Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Flash Local-with-filesystem Sandbox Bypass InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Flash Local-with-filesystem Sandbox Bypass

Published: 2011-01-06
Last Updated: 2011-01-06 04:52:41 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Flash is designed around the "sandbox" concept to only allow access to specific local files, in particular of course flash cookie files. All other local files are off limits to Flash, to prevent malicious Flash applets from exfiltrating information.

Billy Rios, a researcher with some history when it comes to Flash, was able to show how to not only bypass this restriction and allow flash to access local files.

The local file access is amazingly simple: Adobe does allow access to remote files, via the "getURL" function. As pointed out by Billy, the easiest version of this attack would just use "file://" and point to the local system. However, Adobe blacklists certain protocol handlers, so Billy had to find one that was not blacklisted and would provided the access needed. One he found is the "mhtml" handler, which works on modern Windows systems, and is not blacklisted. The user will not be prompted for permission in this case.

http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe flash
2 comment(s)
Diary Archives