CVE-2 0 1 6-4 2 7 1:Flash local file system sandbox bypass-vulnerability warning-the black bar safety net

2016-10-06T00:00:00
ID MYHACK58:62201679850
Type myhack58
Reporter 佚名
Modified 2016-10-06T00:00:00

Description

2 0 1 6 9 on 1 3 April, Adobe closed the local file system sandbox sandbox.

Local file system sandbox in existence for twenty years after, finally be Adobe is closed, so that almost all of the use of this function in the Flash file needs to be updated.

We will specifically explain this change in the end why so important, why for Adobe to say this is a huge leap. But before that, or the need to explain to the local file system Sandbox is, and what the modern web browser is how to handle the local file.

What is the local file system Sandbox is? Why is it worth attention?


If you prefer to use ActionScript programming, but not a developer, then you should have heard about the Adobe Flash security sandbox.

Simple to say, the security sandbox control. SWF can be loaded which external resources. The most famous one is the“remote security sandbox”, whose task is to determine a remote host on a Flash file can load what file: each time through the HTTP to load a SWF when the will through which to operate. On the contrary, if in the file:// URI is loaded on a flash file, the SWF file will be stored in the following security sandbox: a local file system sandbox, a local network, The Sandbox, the local trusted sandbox, or AIR application sandbox.

The local network Sandbox is the most common, is also the default setting in the sandbox: it is prohibited the FLASH file is loaded on the local file system resources.

This approach ensures that the local file is not affected by the remote host of security threats, which can prevent some malicious attacker stealing user's private files, passwords or credit card information, etc.

Similarly, the local file system sandbox(compile ActionScript code can be selected when the purpose is to allow a remote host from a local file, but the design principle is the opposite: the SWF can access the local file system on each file, but it cannot access the remote network. It is worth noting that this function is not in Javascript enabled--because the Javascript will be in this similar sandbox“stuck”on.

For security reasons, the FLASH player will be all local SWF files are by default stored in a local file system sandbox. SWF can use this sandbox to read the local file, but not in any way connected to the network, which can ensure that user information is not improperly leaked.-- adobe.com

Theory-why this security means whatever?


Theoretically, the security model is easy to use. However, in actual operation it is difficult to correctly achieve the desired effect. This is what Adobe choose to turn off the sandbox reason.

As previously mentioned, the local file system sandbox of the SWF in either case are not connected to the network. In an HTML document, SWF is a variety of non-compliance with the principles of the technology of the surround: this is similar to Javascript. Herein is the report of every vulnerability behind the real reasons are unable to ensure with remote network communication technology can not read the FLASH file.

In summary, when we use the URI scheme file:

The FLASH can be connected to the local file system

Javascript can send data to a remote host

Obviously, the attacker and the user's local file between the only obstacle is that the Javascript cannot read FLASH. FLASH will try to stop every possible leak of information to the Javascript function, but it failed.

We will discuss 3 interrelated different events that are all about from a local file system to extract data. The first two use a web browser to RFC 3 9 8 6 to the navigateToURL() passing a malicious command, and from the local file to extract the data. The last one is designed to the Google Chrome running, but it is Clickjacking such antiquated means utilized to leaked data.

The actual operation--why not?


A navigateToURL()--by URI percent encoding to bypass the local sandbox not the letter index to achieve 1 0 0% of

As previously said, even if the SWF is in the local file system sandbox, was also you can use the navigateToURL (). Obviously, if we try to from a remote network to obtain the file, will pop up a security exception, but you can still access the local files. Considering Javascript can read the URL information in the navigateToURL()is in FLASH and Javascript interaction information best choice. Adobe in found this case after taking a lot of ways to modify, but have neglected the%encoding, let's look at this situation the possible consequences.

RFC 3 9 8 6, 2.1 after this URI:

|

1

|

navigateToURL(new URLRequest("file:///tmp/attack-this-sandbox.html"));

---|---

Also may be such that:

1

|

navigateToURL(new URLRequest("file:///tmp/%61ttack%2Dthis-sandbox.html"));

---|---

Although both are effective, but still not the same. Mozilla Firefox and Safari in Javascript simply read the document you can find the two different. In this manner, FLASH and Javascript interaction: that is you can bypass the local file system sandbox to reach the external network. Following this PoC is to use this concept to steal credit card numbers.

Proof-of-concept

I created a PoC vulnerability, both HTML files, but also SWF files.

In VIM looks it seems good:

! /Article/UploadPic/2016-10/2 0 1 6 1 0 6 1 3 4 4 2 8 6 1 0. png

The specific code can be downloaded here: the

<http://lab.truel.it/wp-content/uploads/2016/09/Fun-with-percent-encoding.zip>

The following is a remission Before of the live show:

The following is a relieve after the live show:

B)The navigateToURL() — — abuse of white spaces to bypass the local sandbox

Similar to the above example, the windows local URI has a little known feature is navigateToURL()ignored. This URI

1

|

navigateToURL(new URLRequest("file:///C:/attack-this-sandbox.html"));

---|---

[1] [2] next