent. Support for ASNative is discontinued for Flash Player versions 7 and later. Malware developers can use the ASNative function to hide malicious content from auditors. This might indicate malicious activity being performed by the Flash application.
Example 1:
ASNative(100, 4)("Hi"); //is equivalent to trace("Hi");
Example 1:
ASNative(100, 4)("Hi"); //is equivalent to trace("Hi");
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 676
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[6] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
desc.dynamic.actionscript.dangerous_function_asnative