2 0 1 6 9 on 1 3 April, Adobe closed the local file system sandbox sandbox.
Local file system sandbox in existence for twenty years after, finally be Adobe is closed, so that almost all of the use of this function in the Flash file needs to be updated.
We will specifically explain this change in the end why so important, why for Adobe to say this is a huge leap. But before that, or the need to explain to the local file system Sandbox is, and what the modern web browser is how to handle the local file.
What is the local file system Sandbox is? Why is it worth attention?
If you prefer to use ActionScript programming, but not a developer, then you should have heard about the Adobe Flash security sandbox.
Simple to say, the security sandbox control. SWF can be loaded which external resources. The most famous one is the“remote security sandbox”, whose task is to determine a remote host on a Flash file can load what file: each time through the HTTP to load a SWF when the will through which to operate. On the contrary, if in the file:// URI is loaded on a flash file, the SWF file will be stored in the following security sandbox: a local file system sandbox, a local network, The Sandbox, the local trusted sandbox, or AIR application sandbox.
The local network Sandbox is the most common, is also the default setting in the sandbox: it is prohibited the FLASH file is loaded on the local file system resources.
This approach ensures that the local file is not affected by the remote host of security threats, which can prevent some malicious attacker stealing user's private files, passwords or credit card information, etc.
For security reasons, the FLASH player will be all local SWF files are by default stored in a local file system sandbox. SWF can use this sandbox to read the local file, but not in any way connected to the network, which can ensure that user information is not improperly leaked.-- adobe.com
Theory-why this security means whatever?
Theoretically, the security model is easy to use. However, in actual operation it is difficult to correctly achieve the desired effect. This is what Adobe choose to turn off the sandbox reason.
In summary, when we use the URI scheme file:
The FLASH can be connected to the local file system
We will discuss 3 interrelated different events that are all about from a local file system to extract data. The first two use a web browser to RFC 3 9 8 6 to the navigateToURL() passing a malicious command, and from the local file to extract the data. The last one is designed to the Google Chrome running, but it is Clickjacking such antiquated means utilized to leaked data.
The actual operation--why not?
A navigateToURL()--by URI percent encoding to bypass the local sandbox not the letter index to achieve 1 0 0% of
RFC 3 9 8 6, 2.1 after this URI:
Also may be such that:
I created a PoC vulnerability, both HTML files, but also SWF files.
In VIM looks it seems good:
The specific code can be downloaded here: the
The following is a remission Before of the live show:
The following is a relieve after the live show:
B)The navigateToURL() — — abuse of white spaces to bypass the local sandbox
Similar to the above example, the windows local URI has a little known feature is navigateToURL()ignored. This URI