SANS ISC InfoSec Forums: Flash Local-with-filesystem Sandbox Bypass
Flash Local-with-filesystem Sandbox Bypass

Flash is designed around the "sandbox" concept to only allow access to specific local files, in particular of course flash cookie files. All other local files are off limits to Flash, to prevent malicious Flash applets from exfiltrating information.

Billy Rios, a researcher with some history when it comes to Flash, was able to show how to bypass this restriction and allow Flash to access local files.

The local file access is amazingly simple: Adobe does allow access to remote files, via the "getURL" function. As pointed out by Billy, the easiest version of this attack would just use "file://" and point to the local system. However, Adobe blocklists certain protocol handlers, so Billy had to find one that was not blocklisted and would provide the access needed. One he found is the "mhtml" handler, which works on modern Windows systems, and is not blocklisted. The user will not be prompted for permission in this case.

http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

ISC Handler
Jan 6th 2011
I can't resist pointing out that a sandbox should use _whitelists_ that list _acceptable_ protocols, not blacklists that doom you to playing whack-a-mole with exploits...

mhtml?
#insert obSuperciliousLinuxUserComment
John Hardin

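The allowlist-versus-blocklist point in the comment above, applied to the getURL handler check described in the post, as an added example in Python (not code from the ISC post or from Billy Rios's write-up): a blocklist that names "file" still passes an unlisted scheme such as "mhtml", while an allowlist rejects anything it was not told about. The contents of both policy sets and the sample URLs are constructed assumptions; the page does not give Adobe's actual blocklist.

```python
import re
from typing import Optional

# Scheme syntax from RFC 3986 section 3.1:
#   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed policies. The post implies "file" was blocklisted and "mhtml"
# was not; the rest of Adobe's real list is not on the page, so these are
# assumptions chosen only to show the difference between the two designs.
BLOCKLIST = {"file"}
ALLOWLIST = {"http", "https"}

# What the WHATWG URL parser trims from both ends (C0 controls and space) and
# removes anywhere (tab, CR, LF) before it reads the scheme.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))
_INNER_JUNK = str.maketrans("", "", "\t\r\n")


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme of url, or None if it has none.

    Canonicalising first matters: ' FILE://' or 'fi\\tle://' are dispatched
    as file://, so a policy that compared the raw string would judge the
    wrong scheme.
    """
    cleaned = url.strip(_EDGE_JUNK).translate(_INNER_JUNK)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def blocklist_permits(url: str) -> bool:
    """Blocklist policy: anything not explicitly banned is handed to the OS."""
    return extract_scheme(url) not in BLOCKLIST


def allowlist_permits(url: str) -> bool:
    """Allowlist policy: only schemes explicitly approved are dispatched."""
    scheme = extract_scheme(url)
    return scheme is not None and scheme in ALLOWLIST


if __name__ == "__main__":
    # Constructed sample URLs; only the scheme matters for this check.
    samples = [
        "http://xs-sniper.com/blog/",   # the write-up linked in the post
        "file:///etc/passwd",
        " FILE:///etc/passwd",          # leading space, upper-case scheme
        "mhtml:example-resource",       # handler the blocklist never named
        "/relative/path.sol",           # no scheme at all
    ]
    for url in samples:
        print(f"{url!r:32} scheme={extract_scheme(url)!s:7} "
              f"blocklist={blocklist_permits(url)!s:5} allowlist={allowlist_permits(url)}")
```

The mhtml row is the whack-a-mole case: the blocklist passes it because nobody listed it, and the allowlist refuses it for exactly the same reason.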
I just read the linked story, and either I'm misunderstanding, or the writeup here seems to have the rights granted to the SWF in the PoC reversed.

There, it sounds more like the exploit prerequisite is having been granted local filesystem rights. The actual exploit isn't getting at those files, it's getting the data out. Flash is supposed to deny the SWF network access, preventing the SWF from sending what it finds on the local filesystem out. The exploit is using a non-blacklisted protocol handler to gain network access anyhow, thus allowing the SWF to send the contents of the local filesystem to a remote server.

Apologies if I misunderstand.
John Hardin
