Flash Broker-Based Sandbox Escape via Forward Slash Instead of Backslash

2015-08-19T00:00:00
ID EDB-ID:37840
Type exploitdb
Reporter KeenTeam
Modified 2015-08-19T00:00:00

Description

Flash Broker-Based Sandbox Escape via Forward Slash Instead of Backslash. CVE-2015-3082. Remote exploit for windows platform

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37840.zip